Unable to SSH to Linux server using SSH Relay with SSH Private Key credential

  • 7021121
  • 26-Jul-2017
  • 26-Jul-2017

Environment

Privileged Account Manager 3.2
Privileged Account Manager 3.1
Privileged Account Manager 3.0

Situation

Unable to SSH to Linux server using SSH Relay with SSH Private Key credential
SSH Relay connection prompts for either "Password:" or "Enter passphrase for private key:"
Private Key has no passphrase (unencrypted / passwordless)
SSH Private Key credential was initially configured with a blank or empty passphrase
Modifying the credential to an encrypted SSH Private Key (with passphrase) still fails

Resolution

At the time of writing, a publicly available fix has not yet been released. The workaround below addresses this issue.

Workaround:
  1. Verify the Private Key is encrypted with a passphrase. This is required for security purposes in PAM.
  2. Delete the problem credential from the SSH Account Domain in Enterprise Credential Vault.
  3. Create a new credential with SSH Private Key, with a proper passphrase configured.
  4. Assign this new credential in the SSH Account Domain.
  5. The ssh-relay connection should work properly with no additional passphrase/password prompt.

Cause

The problem occurs in the Enterprise Credential Vault with an SSH Account Domain when a credential is initially created with a blank or empty passphrase. When that credential is later modified to set the correct passphrase, the change is not persisted, so an ssh-relay session still prompts for a password/passphrase. The same problem does not occur if some invalid passphrase is configured initially; it occurs only when the initial passphrase was blank or empty.

Status

Reported to Engineering

Additional Information

Duplication Steps:

  1. (conditional) Create an SSH key pair to use in this test:
    https://www.netiq.com/documentation/privileged-account-manager-3/npam_admin/data/b1l9jm16.html#brxbky9
    Note: Verify the public key has been copied to the authorized_keys file on the target run host. Be sure to create a private key with some passphrase in order to reproduce this entire problem scenario properly.

  2. Create a new credential in Enterprise Credential Vault for this SSH Account Domain. Be sure to leave Passphrase blank for now and click Add Credential.

  3. Attempt an ssh-relay session to the server with the run user / run host configured here.
    Note: Notice the prompt for "Password:", which is actually the passphrase prompt for the private key.

  4. Modify the credential for this SSH Account Domain from the Enterprise Credential Vault, re-enter the private key and this time enter the proper passphrase for this credential.
    Note: It is now expected that the session will connect with no "Password:" prompt.

  5. Attempt an ssh-relay session once again. Notice the same "Password:" prompt, which is actually a private key passphrase prompt. It appears the credential is not updated with the new passphrase entered in the UI when the initial passphrase was blank or empty.
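Step 1 of the workaround and the note in step 1 of the duplication steps both depend on the private key actually being passphrase-protected before it is entered in the Enterprise Credential Vault. The following check is an added example (not part of this article or of the PAM product): it inspects the key file's own header, the OpenSSH `openssh-key-v1` blob's cipher/KDF fields, the legacy PEM `Proc-Type` header, or the PKCS#8 `ENCRYPTED PRIVATE KEY` container, and the sample blobs are constructed here with only the leading fields, not real keys.

```python
import base64
import struct

def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 length + bytes) at offset."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def key_is_passphrase_protected(pem_text):
    """Return True if the private key text is encrypted (needs a passphrase).

    Handles the three layouts ssh-keygen writes: the native OpenSSH format
    (openssh-key-v1 blob), legacy PEM with a Proc-Type/DEK-Info header, and
    PKCS#8 'ENCRYPTED PRIVATE KEY'. Raises ValueError on anything else.
    """
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-style private key")
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(magic))
        kdf, _ = _read_string(blob, off)
        # An unencrypted key carries ciphername "none" and kdfname "none".
        return not (cipher == b"none" and kdf == b"none")
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True  # PKCS#8 encrypted container is always passphrase-protected
    if header.endswith("PRIVATE KEY-----"):
        # Legacy PEM (RSA/EC/DSA): encryption is signalled by a Proc-Type header.
        return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines[1:])
    raise ValueError("unrecognised key header: " + header)

def _build_openssh_blob(cipher, kdf):
    """Constructed sample: only the leading fields of an openssh-key-v1 blob."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    body = b"openssh-key-v1\x00" + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(body).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 + "\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed samples (truncated blobs, not real keys) to exercise the check.
SAMPLE_UNENCRYPTED = _build_openssh_blob(b"none", b"none")
SAMPLE_ENCRYPTED = _build_openssh_blob(b"aes256-ctr", b"bcrypt")
SAMPLE_LEGACY_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n\nAAAA\n"
    "-----END RSA PRIVATE KEY-----\n"
)
```

Run `key_is_passphrase_protected(open("id_rsa").read())` on the key you intend to upload; a False result means the credential would be created with the blank-passphrase condition this article describes.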