Problems verifying passwords on Palo Alto devices

Document ID : KB000115191
Last Modified Date : 19/09/2018
Issue:
We created a target application of type "Palo Alto" and a target account associated with the target application for a privileged account. The password is correct and the account can be used successfully for auto-login to the device using the SSH applet in PAM. But when we try to verify the password in PAM it fails, and the tomcat log shows the following error:
com.cloakware.cspm.server.plugin.ClientChannelTimeoutException: Failed to find regular expression pattern(s) while reading from the communications channel: [(?si).*(@PA-)]

Environment:
This affects PAM 3.X releases, including the latest release as of the writing of this document, PAM 3.2.2.
Cause:
The default Palo Alto target connector script for credential verification uses a regular expression that requires the substring "@PA-" to be part of the shell prompt. On many Palo Alto devices the prompt is different. A common syntax is "<username>@<hostname>PA-XXX>", and in a clustered environment it may look different still. The "PA-" substring may or may not be part of the user prompt. What the prompts typically have in common is the "@" character and the ending ">" character.
Resolution:
Use a replacement script in the Palo Alto target application with a regular expression that accommodates the shell prompts for all target accounts you want to vault in PAM.
Common parts of the shell prompts are the "@" character and the ending ">" character. The USERPROMPT pattern in the sample verify script below uses this as its basis. Implement a custom script as follows:

1. Edit the Palo Alto target application and go to the "Credentials Script" section.
2. Under Verify select "Use a replacement script".
3. Copy the replacement script into the "Replacement Script:" text box, possibly after updating the USERPROMPT pattern on line 13 to match the shell prompts of your accounts as needed. Reducing wildcards as much as possible improves protection against false matches.
4. Save the target application and try to verify the target account again. Now it should work.


Sample replacement script:

// ***************************************************************************
// VERIFY CREDENTIALS SCRIPT
// ***************************************************************************

import com.cloakware.cspm.server.plugin.ExtendedTargetManager;

import com.cloakware.cspm.server.plugin.ClientChannelTimeoutException;
import com.cloakware.cspm.server.plugin.targetmanager.PaloAltoSSHTargetManager;
import com.cloakware.cspm.server.plugin.targetmanager.PaloAltoSSHTargetManager.AccountType;
import java.util.regex.Pattern;

log.debug( "start executing the modified Palo Alto Manager credentials verification script" );
Pattern USERPROMPT=Pattern.compile(".*(@..*>).*");
// Adjust USERPROMPT above to match the actual prompts of your accounts; the fewer
// wildcards it contains, the less likely it is to match a banner or other output.

try {
    if (pwType.equals(AccountType.PRIVILEGED)) {
        // Block until the device prints the shell prompt; seeing it means the login succeeded.
        channel.readUntil(USERPROMPT);
        result.setSuccess(true);
    } else if (pwType.equals(AccountType.USER)) {
        result.setSuccess( false );
        result.setErrorCode( PaloAltoSSHTargetManager.ERROR_CANNOT_UPDATE_AS_USER_ACCOUNT );
        result.setErrorMessage( "Cannot use another account's credentials to verify this account's credentials; the operation is not supported." );
        return;
    }
} catch ( ClientChannelTimeoutException ex ) {
    // readUntil gave up without seeing the prompt: this is the exception quoted in the Issue section.
    result.setSuccess( false );
    result.setErrorCode( PaloAltoSSHTargetManager.ERROR_FAILED_TO_VERIFY_ACCOUNT_CREDENTIALS );
    result.setException( ex );
    result.setErrorMessage( "Failed to verify credentials.  Review the log file for further information or else contact your Administrator." );
}
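To see why the default pattern fails on non-default prompts, and why fewer wildcards protect against false matches, here is an added Java harness that is not part of this article or of PAM: it runs the default connector pattern quoted in the log, the USERPROMPT pattern from line 13 of the sample script, and a tighter hypothetical variant (STRICT_PROMPT) over constructed prompt strings. It assumes readUntil checks the output read so far with find() semantics; the hostnames and the banner line are made up.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class PromptPatternCheck {
    // Default connector pattern, as quoted in the tomcat log in the Issue section.
    static final Pattern DEFAULT_PROMPT = Pattern.compile("(?si).*(@PA-)");
    // USERPROMPT from line 13 of the sample replacement script.
    static final Pattern USERPROMPT = Pattern.compile(".*(@..*>).*");
    // Hypothetical tighter variant: user@host on its own line, ending in ">".
    static final Pattern STRICT_PROMPT = Pattern.compile("(?m)^[\\w.-]+@[\\w.()-]+>\\s*$");

    // Constructed device output samples; hostnames and the banner text are made up.
    static final Map<String, String> SAMPLES = new LinkedHashMap<>();
    static {
        SAMPLES.put("factory hostname", "admin@PA-3020>");
        SAMPLES.put("custom hostname", "admin@fw-edge01PA-220>");
        SAMPLES.put("HA cluster member", "admin@fw-edge01(active)>");
        SAMPLES.put("configure mode", "admin@fw-edge01# ");
        SAMPLES.put("login banner only", "Support: noc@example.com <-> NOC desk\n");
    }

    /** True when the pattern is found anywhere in the output read so far. */
    static boolean promptSeen(Pattern p, String output) {
        return p.matcher(output).find();
    }

    public static void main(String[] args) {
        System.out.printf("%-20s %-8s %-10s %s%n", "sample", "default", "USERPROMPT", "strict");
        for (Map.Entry<String, String> e : SAMPLES.entrySet()) {
            System.out.printf("%-20s %-8b %-10b %b%n", e.getKey(),
                promptSeen(DEFAULT_PROMPT, e.getValue()),
                promptSeen(USERPROMPT, e.getValue()),
                promptSeen(STRICT_PROMPT, e.getValue()));
        }
    }
}
```

The default pattern only matches the factory-hostname prompt, USERPROMPT matches all three real prompts but also the banner line (because "@" and ">" happen to share that line), and the stricter pattern matches the three prompts and nothing else.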