
How to configure eTrust Access Control when using SSH


Article ID: 54104


Products

CA Workload Automation AE - Business Agents (AutoSys)
CA Workload Automation AE - Scheduler (AutoSys)
Workload Automation Agent

Issue/Introduction

Non-privileged users are seen as root by the system, which incorrectly allows them to run ALL AutoSys commands with full permissions. The behavior is observed as follows:
  1. Using SSH, log in remotely to a Solaris AutoSys server as a user with no eTrust Access Control granted rights.
  2. The Unix commands 'id' and 'whoami' return the correct logged-in username.
  3. The eAC command 'sewhoami' returns 'root'.
  4. This allows the non-privileged user to impersonate 'root' and issue any AutoSys commands with full permissions.

Cause

This issue occurs when SSHD is not defined as a default login method in PIM.

Environment

Workload Automation
Privileged Identity Manager (A.K.A. eTrust Access Control, Control Minder, PIM, PAM SC).

Resolution

To update the default SSH login method, run the following command as a PIM Administrator (Note: root is usually a PIM admin), where 'full path to login binary' points to the SSHD daemon (e.g. /usr/lib/ssh/sshd):

# selang -c "er loginappl SSHD loginpath(<full path to login binary>) owner(nobody) defacc (x)"

Note: If there are any spaces in the SSHD path, surround it with single quotes (e.g. '/usr/path with spaces/ssh/sshd').
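
To confirm the change took effect, the comparison from the Issue section ('whoami' versus 'sewhoami') can be scripted and run from a new SSH login as the non-privileged user. The script below is an added example, not CA/Broadcom code; the function names are hypothetical, and it assumes 'sewhoami' prints the user name as the first word of its output.

```shell
#!/usr/bin/env bash
# Added example: compare the OS login name with the name PIM reports.
# Assumption: sewhoami prints the user name as the first word of its output.

# first_word TEXT -> first whitespace-delimited token of the first line
first_word() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $1; exit }'
}

# compare_identities OS_USER PIM_USER
# returns 0 = names match, 1 = mismatch, 2 = a name could not be determined
compare_identities() {
    os_user=$(first_word "$1")
    pim_user=$(first_word "$2")
    if [ -z "$os_user" ] || [ -z "$pim_user" ]; then
        echo "UNKNOWN: could not determine both identities" >&2
        return 2
    fi
    if [ "$os_user" = "$pim_user" ]; then
        echo "OK: OS and PIM both see '$os_user'"
        return 0
    fi
    echo "MISMATCH: OS user '$os_user' is seen by PIM as '$pim_user'" >&2
    return 1
}

# check_session: run the real commands in the current login session
check_session() {
    compare_identities "$(whoami 2>/dev/null)" "$(sewhoami 2>/dev/null)"
}

# Only run the live check where the PIM client utilities are installed.
if command -v sewhoami >/dev/null 2>&1; then
    check_session
fi
```

An exit status of 1 means the session still shows the mismatch described in the Issue section (for example, OS user reported correctly while 'sewhoami' returns 'root').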

 

Additional Information

Additional Information on PIM's selang utility:
https://docops.ca.com/ca-privileged-identity-management/12-8-01/en/reference/selang-reference-guide