Symantec Privileged Access Management

  • 1.  PAM: Failed to establish a communications

    Posted Jun 22, 2018 10:54 AM

    Hi,

We are seeing hundreds of our UNIX target accounts failing credential verification, with the error shown below:

    PAM-CM-1341: Failed to establish a communications channel to the remote host

    It's very hard to debug such issues without proper error messages. Can you please help to find out what all the scenarios are in which we get this error?


    Thanks,

    Bipin



  • 2.  Re: PAM: Failed to establish a communications

    Broadcom Employee
    Posted Jun 22, 2018 11:51 AM

    Bipin, If you set the tomcat log level to Info you should get more detailed messages on why the connection fails in the tomcat log. You control this on the Configuration > Diagnostics > Diagnostic Logs page, and you can download the tomcat log under the Download tab. There could be a firewall issue, there could be a key exchange issue etc.



  • 3.  Re: PAM: Failed to establish a communications

    Posted Jun 22, 2018 12:10 PM

    Hi Ralf,

    After setting the tomcat log level to Info, I can see more details, but nothing significant:


    INFO: start executing the default UNIX credentials verification script
    Jun 22, 2018 4:04:34 PM com.cloakware.cspm.server.plugin.ScriptProcessorImpl debug
    INFO: authenticating using SSH-2 in keyboard interactive mode
    Jun 22, 2018 4:04:34 PM com.cloakware.cspm.server.plugin.ScriptProcessorImpl debug
    INFO: formulating a response to the first set of prompts received
    Jun 22, 2018 4:04:34 PM com.cloakware.cspm.server.plugin.KeyboardInteractiveInfo$Prompt matches
    INFO: prompt 'Password: ' MATCHES the pattern '(?si)(.*?password(\sfor|\sagain|:).*?)'
    Jun 22, 2018 4:04:34 PM com.cloakware.cspm.server.plugin.KeyboardInteractiveInfo$Prompt setResponse
    INFO: responding to prompt 'Password: ' with '<not logged>'
    Jun 22, 2018 4:04:34 PM com.cloakware.cspm.server.plugin.BeanShellScriptProcessorImpl executeScript
    INFO: stopping script processor
    Jun 22, 2018 4:04:34 PM com.cloakware.cspm.server.plugin.SSHUserInfoImpl promptKeyboardInteractive
    INFO: keyboard-interactive authentication: successfully executed a script
    Jun 22, 2018 4:04:34 PM com.cloakware.cspm.server.plugin.SSHConnector$1 log
    INFO: jsch: Authentications that can continue: password
    Jun 22, 2018 4:04:34 PM com.cloakware.cspm.server.plugin.SSHConnector$1 log
    INFO: jsch: Next authentication method: password
    Jun 22, 2018 4:04:34 PM com.cloakware.cspm.server.plugin.SSHConnector$1 log
    INFO: jsch: Login trials exceeds 1
    Jun 22, 2018 4:04:34 PM com.cloakware.cspm.server.plugin.SSHConnector$1 log
    INFO: jsch: Disconnecting from 10.10.88.99 port 22
    Jun 22, 2018 4:04:34 PM com.cloakware.cspm.server.app.impl.lp c
    WARNING: **** ACCOUNT VERIFICATION FAILED: targetAccount ID: 1393' due to 'Error Code: 15212
    Error Details: null
    Error Message: PAM-CM-1341: Failed to establish a communications channel to the remote host.
    Exception: com.cloakware.cspm.server.plugin.NetConnectorException: PAM-CM-1341: Failed to establish a communications channel to the remote host.
    Stack Trace: com.cloakware.cspm.server.plugin.NetConnectorException: PAM-CM-1341: Failed to establish a communications channel to the remote host.
    at com.cloakware.cspm.server.plugin.SSHConnector.connect(SSHConnector.java:152)
    at com.cloakware.cspm.server.plugin.SSHConnector.connect(SSHConnector.java:73)
    at com.cloakware.cspm.server.plugin.ChannelBeanShellScriptProcessorImpl.getConnectedChannel(ChannelBeanShellScriptProcessorImpl.java:401)
    at com.cloakware.cspm.server.plugin.ChannelBeanShellScriptProcessorImpl.<init>(ChannelBeanShellScriptProcessorImpl.java:88)
    at com.cloakware.cspm.server.plugin.ChannelBeanShellScriptProcessorImpl.<init>(ChannelBeanShellScriptProcessorImpl.java:121)
    at com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager.verifyCredentials(UnixAdvancedTargetManager.java:89)
    at com.cloakware.cspm.server.app.TargetManager.run(SourceFile:672)
    Caused by: com.jcraft.jsch.JSchException: Auth fail
    at com.jcraft.jsch.Session.connect(Session.java:512)
    at com.jcraft.jsch.Session.connect(Session.java:183)
    at com.cloakware.cspm.server.plugin.SSHConnector.connect(SSHConnector.java:122)
    ... 6 more



  • 4.  Re: PAM: Failed to establish a communications

    Broadcom Employee
    Posted Jun 22, 2018 02:13 PM

    Hi Bipin, This is missing a lot of useful information, but at least we can see that the SSH connection is established and we are responding to the password prompt on login. Is the target account configured to verify its own password? Is the password currently stored in PAM the correct one, i.e. can you use it successfully for auto-login?
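    Ralf's reading of the log above (the SSH session was established, the password prompt was matched and answered, and then JSch reported "Auth fail") can be turned into a small triage script for the tomcat log. This is an added example, not part of the thread or of the PAM product: the log excerpt is constructed from the lines Bipin posted with a placeholder IP, and the verdict categories other than credential_rejected are the editor's assumptions about what the other failure shapes would look like.

```python
import re

# Constructed excerpt modelled on the tomcat log posted in this thread.
# The timestamps are dropped and the target IP is a documentation address.
SAMPLE_LOG = """\
INFO: authenticating using SSH-2 in keyboard interactive mode
INFO: prompt 'Password: ' MATCHES the pattern '(?si)(.*?password(\\sfor|\\sagain|:).*?)'
INFO: responding to prompt 'Password: ' with '<not logged>'
INFO: keyboard-interactive authentication: successfully executed a script
INFO: jsch: Authentications that can continue: password
INFO: jsch: Login trials exceeds 1
INFO: jsch: Disconnecting from 192.0.2.10 port 22
WARNING: **** ACCOUNT VERIFICATION FAILED: targetAccount ID: 1393' due to 'Error Code: 15212
Error Message: PAM-CM-1341: Failed to establish a communications channel to the remote host.
Caused by: com.jcraft.jsch.JSchException: Auth fail
"""

# Constructed (assumed) shape of a run where the script never matched a prompt.
SAMPLE_LOG_NO_PROMPT = """\
INFO: authenticating using SSH-2 in keyboard interactive mode
Error Message: PAM-CM-1341: Failed to establish a communications channel to the remote host.
Caused by: com.jcraft.jsch.JSchException: Auth fail
"""


def triage_pam_cm_1341(log_text: str) -> dict:
    """Classify one PAM-CM-1341 verification failure from a tomcat log excerpt.

    Returns the target account id (if logged), whether the password prompt
    was matched and answered, the JSch root cause and a verdict string.
    """
    prompt_matched = "MATCHES the pattern" in log_text
    responded = "responding to prompt" in log_text
    cause = re.search(r"Caused by: ([\w.$]+): (.+)", log_text)
    cause_msg = cause.group(2).strip() if cause else ""
    acct = re.search(r"targetAccount ID: (\d+)", log_text)

    if prompt_matched and responded and cause_msg == "Auth fail":
        # Target answered and rejected the password: PAM's stored password is stale.
        verdict = "credential_rejected"
    elif cause_msg == "Auth fail":
        # Assumed: auth failed before any prompt matched, so suspect the script/pattern.
        verdict = "prompt_not_recognised"
    elif cause_msg:
        # Assumed: any other JSch cause points at the network or key exchange.
        verdict = "connection_or_kex_failure"
    else:
        verdict = "unknown"
    return {"account_id": acct.group(1) if acct else None,
            "prompt_answered": prompt_matched and responded,
            "cause": cause_msg, "verdict": verdict}
```

A credential_rejected verdict is the case Ralf describes below: the verification path is working and the password itself is out of sync, so the next step is the password history rather than the firewall.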



  • 5.  Re: PAM: Failed to establish a communications

    Posted Jun 22, 2018 03:40 PM

    Hi Ralf,

    Yes, it is configured to verify its own account, and the password is currently stored in PAM, but auto-login is not happening. If the password is not getting verified, how can auto-login happen? I don't think red-flagged accounts can be used for login.

    Thanks



  • 6.  Re: PAM: Failed to establish a communications

    Posted Jun 22, 2018 04:10 PM

    Hi

    It can be one of 2 things:

    1. In the target application you selected a script that does not correspond to the Linux distribution.

    2. Direct login with the root user is disabled and privileges always have to be escalated from another account; if this is the case, it suffices to remove this commonly used restriction.

    Please let us know how it went



  • 7.  Re: PAM: Failed to establish a communications
    Best Answer

    Broadcom Employee
    Posted Jun 22, 2018 04:27 PM

    Hi Bipin, If the password is not right, we wasted time investigating the verification process because we know it cannot succeed. The question is how the password got out of sync. There are two possibilities:

    1. The password was changed outside of PAM.
    2. PAM updated the password with a Success return code, but the password in fact was not changed on the target device.


    In case 2) the current password of the target account would be the previous password in PAM, which you can get by looking at the password history. Which one is it?