How to configure eTrust Access Control when using SSH
Article ID: 54104
Updated On:
Products
CA Workload Automation AE - Business Agents (AutoSys)
CA Workload Automation AE - Scheduler (AutoSys)
Workload Automation Agent
Issue/Introduction
Non-privileged users are being seen as root by the system, incorrectly allowing the users to run ALL AutoSys commands with full permissions.
- Using SSH, log in remotely to a Solaris AutoSys server as a user with no eTrust Access Control granted rights using SSH
- The Unix commands 'id' and 'whoami' return the correct logged username
- eAC command 'sewhoami' returns 'root'
- This allows the non-privileged user to impersonate 'root' and issue any AutoSys commands with full permissions.
Environment
Workload Automation
Privileged Identity Manager (A.K.A. eTrust Access Control, Control Minder, PIM, PAM SC).
Privileged Identity Manager (A.K.A. eTrust Access Control, Control Minder, PIM, PAM SC).
Cause
This issue occurs when SSHD is not defined as a default login method in PIM.
Resolution
To update the default SSH login method, perform the following command as a PIM Administrator (Note: root is usually a PIM admin), where 'full path to login binary' points to the SSHD daemon (e.g. /usr/lib/ssh/sshd):
# selang -c "er loginappl SSHD loginpath(<full path to login binary>) owner(nobody) defacc (x)"
Note: If there are any spaces in the SSHD path, surround it with single-tick quotes (e.g. '/usr/path with spaces/ssh/sshd')
Additional Information
Additional Information on PIM's selang utility:
https://docops.ca.com/ca-privileged-identity-management/12-8-01/en/reference/selang-reference-guide
https://docops.ca.com/ca-privileged-identity-management/12-8-01/en/reference/selang-reference-guide
Feedback
Yes
No
Powered by
