We created a target application of type "Palo Alto" and a target account associated with that target application for a privileged account. The password is correct, and the account can be used successfully for auto-login to the device using the SSH applet in PAM. But when we try to verify the password in PAM, verification fails and the Tomcat log shows the following error:
com.cloakware.cspm.server.plugin.ClientChannelTimeoutException: Failed to find regular expression pattern(s) while reading from the communications channel: [(?si).*(@PA-)]
This affects PAM 3.X releases, including PAM 3.2.2, the latest release as of this writing.
The default Palo Alto target connector script for credential verification uses a regular expression that requires the substring "@PA-" to appear in the shell prompt. On many Palo Alto devices the prompt is different. A common syntax is "<username>@<hostname>PA-XXX>". In a clustered environment it may look different again. The "PA-" substring may or may not be part of the user prompt. Typically the prompts have the "@" character and the ending ">" character in common.
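The mismatch described above, reproduced as an added example (not code from PAM or from this article): Python's `re` handles the `(?si)` flags the same way as the Java pattern quoted in the error. The relaxed pattern, the helper names, and every sample prompt are constructed assumptions, not vendor-supplied values.

```python
import re

# Pattern quoted in the Tomcat error on this page.
DEFAULT_PATTERN = r"(?si).*(@PA-)"
# Assumed relaxed alternative (not a vendor value): "@", a hostname-like run,
# then ">" at the very end of the buffered output, so that a banner that
# merely contains "@" is not mistaken for the prompt.
RELAXED_PATTERN = r"(?si).*@[\w.()\-]+>\s*$"

# Constructed channel output; user names and hostnames are made up.
SAMPLES = {
    "default_style": "Last login: Mon Jan  1 00:00:00\r\nadmin@PA-3020> ",
    "hostname_prefix": "Last login: Mon Jan  1 00:00:00\r\nsvc_pam@fw01PA-850> ",
    "no_pa_substring": "svc_pam@edge-fw-a(active)> ",
    "banner_only": "Contact noc@example.com for access\r\nPassword: ",
}


def prompt_seen(pattern, chunks):
    """Imitate a read-until-match loop on a communications channel.

    Accumulates chunks and returns True as soon as the pattern matches the
    buffer. Returns False when the input runs out, which is the situation
    reported as a timeout in the log.
    """
    compiled = re.compile(pattern)
    buf = ""
    for chunk in chunks:
        buf += chunk
        if compiled.match(buf):
            return True
    return False


def evaluate(samples=SAMPLES, chunk_size=8):
    """Return {sample: (default_matches, relaxed_matches)}."""
    results = {}
    for name, text in samples.items():
        # Split into small pieces to imitate partial reads from the device.
        chunks = [text[i:i + chunk_size] for i in range(0, len(text), chunk_size)]
        results[name] = (
            prompt_seen(DEFAULT_PATTERN, chunks),
            prompt_seen(RELAXED_PATTERN, chunks),
        )
    return results


if __name__ == "__main__":
    for name, (default_ok, relaxed_ok) in evaluate().items():
        print(f"{name:16} default={default_ok!s:5} relaxed={relaxed_ok}")
```

Running it against the actual prompt text captured from an SSH session shows whether the default expectation can ever be met on a given device.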