Symantec Privileged Access Management

  • Private Community
 View Only

  • 1.  Failed to establish a communications channel to the remote host

    Posted Aug 04, 2022 03:48 AM
    Hello, everyone

    Hundreds of UNIX destination accounts fail to verify their credentials with the following error:

    PAM-CM-1341: Failed to establish communication channel for remote host.

    Do you happen to know why this error occurs?

    The apache log was collected, but an error message was generated as follows.

    WARNING: **** ACCOUNT VERIFICATION FAILED: targetAccount ID: 1802' due to 'Error Code: 15212
    Error Details: null
    Error Message: PAM-CM-1341: Failed to establish a communications channel to the remote host.
    Exception: com.cloakware.cspm.server.plugin.NetConnectorException: PAM-CM-1341: Failed to establish a communications channel to the remote host.
    Stack Trace: com.cloakware.cspm.server.plugin.NetConnectorException: PAM-CM-1341: Failed to establish a communications channel to the remote host.
    at com.cloakware.cspm.server.plugin.SSHConnector.connect(SSHConnector.java:278)
    at com.cloakware.cspm.server.plugin.SSHConnector.connect(SSHConnector.java:153)
    at com.cloakware.cspm.server.plugin.ChannelBeanShellScriptProcessorImpl.getConnectedChannel(ChannelBeanShellScriptProcessorImpl.java:401)
    at com.cloakware.cspm.server.plugin.ChannelBeanShellScriptProcessorImpl.<init>(ChannelBeanShellScriptProcessorImpl.java:88)
    at com.cloakware.cspm.server.plugin.ChannelBeanShellScriptProcessorImpl.<init>(ChannelBeanShellScriptProcessorImpl.java:121)
    at com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager.verifyCredentials(UnixAdvancedTargetManager.java:89)
    at com.cloakware.cspm.server.app.TargetManager.run(TargetManager.java:673)
    Caused by: com.jcraft.jsch.JSchException: Auth fail
    at com.jcraft.jsch.Session.connect(Session.java:519)
    at com.jcraft.jsch.Session.connect(Session.java:183)
    at com.cloakware.cspm.server.plugin.SSHConnector.connect(SSHConnector.java:221)
    ... 6 more

    Is success: false
    Warning Message: null
    Result Details: null
    '

    Do you know any suggestions?


  • 2.  RE: Failed to establish a communications channel to the remote host

    Broadcom Employee
    Posted Aug 05, 2022 09:57 AM

    PAM-CM-1341: Failed to establish a communications channel to the remote host is a somewhat generic error message.

    Unfortunately you dont say if this is hundreds on one server, or hundreds of servers, nor do you say whether or not these accounts use a master account or manage their own passwords.

    The best way to troubleshoot is to look a the security/auth logs on the servers themselves and see if it logged the attempt and if so, why it rejected it.

    If it didn't log anything at all, most likely you have a network connectivity issue.  If it does log something, it will likely explain why it failed.

    Here are a few things I could see that might cause hundreds of accounts to suddenly lose the ability to verify:

    • Something changed in the configuration on those servers, especially with the SSH config, but could also be changes to sudoers or other settings.
    • Last password change was too long ago, and accounts have expired.
    • Network changes are preventing connecting to ssh from PAM.
    • Someone changed the passwords outside of PAM.
    • PAM previously changed the passwords, but then the database was restored to an older version, or a snapshot was restored.
    • PAM previously changed the passwords during a cluster outage (while database was unlocked on one node), then cluster was started using a different node as the source, overwriting the new passwords with the old.

    Regardless, you need to determine if its connectivity (network or server config), or an out of sync (PAM has wrong password) condition.  If its connectivity, then once you fix that, you should just be able to reverify the accounts.  If PAM is truly out of sync, you may be in for a lot more work.



    Original Message