frankabhinav Super Contributor.

PAM 3.2

I have upgraded my PAM from 3.1 to 3.2. Now I am configuring SSH relay.
The following error is coming in my (Manager server) unifid.log

Wed Dec 20 17:51:41 2017, 25, 525866752, 2287, Info, https GET /myaccess/ssh/pam-ssh.jnlp?targetHost=steven@192.168.1.xxxx&pamHost=
pam&pamPort=2222 client:192.168.1.xxxx rc:0 status:200(OK) (6ms)


On my client server (Agent server) the following error is coming

Tue Dec 19 22:04:52 2017, 596, 115181312, 2720, Info, Registration successful for userapp (Unlicensed (pam)) to registry pam
Tue Dec 19 22:04:52 2017, 596, 115181312, 2720, Info, valid from Wed Dec 20 12:22:57 2017 to Fri Dec 22 13:10:01 2017
Tue Dec 19 22:04:52 2017, 599, 115181312, 2720, Info, Rechecking service registration in 23 hours
Tue Dec 19 22:05:20 2017, 604, 115181312, 2720, Info, rexec logMsg client:pam rc:0 status:0 (0ms)
Tue Dec 19 22:05:21 2017, 126, 116233984, 2720, Info, regclnt getSessionCache client:userapp rc:0 status:0 (2ms)
Tue Dec 19 22:05:21 2017, 126, 115181312, 2720, Info, rexec logMsg client:pam rc:0 status:0 (34ms)
Tue Dec 19 22:07:44 2017, 733, 101033728, 2720, Info, Error (5) accepting SSL connection from 192.168.1.176
Tue Dec 19 22:07:44 2017, 733, 101033728, 2720, Info, SSL_accept: error syscall 0
Tue Dec 19 22:51:04 2017, 635, 117286656, 2720, Info, Error (5) accepting SSL connection from 192.168.1.176
Tue Dec 19 22:51:04 2017, 636, 117286656, 2720, Info, SSL_accept: error syscall 0
unifid.log lines 266-302/302 (END)


I have also referred to the link below
https://www.netiq.com/support/kb/doc.php?id=7018265

On the Manager server it is showing listening

tcp        0      0 127.0.0.1:51044         0.0.0.0:*               LISTEN      2797/xqd
tcp        0      0 0.0.0.0:13389           0.0.0.0:*               LISTEN      2221/unifid
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      2221/unifid
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2293/rpcbind
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2672/sshd


But when I telnet to 2222 from my client to the manager, it shows me connected.

Does port 2222 on the agent server also have to be open?
Do I have to put some certs in place? If yes, which and where?

Both systems are SUSE Linux
Knowledge Partner

Re: PAM 3.2

On 12/20/2017 06:34 AM, frankabhinav wrote:
>
> I have upgraded my PAM from 3.1 to 3.2 . Now i am configuring for SSH
> relay.


I understand, then, that this was not setup or working with 3.1, meaning
this is not necessarily something broken after the move to 3.2.

> The following error is coming in my (Manager server) unifid.log
>
> Code:
> --------------------
> Wed Dec 20 17:51:41 2017, 25, 525866752, 2287, Info, https GET /myaccess/ssh/pam-ssh.jnlp?targetHost=steven@192.168.1.xxxx&pamHost=
> pam&pamPort=2222 client:192.168.1.xxxx rc:0 status:200(OK) (6ms)
> --------------------


You described this as an error above, but I do not see why as this does
not look like an error to me either by its level ("info") or its HTTP
return (200). The IP addresses look broken, though, as they have 'x'
characters in them. If those were there to obfuscate data, please avoid
doing that, particularly since you are using private IP addresses, so they
are unavailable to anybody outside your network anyway.

> on my client server(Agent server) following error is coming
>
> Code:
> --------------------
> Tue Dec 19 22:04:52 2017, 596, 115181312, 2720, Info, Registration successful for userapp (Unlicensed (pam)) to registry pam
> Tue Dec 19 22:04:52 2017, 596, 115181312, 2720, Info, valid from Wed Dec 20 12:22:57 2017 to Fri Dec 22 13:10:01 2017
> Tue Dec 19 22:04:52 2017, 599, 115181312, 2720, Info, Rechecking service registration in 23 hours
> Tue Dec 19 22:05:20 2017, 604, 115181312, 2720, Info, rexec logMsg client:pam rc:0 status:0 (0ms)
> Tue Dec 19 22:05:21 2017, 126, 116233984, 2720, Info, regclnt getSessionCache client:userapp rc:0 status:0 (2ms)
> Tue Dec 19 22:05:21 2017, 126, 115181312, 2720, Info, rexec logMsg client:pam rc:0 status:0 (34ms)
> Tue Dec 19 22:07:44 2017, 733, 101033728, 2720, Info, Error (5) accepting SSL connection from 192.168.1.176
> Tue Dec 19 22:07:44 2017, 733, 101033728, 2720, Info, SSL_accept: error syscall 0
> Tue Dec 19 22:51:04 2017, 635, 117286656, 2720, Info, Error (5) accepting SSL connection from 192.168.1.176
> Tue Dec 19 22:51:04 2017, 636, 117286656, 2720, Info, SSL_accept: error syscall 0
> unifid.log lines 266-302/302 (END)
> --------------------


It would be nice if we could see more details about what the TLS/SSL
problem was. A LAN/wire trace (via tcpdump) could be useful to show how
the connection looks, and specifically which side is rejecting it,
possibly with a TLS alert.


sudo /usr/sbin/tcpdump -n -s 0 -i any -w /tmp/pam.cap -v


> On Manager server it is showing listening
>
> Code:
> --------------------
> tcp 0 0 127.0.0.1:51044 0.0.0.0:* LISTEN 2797/xqd
> tcp 0 0 0.0.0.0:13389 0.0.0.0:* LISTEN 2221/unifid
> tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN 2221/unifid
> tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2293/rpcbind
> tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2672/sshd
>
> --------------------
>
> But when I telnet to 2222 from my client to the manager, it shows me
> connected


That sounds okay as a TCP-level test.

> Both systems are SUSE Linux


Which versions/SPs of SLES are you using for these?

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
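Before reaching for a wire trace, it helps to pull only the SSL accept failures out of the agent's unifid.log and see which peer and which thread they belong to. The following is an added example, not code from the thread or from PAM itself; it assumes the comma-separated field layout shown in the quoted log (timestamp, two counters, a pid-like number, level, message) and treats the third numeric field as a per-connection id, which is an assumption used only to pair each "Error (N) accepting" line with the "SSL_accept:" line that follows it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the unifid.log layout quoted in the thread.
SAMPLE_LOG = """\
Tue Dec 19 22:04:52 2017, 596, 115181312, 2720, Info, Registration successful for userapp (Unlicensed (pam)) to registry pam
Tue Dec 19 22:05:20 2017, 604, 115181312, 2720, Info, rexec logMsg client:pam rc:0 status:0 (0ms)
Tue Dec 19 22:07:44 2017, 733, 101033728, 2720, Info, Error (5) accepting SSL connection from 192.168.1.176
Tue Dec 19 22:07:44 2017, 733, 101033728, 2720, Info, SSL_accept: error syscall 0
Tue Dec 19 22:51:04 2017, 635, 117286656, 2720, Info, Error (5) accepting SSL connection from 192.168.1.176
Tue Dec 19 22:51:04 2017, 636, 117286656, 2720, Info, SSL_accept: error syscall 0
unifid.log lines 266-302/302 (END)
"""

# Field names are assumptions based on the visible layout, not PAM's documented schema.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} \d{4}), (?P<ms>\d+), "
    r"(?P<conn>\d+), (?P<pid>\d+), (?P<level>\w+), (?P<msg>.*)$"
)
SSL_ERR_RE = re.compile(r"Error \((?P<code>\d+)\) accepting SSL connection from (?P<peer>[\d.]+)")
ACCEPT_RE = re.compile(r"SSL_accept: (?P<detail>.*)")


def parse_line(line):
    """Split one log line into fields; return None for pager trailers or foreign text."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    return rec


def ssl_accept_failures(text):
    """Return {peer_ip: [(timestamp, error_code, ssl_accept_detail), ...]}.

    The SSL_accept line that shares the assumed connection id with a preceding
    'Error (N) accepting SSL connection' line is attached as that event's detail.
    """
    events = defaultdict(list)
    pending = {}  # assumed connection id -> event still waiting for its SSL_accept detail
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        m = SSL_ERR_RE.search(rec["msg"])
        if m:
            events[m["peer"]].append([rec["ts"], int(m["code"]), None])
            pending[rec["conn"]] = events[m["peer"]][-1]
            continue
        m = ACCEPT_RE.search(rec["msg"])
        if m and rec["conn"] in pending:
            pending.pop(rec["conn"])[2] = m["detail"]
    return {peer: [tuple(e) for e in evs] for peer, evs in events.items()}
```

Run it over the real file with `ssl_accept_failures(open("/var/opt/netiq/npum/logs/unifid.log").read())` (path is an assumption; use wherever your install keeps unifid.log) to get a per-peer list of failures to compare with the tcpdump capture.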
Micro Focus Expert

Re: PAM 3.2

The above suggestions are great; for more details regarding PAM SSH Relay, please refer to the documentation:
https://www.netiq.com/documentation/privileged-account-manager-3/npam_admin/data/t42urslwgwm6.html#bskgwg9

PAM SSH Relay listens on port 2222; an ssh client connects to this, and then a relayed/proxied connection is started from the PAM SSH Relay server to the target run host server. So the scenario looks like this:
ssh client -> PAM SSH Relay (port 2222) -> target run host server (port 22, or whichever port is configured for this connection in the Enterprise Credential Vault)

The following command can be used to see what ssh connections are available to the user according to PAM CmdCtrl:
ssh -t -p2222 <PAMUser@sshrelayhost>
Or you can specify the target run host as well:
ssh -t -p2222 <PAMUser@sshrelayhost> <root@hostname>

Or you can use the MyAccess user portal to start this ssh relay connection as well with the applet.

Please verify the CmdCtrl rule has the Run Host configured properly.