Hundreds of our UNIX target accounts are failing to verify credentials, and the error shows as below:
PAM-CM-1341: Failed to establish a communications channel to the remote host
It's very hard to debug such issues without any proper error messages. Can you please help us find out all the scenarios in which we get this error?
Bipin, If you set the tomcat log level to Info you should get more detailed messages on why the connection fails in the tomcat log. You control this on the Configuration > Diagnostics > Diagnostic Logs page, and you can download the tomcat log under the Download tab. There could be a firewall issue, there could be a key exchange issue etc.
After setting the tomcat log level to Info, I can see more details but nothing significant:
INFO: start executing the default UNIX credentials verification script
Jun 22, 2018 4:04:34 PM com.cloakware.cspm.server.plugin.ScriptProcessorImpl debug
INFO: authenticating using SSH-2 in keyboard interactive mode
Jun 22, 2018 4:04:34 PM com.cloakware.cspm.server.plugin.ScriptProcessorImpl debug
INFO: formulating a response to the first set of prompts received
Jun 22, 2018 4:04:34 PM com.cloakware.cspm.server.plugin.KeyboardInteractiveInfo$Prompt matches
INFO: prompt 'Password: ' MATCHES the pattern '(?si)(.*?password(\sfor|\sagain|:).*?)'
Jun 22, 2018 4:04:34 PM com.cloakware.cspm.server.plugin.KeyboardInteractiveInfo$Prompt setResponse
INFO: responding to prompt 'Password: ' with '<not logged>'
Jun 22, 2018 4:04:34 PM com.cloakware.cspm.server.plugin.BeanShellScriptProcessorImpl executeScript
INFO: stopping script processor
Jun 22, 2018 4:04:34 PM com.cloakware.cspm.server.plugin.SSHUserInfoImpl promptKeyboardInteractive
INFO: keyboard-interactive authentication: successfully executed a script
Jun 22, 2018 4:04:34 PM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: Authentications that can continue: password
Jun 22, 2018 4:04:34 PM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: Next authentication method: password
Jun 22, 2018 4:04:34 PM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: Login trials exceeds 1
Jun 22, 2018 4:04:34 PM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: Disconnecting from 10.10.88.99 port 22
Jun 22, 2018 4:04:34 PM com.cloakware.cspm.server.app.impl.lp c
WARNING: **** ACCOUNT VERIFICATION FAILED: targetAccount ID: 1393' due to 'Error Code: 15212
Error Details: null
Error Message: PAM-CM-1341: Failed to establish a communications channel to the remote host.
Exception: com.cloakware.cspm.server.plugin.NetConnectorException: PAM-CM-1341: Failed to establish a communications channel to the remote host.
Stack Trace: com.cloakware.cspm.server.plugin.NetConnectorException: PAM-CM-1341: Failed to establish a communications channel to the remote host.
    at com.cloakware.cspm.server.plugin.SSHConnector.connect(SSHConnector.java:152)
    at com.cloakware.cspm.server.plugin.SSHConnector.connect(SSHConnector.java:73)
    at com.cloakware.cspm.server.plugin.ChannelBeanShellScriptProcessorImpl.getConnectedChannel(ChannelBeanShellScriptProcessorImpl.java:401)
    at com.cloakware.cspm.server.plugin.ChannelBeanShellScriptProcessorImpl.<init>(ChannelBeanShellScriptProcessorImpl.java:88)
    at com.cloakware.cspm.server.plugin.ChannelBeanShellScriptProcessorImpl.<init>(ChannelBeanShellScriptProcessorImpl.java:121)
    at com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager.verifyCredentials(UnixAdvancedTargetManager.java:89)
    at com.cloakware.cspm.server.app.TargetManager.run(SourceFile:672)
Caused by: com.jcraft.jsch.JSchException: Auth fail
    at com.jcraft.jsch.Session.connect(Session.java:512)
    at com.jcraft.jsch.Session.connect(Session.java:183)
    at com.cloakware.cspm.server.plugin.SSHConnector.connect(SSHConnector.java:122)
    ... 6 more
Hi Bipin, This is missing a lot of useful information, but at least we can see that the SSH connection is established and we are responding to the password prompt on login. Is the target account configured to verify its own password? Is the password currently stored in PAM the correct one, i.e. can you use it successfully for auto-login?
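Added example, not part of the thread and not CA PAM tooling: because PAM-CM-1341 is reported identically for every failure, this Python script groups failing target account IDs by the innermost `Caused by:` entry of the downloaded tomcat log, so hundreds of failures collapse into a few causes. The sample log is constructed in the shape of the excerpt above; accounts 2001 and 2002, the `Connection refused` trace and the function name `group_failures` are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the tomcat log quoted in this thread.
# Account 1393 and its "Auth fail" cause come from the thread; accounts 2001
# and 2002 and the "Connection refused" trace are made up for illustration.
MSG = "PAM-CM-1341: Failed to establish a communications channel to the remote host."
SAMPLE_LOG = (
    # Run-together layout, as pasted in the thread.
    "WARNING: **** ACCOUNT VERIFICATION FAILED: targetAccount ID: 1393' due to "
    f"'Error Code: 15212Error Details: nullError Message: {MSG}Stack Trace: ... "
    "at com.cloakware.cspm.server.plugin.SSHConnector.connect(SSHConnector.java:152) "
    "Caused by: com.jcraft.jsch.JSchException: Auth fail "
    "at com.jcraft.jsch.Session.connect(Session.java:512) ... 6 more\n"
    # One-entry-per-line layout (assumed layout of the downloaded file).
    "WARNING: **** ACCOUNT VERIFICATION FAILED: targetAccount ID: 2001' due to "
    f"'Error Code: 15212\nError Message: {MSG}\n"
    "Caused by: com.jcraft.jsch.JSchException: java.net.ConnectException: Connection refused\n"
    "\tat com.jcraft.jsch.Util.createSocket(Util.java:349)\n"
    "WARNING: **** ACCOUNT VERIFICATION FAILED: targetAccount ID: 2002' due to "
    f"'Error Code: 15212\nError Message: {MSG}\n"
    "Caused by: com.jcraft.jsch.JSchException: Auth fail\n"
    "\tat com.jcraft.jsch.Session.connect(Session.java:512)\n"
)

FAILURE = re.compile(r"ACCOUNT VERIFICATION FAILED: targetAccount ID: (\d+)")
CAUSE = re.compile(r"Caused by:\s*([\w.$]+):\s*(.+?)\s+at\s+[\w.$<>]+\(", re.DOTALL)

def group_failures(log_text):
    """Return {root cause: sorted target account IDs} for PAM-CM-1341 failures."""
    hits = list(FAILURE.finditer(log_text))
    groups = defaultdict(set)
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(log_text)
        segment = log_text[hit.start():end]  # this failure and its stack trace
        if "PAM-CM-1341" not in segment:
            continue
        causes = CAUSE.findall(segment)
        if causes:
            exc, msg = causes[-1]  # last "Caused by" is the innermost cause
            key = f"{exc.rsplit('.', 1)[-1]}: {' '.join(msg.split())}"
        else:
            key = "no 'Caused by' logged"
        groups[key].add(int(hit.group(1)))
    return {cause: sorted(ids) for cause, ids in groups.items()}

if __name__ == "__main__":
    for cause, ids in sorted(group_failures(SAMPLE_LOG).items()):
        print(f"{len(ids):4d}  {cause}  accounts={ids}")
```

In JSch, `Auth fail` means the server rejected the authentication attempts, so that group is a credential or login-policy problem, while connection-level causes point at network or host reachability.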
Yes, it is configured to verify its own account, and the password is currently stored in PAM, but auto-login is not happening. If the password is not getting verified, how can auto-login happen? I don't think red-flagged accounts can be used for login.
There can be 2 things:
1. In the target application you selected a script that does not correspond to the Linux distribution.
2. Direct login with the root user is disabled and they always have to escalate privileges from another account. If this is the case, it suffices to remove this restriction, which is commonly used.
Please let us know how it went
Hi Bipin, If the password is not right, we wasted time investigating the verification process because we know it cannot succeed. The question is how the password got out of sync. There are two possibilities:
In case 2) the current password of the target account would be the previous password in PAM, which you can get by looking at the password history. Which one is it?