Why is TPAM failing to access /etc/shadow on a Linux system when testing an account?
When testing an account, the command sent to the Linux system from TPAM (when using password authentication) is:
ssh -2 -v -l <FUNC_ACCOUNT> -p <PORT> -o PubKeyAuthentication=no -o NumberOfPasswordPrompts=1 -o ConnectTimeout=<TIMEOUT> <IP_ADDRESS> <DELEGATION_PREFIX> grep -w <FUNC_ACCOUNT> /etc/shadow
Methods to correct the permissions depend on the environment and requirements. The functional account will need to be able to grep the /etc/shadow file.
One possible solution is to add the Linux functional account to the Linux system's 'sudoers' file and then add the 'sudo' (or 'su', depending on the target system) command to the 'Delegation Prefix' on the 'Systems Management | Details | Information' tab.
Alternatively, the permissions of the /etc/shadow file could be modified, either directly or by using groups.
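For the sudoers approach described above, the following added example (not part of the original article and not TPAM tooling) generates a sudoers rule limited to the exact test command shown earlier, and classifies the result of running that command on the managed host. The function names, the account name svc_tpam and the NOPASSWD tag are assumptions, and the rule covers only the account test command, not any other command TPAM may send.

```shell
#!/bin/sh
# Added example, not TPAM tooling. Function names, the account name svc_tpam
# and the NOPASSWD tag are assumptions.

# Accept only characters that need no escaping in sudoers or the shell.
valid_acct() {
    case $1 in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
}

# Print a sudoers rule allowing exactly the test command:
#   grep -w <acct> /etc/shadow
tpam_sudoers_rule() {
    valid_acct "$1" || { echo "invalid account name" >&2; return 64; }
    grep_path=$(command -v grep) || return 69
    # NOPASSWD is an assumption: no password prompt for this one command.
    printf '%s ALL=(root) NOPASSWD: %s -w %s /etc/shadow\n' \
        "$1" "$grep_path" "$1"
}

# Run the remote half of the test command and classify the outcome.
# $1 account, $2 shadow file (default /etc/shadow), $3 delegation prefix (optional).
tpam_shadow_check() {
    valid_acct "$1" || { echo "invalid"; return 0; }
    file=${2:-/etc/shadow}
    prefix=${3:-}
    rc=0
    # $prefix is unquoted on purpose so "sudo -n" splits into separate words.
    $prefix grep -w "$1" "$file" >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo "ok" ;;
        # File readable but no line for the account. With a sudo prefix,
        # a denied sudo also exits 1, so check the sudoers rule as well.
        1) echo "no-entry" ;;
        # grep error: permission denied or file missing.
        *) echo "cannot-read" ;;
    esac
}

# Usage on the managed host, as the functional account:
#   tpam_shadow_check svc_tpam /etc/shadow sudo
```

Install the generated rule as a drop-in file and validate it with `visudo -c` before relying on it.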