Command Filter List doesn't work

Document ID : KB000047039
Last Modified Date : 14/02/2018

Problem:

Defined command filters are enforced only in the original login shell when a target device is accessed over SSH. If the user changes shells during the session, the command filters are no longer enforced.

Cause:

The command filter feature uses the original shell prompt string, as defined with $PS1, to determine when the filter is to be enforced. This prevents errors when an allowed command requires input and the input strings, which are not commands, match a defined filter. However, this check causes a problem when the shell prompt changes, e.g. when a different shell is entered. The new prompt is not regarded as a shell prompt, and command filters are no longer enforced.

Workaround:

Define $PS1 for all allowed shells such that it results in the same string, or update the filters so that users cannot enter a shell with a different prompt.

Alternatively, integrate with CA PAM Server Control and use that to control user access to commands.
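
One way to approach the first workaround, shown as an added example that is not vendor code: build a prompt with no shell-specific escape sequences and emit it as a profile snippet. The function names are hypothetical, and the example assumes the filter compares the rendered prompt text.

```shell
#!/bin/sh
# Added example (not vendor code). Function names are hypothetical.
# Assumption: the filter matches the rendered prompt text, so the PS1 value
# must not depend on how a particular shell interprets it.

# Build the prompt from already-expanded values, leaving nothing to interpret.
fixed_prompt() {            # $1 = user name, $2 = host name
    printf '%s@%s$ ' "$1" "$2"
}

# Return 0 if a PS1 value renders differently depending on the shell.
uses_prompt_escapes() {
    case "$1" in
        *\\*) return 0 ;;                           # bash: \u \h \w \$
        *%[A-Za-z]*|*'%#'*|*'%~'*) return 0 ;;      # zsh: %n %m %# %~
        *'$('*|*'${'*|*'$'[A-Za-z_]*) return 0 ;;   # expanded only by some shells
        *) return 1 ;;
    esac
}

# Emit a snippet for a profile file read by the login shell. PS1 is exported
# so that child shells inherit it; rc files that reassign PS1 (for example
# ~/.bashrc) need the same value, or the prompt still changes.
emit_profile_snippet() {
    p=$(fixed_prompt "$1" "$2")
    if uses_prompt_escapes "$p"; then
        echo "refusing: prompt contains shell-specific sequences" >&2
        return 1
    fi
    printf "PS1='%s'\nexport PS1\n" "$p"
}

# Demo for the current account on this host.
emit_profile_snippet "$(id -un)" "$(uname -n)"
```

After deploying such a snippet, start each allowed shell from the login shell and confirm the prompt text is identical before relying on the filters.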