Check Password

Hello,

I have two accounts related to one system, when I use the check password button I realized that it uses the functional account to check other accounts, is it possible to check the account directly without using the functional account?

Kind Regards

  • Hi fran9991,

    TPAM Check Password will use the account itself to login to the target system and verify if the password that is saved in TPAM allows a successful login; if it succeeds then the check password is successful, however, if the login fails then TPAM assumes a password mismatch. TPAM will use the functional account to verify if the managed account exists or is disabled as part of the Check Password process. Also, depending on what type of System platform is used, TPAM can have different requirements for Check Password to complete successfully.

    Thanks!

  • Hello Ahmad,

    This is the output that I get when I check the password. The default account is for test purposes, and then it tries to use the default, but I want to test the utomcat; when I schedule a PSM session I can log on.

    [05/15/2020 17:26:07] Gathering the check details for utomcat on MX1EPS01BSAB...
    [05/15/2020 17:26:07] Retrieving the password hash for utomcat on MX1EPS01BSAB (Linux System) using default ...
    [05/15/2020 17:26:08] spawn -nottyinit /usr/bin/ssh -v -2 -l default -p 22 -o PubKeyAuthentication=no -o NumberOfPasswordPrompts=1 -o ConnectTimeout=20 10.242.208.26 grep -w utomcat /etc/shadow
    [05/15/2020 17:26:08] OpenSSH_7.4p1, OpenSSL 1.0.2j 26 Sep 2016
    [05/15/2020 17:26:08] debug1: Reading configuration data /etc/ssh_config
    [05/15/2020 17:26:08] debug1: Connecting to 10.242.208.26 [10.242.208.26] port 22.
    [05/15/2020 17:26:08] debug1: fd 3 clearing O_NONBLOCK
    [05/15/2020 17:26:08] debug1: Connection established.
    [05/15/2020 17:26:08] debug1: key_load_public: No such file or directory
    [05/15/2020 17:26:08] debug1: identity file /home/QuestService/.ssh/id_rsa type -1
    [05/15/2020 17:26:08] debug1: key_load_public: No such file or directory
    [05/15/2020 17:26:08] debug1: identity file /home/QuestService/.ssh/id_rsa-cert type -1
    [05/15/2020 17:26:08] debug1: key_load_public: No such file or directory
    [05/15/2020 17:26:08] debug1: identity file /home/QuestService/.ssh/id_dsa type -1
    [05/15/2020 17:26:08] debug1: key_load_public: No such file or directory
    [05/15/2020 17:26:08] debug1: identity file /home/QuestService/.ssh/id_dsa-cert type -1
    [05/15/2020 17:26:08] debug1: key_load_public: No such file or directory
    [05/15/2020 17:26:08] debug1: identity file /home/QuestService/.ssh/id_ecdsa type -1
    [05/15/2020 17:26:08] debug1: key_load_public: No such file or directory
    [05/15/2020 17:26:08] debug1: identity file /home/QuestService/.ssh/id_ecdsa-cert type -1
    [05/15/2020 17:26:08] debug1: key_load_public: No such file or directory
    [05/15/2020 17:26:08] debug1: identity file /home/QuestService/.ssh/id_ed25519 type -1
    [05/15/2020 17:26:08] debug1: key_load_public: No such file or directory
    [05/15/2020 17:26:08] debug1: identity file /home/QuestService/.ssh/id_ed25519-cert type -1
    [05/15/2020 17:26:08] debug1: Enabling compatibility mode for protocol 2.0
    [05/15/2020 17:26:08] debug1: Local version string SSH-2.0-OpenSSH_7.4
    [05/15/2020 17:26:08] debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
    [05/15/2020 17:26:08] debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
    [05/15/2020 17:26:08] debug1: Authenticating to 10.242.208.26:22 as 'default'
    [05/15/2020 17:26:08] debug1: SSH2_MSG_KEXINIT sent
    [05/15/2020 17:26:08] debug1: SSH2_MSG_KEXINIT received
    [05/15/2020 17:26:08] debug1: kex: algorithm: curve25519-sha256
    [05/15/2020 17:26:08] debug1: kex: host key algorithm: ecdsa-sha2-nistp256
    [05/15/2020 17:26:08] debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    [05/15/2020 17:26:08] debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    [05/15/2020 17:26:08] debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    [05/15/2020 17:26:08] debug1: Server host key: ecdsa-sha2-nistp256 SHA256:7Oy9BTOjbACWfAyVupSsW4svGwadBA6ZPkuan6Q3dF4
    [05/15/2020 17:26:08] debug1: Host '10.242.208.26' is known and matches the ECDSA host key.
    [05/15/2020 17:26:08] debug1: Found key in /home/QuestService/.ssh/known_hosts:4
    [05/15/2020 17:26:08] debug1: rekey after 134217728 blocks
    [05/15/2020 17:26:08] debug1: SSH2_MSG_NEWKEYS sent
    [05/15/2020 17:26:08] debug1: expecting SSH2_MSG_NEWKEYS
    [05/15/2020 17:26:08] debug1: SSH2_MSG_NEWKEYS received
    [05/15/2020 17:26:08] debug1: rekey after 134217728 blocks
    [05/15/2020 17:26:08] debug1: SSH2_MSG_EXT_INFO received
    [05/15/2020 17:26:08] debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
    [05/15/2020 17:26:08] debug1: SSH2_MSG_SERVICE_ACCEPT received
    [05/15/2020 17:26:08] debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
    [05/15/2020 17:26:08] debug1: Next authentication method: password
    [05/15/2020 17:26:08] default@10.242.208.26's password:
    [05/15/2020 17:26:08] debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
    [05/15/2020 17:26:08] debug1: No more authentication methods to try.
    [05/15/2020 17:26:08] Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
    [05/15/2020 17:26:08] Unable to connect to the remote system, permission denied
    [05/15/2020 17:26:08] Unable to connect to MX1EPS01BSAB, or the account utomcat does not exist or is disabled.
    [05/15/2020 17:26:09] Processed the password check for utomcat on MX1EPS01BSAB in 1.983 seconds
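    Added example (not from the thread or from One Identity): a small Python script that parses Check Password output in the format posted above and reports which stage failed. The point it makes is the one in Ahmad's first reply: the SSH session in this output authenticates as the functional account ("default"), not as the managed account ("utomcat"), so the failure is in the functional-account step and the managed account's password was never tested. The sample log is an abridged copy of the output above; the regexes assume that line format and are an assumption of this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: an abridged version of the Check Password output posted
# in this thread (same account names, system name and address as posted).
SAMPLE_LOG = """\
[05/15/2020 17:26:07] Gathering the check details for utomcat on MX1EPS01BSAB...
[05/15/2020 17:26:07] Retrieving the password hash for utomcat on MX1EPS01BSAB (Linux System) using default ...
[05/15/2020 17:26:08] spawn -nottyinit /usr/bin/ssh -v -2 -l default -p 22 -o PubKeyAuthentication=no -o NumberOfPasswordPrompts=1 -o ConnectTimeout=20 10.242.208.26 grep -w utomcat /etc/shadow
[05/15/2020 17:26:08] debug1: Authenticating to 10.242.208.26:22 as 'default'
[05/15/2020 17:26:08] debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
[05/15/2020 17:26:08] debug1: Next authentication method: password
[05/15/2020 17:26:08] default@10.242.208.26's password:
[05/15/2020 17:26:08] debug1: No more authentication methods to try.
[05/15/2020 17:26:08] Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
[05/15/2020 17:26:08] Unable to connect to the remote system, permission denied
[05/15/2020 17:26:08] Unable to connect to MX1EPS01BSAB, or the account utomcat does not exist or is disabled.
[05/15/2020 17:26:09] Processed the password check for utomcat on MX1EPS01BSAB in 1.983 seconds
"""

# Line patterns assumed from the posted output (the leading '[' is optional because
# the first line of the pasted log had lost it).
TS_RE = re.compile(r"^\[?\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\] (.*)$")
HASH_RE = re.compile(r"Retrieving the password hash for (\S+) on (\S+) .*? using (\S+)")
AUTH_AS_RE = re.compile(r"Authenticating to (\S+):(\d+) as '([^']+)'")
CAN_CONTINUE_RE = re.compile(r"Authentications that can continue: (\S+)")
NEXT_METHOD_RE = re.compile(r"Next authentication method: (\S+)")


@dataclass
class CheckResult:
    managed_account: Optional[str] = None   # account whose password is being checked
    system: Optional[str] = None            # TPAM system name
    functional_account: Optional[str] = None
    login_as: Optional[str] = None          # user the ssh session actually authenticated as
    target: Optional[str] = None            # host ssh connected to
    offered_methods: List[str] = field(default_factory=list)
    tried_methods: List[str] = field(default_factory=list)
    permission_denied: bool = False
    failed_stage: str = "none"              # none | functional_account | managed_account | unknown
    password_auth_rejected: bool = False
    diagnosis: str = ""


def strip_timestamps(log: str) -> List[str]:
    """Return the message part of each log line, dropping the timestamp prefix."""
    msgs = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TS_RE.match(line)
        msgs.append(m.group(1) if m else line)
    return msgs


def analyze_check_password(log: str) -> CheckResult:
    """Classify a Check Password transcript: which account failed and why."""
    r = CheckResult()
    for msg in strip_timestamps(log):
        if (m := HASH_RE.search(msg)):
            r.managed_account, r.system, r.functional_account = m.groups()
        elif (m := AUTH_AS_RE.search(msg)):
            r.target, r.login_as = m.group(1), m.group(3)
        elif (m := CAN_CONTINUE_RE.search(msg)):
            r.offered_methods = m.group(1).split(",")
        elif (m := NEXT_METHOD_RE.search(msg)):
            r.tried_methods.append(m.group(1))
        elif msg.startswith("Permission denied"):
            r.permission_denied = True

    if not r.permission_denied:
        r.diagnosis = "no authentication failure in this output"
        return r

    # The failing login is attributed to whichever account ssh authenticated as.
    if r.login_as and r.login_as == r.functional_account:
        r.failed_stage = "functional_account"
    elif r.login_as and r.login_as == r.managed_account:
        r.failed_stage = "managed_account"
    else:
        r.failed_stage = "unknown"

    # Server offered password auth and the client tried it: the credential itself was refused,
    # as opposed to an auth-method mismatch (e.g. password auth disabled on the target).
    r.password_auth_rejected = "password" in r.offered_methods and "password" in r.tried_methods

    if r.failed_stage == "functional_account":
        r.diagnosis = (f"functional account '{r.functional_account}' was refused by {r.target}; "
                       f"managed account '{r.managed_account}' was never tested.")
    elif r.failed_stage == "managed_account":
        r.diagnosis = f"managed account '{r.managed_account}' was refused by {r.target}."
    else:
        r.diagnosis = "could not attribute the failure to an account."
    if r.password_auth_rejected:
        r.diagnosis += " Password auth was offered and attempted, so the stored password is wrong or the account is locked/disabled."
    else:
        r.diagnosis += " Password auth was not offered or not attempted; check the target's allowed auth methods or key setup."
    return r


if __name__ == "__main__":
    result = analyze_check_password(SAMPLE_LOG)
    print(result.failed_stage, "->", result.diagnosis)
```

    Run against the posted output, the script reports the failed stage as the functional account ("default") with a rejected password, which matches the advice in the thread: Test System for the functional account has to pass before Check Password for utomcat can reach the step that actually tests utomcat's password.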
  • Hi,

    Yes, both the default and the utomcat must be able to authenticate to the target system successfully.
    Test System results on this System must succeed before trying to perform a Check Password.

    Thanks!

  • I see Ahmad,

    When it tries to connect I understand that it uses different methods; in this case I got an error loading the public_key. I think that I have to generate the keys on TPAM, let me know if I'm wrong.

    Thank you for your help!

    Kind Regards

  • It is possible to use Password authentication, and so the default account must exist on the target system and be able to login with a password; then Test System will succeed.

    If you will use key based authentication then yes, you will need the key generated and placed on the target Linux machine:

    https://support.oneidentity.com/tpam/kb/211748/how-to-generate-rsa-keys-for-authentication-on-linux-unix-systems-for-functional-or-privileged-accounts

    Thanks!
