SSH commands executed through PAM failing due to ^E

Document ID : KB000123970
Last Modified Date : 02/02/2019
Issue:
When working in SSH sessions launched from the SSH applet in PAM 3.2.3, commands fail to execute on some target devices. The command history shows a ^E character appended to the end of the line, or inserted wherever the cursor was positioned when the Enter key was pressed, and the added character causes the command to fail. This behavior may differ between individual accounts, especially when they use different shells.
Environment:
CA PAM 3.2.3
SSH Devices
Cause:

A previous issue caused some commands to be garbled when they were executed with the cursor somewhere in the middle of the command. To resolve it, PAM 3.2.3 added a feature that sends the shortcut key Ctrl + E (^E) immediately before the Carriage Return (CR), the character sent when the user presses the Enter key on the keyboard. In common command line editing interfaces, Ctrl + E moves the cursor to the end of the line. This works as expected on most Linux and UNIX systems. On some systems, however, the default command line editing interface does not support this shortcut. In that case the ^E character is inserted at the current cursor location, which may cause the command to fail. The character is added even when the cursor is already at the end of the line.

Note: It is possible that some accounts have working configurations on the same device, especially if they are using different shells or have customized login scripts.

Resolution:

Hotfix 3.2.3.01 is available now on request. Please open a support case and request the hotfix if you experience this problem with PAM 3.2.3.
The problem will also be fixed in PAM 3.2.4, which is expected to be generally available in the week of Feb 11, 2019.

Without the hotfix the problem can be avoided by adding either of the following commands to a shell login script:
set -o vi
set -o emacs

Running "set -o vi" or "set -o emacs" from the command line after login will also stop the insertion of the Ctrl-E character.

Here are a few examples of files that may be updated. Other files may exist depending on the shell; contact the system admin for more information on the specific system.

System-wide or shell-wide:
/etc/profile
/etc/bashrc
/etc/bash.bashrc

Individual Users:
~/.profile
~/.bashrc
~/.bash_profile
~/.cshrc
~/.kshrc
~/.login
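
One way to apply the "set -o" workaround in a Bourne-style login script (sh, bash, ksh; the syntax does not apply to csh files such as ~/.cshrc), shown as an added example that is not part of the original article. The function names are hypothetical, and it assumes "set -o" lists one option per line, as bash and dash do.

```shell
# Added example for Bourne-style login scripts; function names are hypothetical.

# Read `set -o` output on stdin and print the active editing mode:
# "emacs", "vi", or "none". Assumes one "name state" pair per line,
# for example "emacs   on".
active_edit_mode() {
    awk '($1 == "emacs" || $1 == "vi") && $2 == "on" { print $1; found = 1; exit }
         END { if (!found) print "none" }'
}

# Enable emacs editing mode only for interactive shells that have no
# editing mode yet, so an existing `set -o vi` preference is left alone.
ensure_line_editing() {
    case $- in
        *i*) ;;            # interactive shell: continue
        *)   return 0 ;;   # scripts, scp, sftp: nothing to change
    esac
    if [ "$(set -o 2>/dev/null | active_edit_mode)" = "none" ]; then
        set -o emacs 2>/dev/null || return 1
    fi
    return 0
}

ensure_line_editing
```

To check an account after login, run "set -o" and confirm that either emacs or vi is reported as on.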


Other Workaround:
If it is not possible to change the profile, or a workaround is required while waiting on a change request, it may be possible to work around the problem by using a TCP/UDP Service. PuTTY or a similar SSH client can be defined as a TCP/UDP Service and used instead of PAM's built-in SSH Client (see the link below for instructions). PAM features such as auto-login and recording remain available, so security can be maintained, but the SSH client must be installed on the end user's PC.

TCP/UDP Service Creation:
https://docops.ca.com/ca-privileged-access-manager/3-2-3/EN/implementing/configure-policies-to-provision-user-access-to-devices-and-applications/provisioning-devices/set-up-access-to-a-target-device/create-tcp-udp-services-to-access-a-device