Symantec Privileged Access Management

  • 1.  CA PAM - CA Gateway

    Posted May 22, 2017 10:32 AM

    Hi,


    How do I enable transparent login for CA API Gateway (SecureSpan Gateway V8.4.01) when the option 3 - Use a privileged shell (root) is selected?


    As of now the user is automatically logged on to the Gateway server. But when he selects Option 3, he is asked to enter a password ("[sudo] password for user:"), a password which is not known to the user, hence the user cannot get through.


    Please could you let me know how to configure PAM with API Gateway.


    Many thanks.


    Best regards,

    Cristina Apostol



  • 2.  Re: CA PAM - CA Gateway

    Broadcom Employee
    Posted May 22, 2017 05:01 PM

    Hi Cristina,


    I have not tested this specific use case, but this sounds like a situation where the Transparent Login/command string features would be useful. Based on your description of how the connection to the system works it would be hard to say if this will work or not. Usually this feature monitors for the user typing the command (like sudo), not an automated process like this. I have done some light testing using a script to call sudo and it appears that PAM does not pick up that call, it only picks it up when it is directly executed from the command line. I was able to use the command string feature to get around that by setting the command line to the command used to run the script. However since you are not running the script, but interacting with something that is already running this may not work. 


    When you select 3, do you have to press enter? If so that may be good enough for command string to pick it up, you can try putting '3' as the command string and '[sudo] password for' as the authentication prompt.


    Documentation on SSH Transparent Login:

    SSH Connections - CA Privileged Access Manager - 2.8.2 - CA Technologies Documentation 


    Hope this helps!

    -Christian



  • 3.  Re: CA PAM - CA Gateway

    Posted May 24, 2017 10:43 AM

    Hi Christian,


    Thank you for your response.


    I did try your suggestion to use Command String, then enter 3 and [sudo] as auth prompt, but it does not work.

    The menu is displayed once I click on Putty from PAM Access Page:


    Once I enter 3 and press Enter I am still asked to provide the password:


    And here are my configurations in PAM:


    Am I doing something wrong, or am I missing something? Please could you advise further on this.


    Many thanks.


    Best regards,

    Cristina Apostol



  • 4.  Re: CA PAM - CA Gateway
    Best Answer

    Broadcom Employee
    Posted May 24, 2017 12:22 PM

    Hi Cristina, I don't think this can work. We have logic to detect when we are at the shell prompt. Otherwise we might be sending a password while a script/executable runs that happens to send strings to stdout matching the configured commands. Since access to the device is controlled by PAM, would it be possible to configure sudo such that it does not require the user's password? This is not recommended in general, but might be acceptable if logon to the device is restricted sufficiently.
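
    Added example (not part of the thread, and not CA/Broadcom code) showing the narrow form of the sudo change suggested above: exempt only the Gateway login account and only the command the menu's privileged-shell option runs, with sudo I/O logging kept on and the drop-in checked by visudo before it is installed. The account name gwuser and the command /bin/bash are placeholders, since the thread does not name them.

```shell
#!/bin/sh
# Added example: scoped sudoers drop-in for a host whose logon is gated by PAM.
# Placeholders (assumed, not from the thread): the Gateway login account is
# "gwuser" and the menu's option 3 runs "/bin/bash" through sudo.
GW_USER="gwuser"
GW_ROOT_SHELL="/bin/bash"

# One user, run-as root only, one command: the password exemption covers just
# the privileged-shell action, never "NOPASSWD: ALL".
pam_sudoers_rule() {
  printf '%s ALL=(root) NOPASSWD: %s\n' "$1" "$2"
}

# Keep a session recording (sudoreplay) of what happens in the root shell,
# since sudo no longer re-authenticates the user itself.
pam_sudoers_defaults() {
  printf 'Defaults:%s log_input, log_output\n' "$1"
}

# Refuse any rule whose NOPASSWD command list contains the keyword ALL, even
# when it is mixed with specific commands.
rule_is_scoped() {
  case "$1" in *NOPASSWD:*) ;; *) return 1 ;; esac
  cmds=${1#*NOPASSWD:}
  old_ifs=$IFS; IFS=,
  for c in $cmds; do
    c=$(printf '%s' "$c" | tr -d ' \t')
    if [ "$c" = ALL ]; then IFS=$old_ifs; return 1; fi
  done
  IFS=$old_ifs
  return 0
}

# Build the drop-in, let visudo parse it, then install it read-only for root.
# Needs root; call explicitly, it is not run when this file is sourced.
install_rule() {
  rule=$(pam_sudoers_rule "$GW_USER" "$GW_ROOT_SHELL")
  rule_is_scoped "$rule" || { echo "refusing unscoped rule: $rule" >&2; return 1; }
  tmp=$(mktemp) || return 1
  { pam_sudoers_defaults "$GW_USER"; printf '%s\n' "$rule"; } >"$tmp"
  visudo -cf "$tmp" || { rm -f "$tmp"; return 1; }   # syntax check only
  install -m 0440 -o root -g root "$tmp" /etc/sudoers.d/pam-gateway
  rm -f "$tmp"
}
```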



  • 5.  Re: CA PAM - CA Gateway

    Posted Jun 06, 2017 07:14 AM

    Hi Ralf,


    Thank you very much for your response.


    I have asked the customer to configure the server as you advised and I am waiting now for their thoughts on this, if they are happy to do so.


    Regards,

    Cristina