Symantec Privileged Access Management

 View Only
  • 1.  Set a global command for transparent login (SSH)

    Posted Sep 04, 2019 05:06 PM

    Hi, 


    is it possible set a global comand like 'sudo' on pam for SSH Transparent Login, so when the users need to elevete their privileges something like 'sudo ls' or 'sudo mkdir demo' (just an example)  pam inject the password.

    Or I necesary have to inser all the commands that the users are going to use??


    Regards.



  • 2.  RE: Set a global command for transparent login (SSH)

    Broadcom Employee
    Posted Sep 05, 2019 11:15 AM
    Hello, Are you able to select a Transparent Login type of "sudo/pbrun" like the screenshot below? This would then insert the password for any use of sudo.


    Thanks,

    Josh




  • 3.  RE: Set a global command for transparent login (SSH)

    Broadcom Employee
    Posted Sep 05, 2019 11:27 AM
    Edited by Kevin Dedcovich Sep 05, 2019 11:31 AM

    Hi,

    You can do it on sudo as a whole, as depicted above.

    Or you can do it for certain commands.

    To do this in the PAM UI >> Configuration >> Security >> Access >> Turn On "Command String"

    Than you have two options in the drop down.

    Using the first option -> any command with sudo in front of it will work (even sudo su -)

    the second option (command string) - you can just link to a specific sudo command -> ie: sudo ls

    Regards,
    Kevin D.




  • 4.  RE: Set a global command for transparent login (SSH)

    Posted Sep 05, 2019 01:17 PM
    Hi Josh, Kevin,

    I used "sudo/pbrun" transparent login,


    but when i write something like sudo ls it shows "supervisor is not in the sudoers file. This incident will be reported"

    I understand that if i insert the user "supervisor" in this file, this user will have administrator privileges permanently so it will not be necesary request the root pasword everytime i write a sudo command. But i need that the application request for that password so PAM can inject it (similar to how 'command string' works). 

    Regards.



  • 5.  RE: Set a global command for transparent login (SSH)
    Best Answer

    Broadcom Employee
    Posted Sep 05, 2019 02:28 PM
    I think you misunderstand what the purpose of transparent login/sudo is. 

    Sudo never prompts for the "root" password, it prompts for the current logged in user password.  Adding a user to sudoers does not make them a permanent administrator, it allows them to elevate privileges for a single command.   

    To make an analogy, sudo is like UAC in windows; your user account may be in the administrators group on your workstation, but when you log in you cant do anything administrative until you elevate by passing a UAC prompt... this prevents scripts, viruses, etc that may be started by your day to day use of your computer from using your admin privileges without your knowledge

    If your sudoer's line uses the "nopasswd", option, then the user can do it without the password... however that's not recommended.  Without 'nopasswd', sudo will always prompt for a password (NOTE: sudo privileges will persist for a configurable period of time, so subsequent runs in that time window may not prompt)

    So essentially, what Transparent login is doing is allowing a user to ssh into a box with an unknown password, then run sudo commands and not be prompted for a password they don't know.


  • 6.  RE: Set a global command for transparent login (SSH)

    Broadcom Employee
    Posted Sep 05, 2019 11:21 AM
    Luis,

    I am not sure how you got to that screen.  The transparent login tab for linux/windows/other devices using ssh access method looks like below and you don't need to specify commands.  What type of device is this / how did you get this screen.  I cannot even find reference to those fields in relation to transparent login in our documentation.




  • 7.  RE: Set a global command for transparent login (SSH)

    Posted Sep 05, 2019 01:01 PM
    Hi Joseph,

    You can enable this option here.

    Regards.