Layer7 Privileged Access Management

HOW TO: Configure Unix Master Accounts With a Different Authentication Protocol

  • 1.  HOW TO: Configure Unix Master Accounts With a Different Authentication Protocol

    Posted 05-15-2019 09:18 AM

    A client has the following Info Sec requirement:

    1. root SSH access must be disabled on all Unix boxes

    2. The root account must be managed by another Unix account (master account)

    3. The master account must use key-based auth on port 901

    4. The root account's (keyboard based) password must be changed

    The master account has the appropriate privileges to su to root on the target host.

    We've set up two Unix applications, one for port 22 (-unix) and another one for port 901 (-unix-901).

    We've created the two accounts: root (linked to the -unix application), set up with password authentication, and a masteraccount (linked to the -unix-901 application), set up with key-based authentication.

    Both accounts are in a synchronized and "validated" state.

    Using a manual process, via PuTTY, we are able to log in to the Unix host over 901 using the master account and key-based authentication. We can issue the passwd root command and change the password successfully, which leads us to believe that it should also be possible to do in PAM.

    However, when we try to generate credentials on the 'validated' root account, it fails.

    The client has a similar setup (root SSH is disabled and managed by another account); however, in that case the master account is a centrify'd domain account.

    Is this a known issue?

    Is there some special configuration?
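
A host-side check for requirements 1 and 3 listed in the post above, as an added example that is not part of the original thread or of the PAM product. It assumes the key-based logins on port 901 are served by the same sshd whose effective settings are being read; `check_sshd_policy` and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit effective sshd settings (the "keyword value" lines that
# `sshd -T` prints) against requirements 1 and 3 from the post.
# Assumption: port 901 is served by the sshd instance being inspected.

# Reads `sshd -T`-style text on stdin, prints findings, returns 0 if compliant.
check_sshd_policy() {
    awk -v want_port="${1:-901}" '
        { key = tolower($1) }
        key == "permitrootlogin"         { root = tolower($2) }
        key == "pubkeyauthentication"    { pubkey = tolower($2) }
        key == "port" && $2 == want_port { port_ok = 1 }
        END {
            bad = 0
            # Only "no" blocks root completely; "prohibit-password" still
            # lets root log in with a key, so it does not meet requirement 1.
            if (root != "no")    { print "FAIL: permitrootlogin is \"" root "\", expected no"; bad = 1 }
            if (pubkey != "yes") { print "FAIL: pubkeyauthentication is \"" pubkey "\", expected yes"; bad = 1 }
            if (!port_ok)        { print "FAIL: sshd is not listening on port " want_port; bad = 1 }
            if (!bad) print "OK: root SSH login disabled, key auth enabled, port " want_port " configured"
            exit bad
        }'
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_COMPLIANT='port 22
port 901
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes'

SAMPLE_ROOT_OPEN='port 22
permitrootlogin prohibit-password
pubkeyauthentication yes'

# On a real host, as root:  sshd -T | check_sshd_policy 901
```

Requirements 2 and 4 (the master account's ability to su to root and rotate its password) are not visible in sshd settings and still need to be verified through PAM itself.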



  • 2.  Re: HOW TO: Configure Unix Master Accounts With a Different Authentication Protocol
    Best Answer

    Posted 05-15-2019 10:39 AM

    Hi Seb, when you report a problem, please ALWAYS state the product release where the problem is observed. There was a known issue in PAM 3.X that is resolved in 3.2.4; see the following item on the page https://docops.ca.com/ca-privileged-access-manager/3-2-4/en/release-information/resolved-issues-in-3-2-4 :

    01229278DE395811

    Cannot verify and rotate the passwords of UNIX target accounts that are updated by an account using SSH Public Key authentication.

    By the way, I don't quite understand why you created two target applications. What is the use of the separate target application for the root account? Since root never logs on from PAM and cannot connect via SSH at all, the port of its target application is irrelevant. If you have other accounts that can log in using port 22, then you need the second target application, but not for root.



  • 3.  Re: HOW TO: Configure Unix Master Accounts With a Different Authentication Protocol

    Posted 05-22-2019 10:27 AM

    Just to follow up.

    Client upgraded to 3.2.4.64 and the issue was resolved.

    Thanks again Ralf.



  • 4.  Re: HOW TO: Configure Unix Master Accounts With a Different Authentication Protocol

    Posted 05-15-2019 10:56 AM

    Thanks Ralf - sorry for not mentioning the version. It is 3.2.2.x.

    ... long story short,

    We do need the ability to SSH over 22 using other accounts for TL; whereas, for the master account, we need to SSH over 901 using Key Auth.

    I understand that we don't need a separate application for root just to manage its password.

    Thanks for the reply.