The following steps and configurations need to be reviewed to resolve this issue: confirm the Linux system's /etc/shadow file and its sudoers file.
The "Linux" platform uses grep -w /etc/shadow for "Test System" and "Check Password", and the passwd command for "Reset Password".
In many cases, when performing a Test System, Reset Password or Check Password for Unix/Linux Systems and Accounts, a failure will produce output that explains the problem.
The command that TPAM is trying to send will be seen near the top, such as:
spawn -nottyinit /usr/bin/ssh -v -2 -l funcacct -i /home/edmzpar/keys/********************* -p 22 -o BatchMode=yes -o PasswordAuthentication=no -o ConnectTimeout=25 10.10.10.10 sudo grep -w funcacct /etc/shadow
In this case, TPAM is attempting to grep the /etc/shadow file with the user funcacct. Does this user have the necessary permission to do so?
Towards the bottom, there are errors related to connection problems or authentication failures.
ssh: connect to host 10.10.10.10 port 22: Connection refused
- Is the network address correct? Is the port blocked? Is there a network routing issue?
It will cycle through the available authentication methods:
debug1: Authentications that can continue: publickey,password
When it cannot authenticate successfully using any of the available methods, it will report:
debug1: No more authentication methods to try.
- Verify that your functional account credentials are correct and that the necessary authentication methods have been enabled. (i.e. if password authentication is being used, has it been enabled in the ssh_config file on the system?)
When testing an account, the command sent to the Linux system from TPAM (when using password authentication) is:
ssh -2 -v -l <FUNC_ACCOUNT> -p <PORT> -o PubKeyAuthentication=no -o NumberOfPasswordPrompts=1 -o ConnectTimeout=<TIMEOUT> <IP_ADDRESS> <DELEGATION_PREFIX> grep -w <FUNC_ACCOUNT> /etc/shadow
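As an added example (not part of the article and not TPAM code), the following POSIX shell functions triage a saved copy of the verbose ssh transcript shown above and map it to the three causes the article walks through: a network problem, an authentication failure, or a successful login that then lacks permission on /etc/shadow. The transcripts embedded in the script are constructed samples modelled on the lines quoted in the article; the account name funcacct and address 10.10.10.10 are taken from it.

```shell
#!/bin/sh
# Added example, not part of the article or of TPAM: classify the verbose
# ssh transcript that TPAM shows after a failed Test System / Check Password.

# Constructed sample transcripts, modelled on the lines quoted in the article.
LOG_REFUSED='spawn -nottyinit /usr/bin/ssh -v -2 -l funcacct -p 22 10.10.10.10 sudo grep -w funcacct /etc/shadow
ssh: connect to host 10.10.10.10 port 22: Connection refused'

LOG_AUTH='debug1: Authentications that can continue: publickey,password
debug1: No more authentication methods to try.
funcacct@10.10.10.10: Permission denied (publickey,password).'

LOG_PERM='debug1: Authentication succeeded (publickey).
grep: /etc/shadow: Permission denied'

# diagnose_ssh_log TRANSCRIPT -> one of: network, auth, permission, unknown
diagnose_ssh_log() {
    case $1 in
        *'Connection refused'*|*'Connection timed out'*|*'No route to host'*)
            echo network ;;       # address, port, firewall or routing problem
        *'No more authentication methods to try'*)
            echo auth ;;          # wrong credentials, or the method is disabled in sshd_config
        *'/etc/shadow: Permission denied'*)
            echo permission ;;    # ssh worked; the account cannot read /etc/shadow
        *)
            echo unknown ;;
    esac
}

# offered_auth_methods TRANSCRIPT -> the methods the server advertised, e.g.
# "publickey,password"; empty if the connection never reached authentication
offered_auth_methods() {
    printf '%s\n' "$1" | sed -n 's/^debug1: Authentications that can continue: //p' | head -n 1
}

# remote_command TRANSCRIPT -> the command TPAM asked the target to run, taken
# from the spawn line (everything after the dotted target address)
remote_command() {
    printf '%s\n' "$1" | sed -n 's/^spawn .* [0-9.]\{7,\} //p' | head -n 1
}

# Usage on a transcript saved from the TPAM interface:
#   diagnose_ssh_log "$(cat tpam_test_output.txt)"
```

The "permission" result is the case the rest of this article deals with: ssh and authentication are fine, and the fix is on the target's sudoers configuration rather than on TPAM.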
Methods to correct the permissions depend on the environment and requirements. The functional account will need to be able to grep the /etc/shadow file.
Possible solutions would be to add the Linux functional account to the Linux system's 'sudoers' file and then add the 'sudo' (or 'su', depending on the target system) command to the 'Delegation Prefix' on the 'Systems Management | Details | Information' tab.
Alternatively, the permissions of the /etc/shadow file could be modified directly, or through group membership.
Linux and other Unix systems: add the following entries to the sudoers file:
Defaults:funcacct !requiretty
funcacct ALL=(root) NOPASSWD: /bin/grep
funcacct ALL=(root) NOPASSWD: /usr/bin/passwd
funcacct ALL=(root) NOPASSWD: /bin/sed # Only required for Account Discovery
Then log into TPAM and go to the *nix systems that are configured to be managed by the functional account (funcacct) created.
On the system’s Details tab in the "Delegation Prefix" enter the full path and location of sudo.
Example: /usr/bin/sudo
Click “Save Changes”, then click “Test System”; a success message should appear.
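As an added example (not the article's own procedure and not TPAM code), the following POSIX shell functions check a sudoers fragment for the functional account (assumed to be named funcacct, as in the article) against the rules listed above, and additionally flag an unrestricted NOPASSWD: ALL rule, which grants far more than the grep and passwd commands TPAM needs. Both fragments in the script are constructed samples.

```shell
#!/bin/sh
# Added example, not from the article or from TPAM: verify that a sudoers
# fragment grants the functional account the commands the article lists
# (!requiretty, NOPASSWD grep and passwd) and nothing over-broad.

# Constructed fragment matching the article's rules (as in /etc/sudoers.d/tpam).
SUDOERS_OK='Defaults:funcacct !requiretty
funcacct ALL=(root) NOPASSWD: /bin/grep
funcacct ALL=(root) NOPASSWD: /usr/bin/passwd
funcacct ALL=(root) NOPASSWD: /bin/sed # Only required for Account Discovery'

# Constructed fragment that is both incomplete (no !requiretty, no grep rule)
# and over-broad (unrestricted ALL as root).
SUDOERS_BAD='funcacct ALL=(root) NOPASSWD: ALL
funcacct ALL=(root) NOPASSWD: /usr/bin/passwd'

# has_rule FRAGMENT USER COMMAND -> success if a "USER ALL=(root) NOPASSWD: COMMAND"
# rule exists; trailing "# ..." comments are stripped first
has_rule() {
    printf '%s\n' "$1" | sed 's/#.*//' \
        | grep -Eq "^[[:space:]]*$2[[:space:]]+ALL=\\(root\\)[[:space:]]+NOPASSWD:[[:space:]]*$3([[:space:]]|\$)"
}

# check_sudoers FRAGMENT USER -> prints "ok" or a space-separated list of findings
check_sudoers() {
    frag=$1; user=$2; findings=''
    # sudo must not demand a tty, since TPAM runs the command non-interactively
    printf '%s\n' "$frag" | grep -Eq "^Defaults:$user[[:space:]]+!requiretty" \
        || findings="$findings missing-!requiretty"
    # grep is needed for Test System / Check Password, passwd for Reset Password;
    # /bin/sed is only needed for Account Discovery and is not checked here
    for cmd in /bin/grep /usr/bin/passwd; do
        has_rule "$frag" "$user" "$cmd" || findings="$findings missing-$cmd"
    done
    # An unrestricted ALL rule gives the account full root, far beyond what TPAM needs
    printf '%s\n' "$frag" | sed 's/#.*//' \
        | grep -Eq "^[[:space:]]*$user[[:space:]]+ALL=.*NOPASSWD:[[:space:]]*ALL([[:space:]]|\$)" \
        && findings="$findings overbroad-ALL"
    if [ -z "$findings" ]; then echo ok; else echo "${findings# }"; fi
}

# Usage against a copy of the real file:
#   check_sudoers "$(cat /etc/sudoers.d/tpam)" funcacct
```

This only inspects the text of one fragment; on the target itself, `visudo -c` validates the syntax and `sudo -l -U funcacct` shows the rules that are actually in effect once all included files are merged. Note that even the article's rules are not narrow: grep and sed run as root with whatever arguments the caller supplies, so the functional account's key and password deserve the same protection as a root credential.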
Different versions of Linux and UNIX may require slightly different parameters for SSH configuration. Consult a Linux/UNIX system administrator for assistance.
Edit the sshd configuration file on the client system (/etc/ssh/sshd_config) to include the following in the “Authentication” section:
PasswordAuthentication yes
PermitRootLogin yes
PermitUserEnvironment yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
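As an added example (not from the article and not TPAM code), the following POSIX shell functions read an sshd_config excerpt and report which of the settings listed above have a different effective value. sshd honours the first occurrence of a keyword, not the last, so the parser does the same; the excerpt in the script is a constructed sample that deliberately sets PasswordAuthentication twice.

```shell
#!/bin/sh
# Added example, not from the article: compare the effective values in an
# sshd_config against the settings the article lists. Assumes the plain
# "Keyword value" form (no "Keyword=value") and no Match blocks.

# Constructed sshd_config excerpt. The first PasswordAuthentication line wins,
# so the later "yes" has no effect, which is exactly the kind of mistake
# that makes TPAM report "No more authentication methods to try".
SSHD_SAMPLE='# Authentication:
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PasswordAuthentication yes
PermitUserEnvironment yes'

# sshd_value CONFIG KEYWORD -> effective value (first match, keyword compared
# case-insensitively, comments ignored); prints nothing if the keyword is unset
sshd_value() {
    printf '%s\n' "$1" | sed 's/#.*//' \
        | awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }'
}

# check_sshd CONFIG -> prints "ok", or each keyword whose effective value
# differs from the article's requirement, as KEYWORD=actual (or KEYWORD=unset)
check_sshd() {
    cfg=$1; findings=''
    for pair in PasswordAuthentication=yes PermitRootLogin=yes \
                PermitUserEnvironment=yes PubkeyAuthentication=yes \
                AuthorizedKeysFile=.ssh/authorized_keys; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_value "$cfg" "$key")
        [ "$got" = "$want" ] || findings="$findings $key=${got:-unset}"
    done
    if [ -z "$findings" ]; then echo ok; else echo "${findings# }"; fi
}

# Usage against a copy of the real file:
#   check_sshd "$(cat /etc/ssh/sshd_config)"
```

On the target itself, `sshd -T` (run as root) prints the fully resolved configuration, including defaults and included files, and is the authoritative source when this offline check and the observed behaviour disagree. Only the values needed for the account TPAM actually uses have to match: PermitRootLogin matters only when root itself is the functional account, and PasswordAuthentication only when TPAM is configured for password rather than key authentication.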