Can't use auto-connect after viewing a password that has a Dual Auth Password View Policy

Document ID : KB000100494
Last Modified Date : 13/06/2018
A target account is configured with a password view policy (PVP) that requires dual authentication. The PVP makes no distinction between authentication for view and for auto-connect. However, we find that an approval allows only one type of password access, either view or auto-connect. While the account is approved for password view, it cannot be used for auto-connect, and vice versa.
Steps to reproduce:
1. Create a Password View Policy that has Dual Auth configured.
2. Add the Password View Policy to a target account.
3. Use the target account as part of a policy for both auto-connect and password view.
4. As the user of the policy you just created, log in to PAM and view the password.
5. Try auto-connect by clicking the ssh button under the access method column.
Result: Error message: PAM-CM-1128: Password request is only approved for View (not Auto-Connect).
This applies to PAM 3.2, the latest release at the time of writing, and any lower release.
By design, PAM approves only a specific type of password access.

This is working as designed. The main use of auto-connect is for users to be able to access a target device without having to know the credentials. In general it is not desirable to give the user access to the password when auto-connect is configured and granted. Similarly, if there is a need for password view, the expectation is that this is done for a purpose other than connecting to a target device through PAM, and the approval is for that specific purpose.

The corresponding messages, which are documented e.g. at, are consistent with the design:

PAM-CM-1128 = Password request is only approved for View (not Auto-Connect).

PAM-CM-1129 = Password request is only approved for Auto-Connect (not View).

If you have a business need for approvals that cover both types of account password use, please raise an idea on the PAM community site. As of June 6, 2018 we don't see an open idea specifically for the issue discussed here.