Why is TPAM failing to access /etc/shadow on a Linux system when testing an account?
When testing an account, the command sent to the Linux system from TPAM (when using password authentication) is:
ssh -2 -v -l <FUNC_ACCOUNT> -p <PORT> -o PubKeyAuthentication=no -o NumberOfPasswordPrompts=1 -o ConnectTimeout=<TIMEOUT> <IP_ADDRESS> <DELEGATION_PREFIX> grep -w <FUNC_ACCOUNT> /etc/shadow
The test fails when the functional account cannot read /etc/shadow, which by default is readable only by root. Methods to correct the permissions depend on the environment and requirements, but the functional account must be able to run grep against the /etc/shadow file.
One solution is to add the Linux functional account to the Linux system's 'sudoers' file and then add the 'sudo' command (or 'su', depending on the target system) to the 'Delegation Prefix' field on the 'Systems Management | Details | Information' tab.
Alternatively, the read permissions on the /etc/shadow file could be changed, either directly or through group membership.
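The following script is an added example (not One Identity's code) that re-runs the same check TPAM issues over SSH against a shadow file and distinguishes "account has no shadow entry" from "file not readable", which is what an administrator needs to know before choosing one of the fixes above. The account name tpamsvc, the sample shadow file and the /usr/bin/grep path in the sudoers comment are assumptions.

```shell
#!/bin/sh
# Added example, not TPAM's own code. Re-runs the check TPAM sends over SSH
# ("<DELEGATION_PREFIX> grep -w <FUNC_ACCOUNT> /etc/shadow") and classifies
# the result using grep's exit codes: 0 = match, 1 = no match, 2 = error
# (for example "Permission denied" or a missing file).
#
# Return codes: 0 entry found, 1 no entry for the account, 2 file unreadable.
tpam_shadow_check() {
    acct="$1"
    shadow="${2:-/etc/shadow}"
    prefix="${3:-}"   # same value as TPAM's Delegation Prefix, e.g. "sudo"
    # prefix is intentionally unquoted so "sudo" expands to a command word
    $prefix grep -w "$acct" "$shadow" >/dev/null 2>&1
    rc=$?
    case $rc in
        0) echo "OK: $acct has an entry in $shadow"; return 0 ;;
        1) echo "FAIL: no entry for $acct in $shadow (check the account name)"; return 1 ;;
        *) echo "FAIL: cannot read $shadow as $(id -un) (grep rc=$rc);" \
                "grant access via a sudo Delegation Prefix or group permissions"
           return 2 ;;
    esac
}

# Constructed sample shadow file for offline testing; hashes are placeholders.
make_sample_shadow() {
    f=$(mktemp) || return 1
    printf '%s\n' \
        'root:*:19000:0:99999:7:::' \
        'tpamsvc:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19000:0:99999:7:::' \
        'tpam:!:19000:0:99999:7:::' > "$f"
    chmod 600 "$f"
    echo "$f"
}

# Least-privilege sudoers entry that allows exactly the test command and
# nothing else (assumes grep is /usr/bin/grep; set Delegation Prefix to "sudo"):
#   tpamsvc ALL=(root) NOPASSWD: /usr/bin/grep -w tpamsvc /etc/shadow

# Run directly: tpam_shadow_check <account> [shadow_file] [delegation_prefix]
if [ "$#" -gt 0 ]; then
    tpam_shadow_check "$@"
fi
```

Because grep -w matches whole words, tpam and tpamsvc are reported separately even though one is a prefix of the other, matching what TPAM's test sees.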