SSH Key Discovery no longer working after upgrade to 3.1.1 or 3.2

Document ID : KB000097153
Last Modified Date : 18/05/2018
Issue:
A discovery job that used to find multiple accounts and SSH keys on a Linux device finds only the accounts after the upgrade to PAM 3.1.1. The SSH keys are still there and the same account is used for discovery. Nothing changed on the target device.
Environment:
PAM 3.1.1 or PAM 3.2
Cause:
In prior releases, discovery jobs had a problem with SSH key discovery when the /etc/ssh/sshd_config file set the AuthorizedKeysFile parameter to a relative path, such as
AuthorizedKeysFile .ssh/authorized_keys
PAM 3.1.1 and 3.2 fixed this problem, but did not account for the case where an absolute path is configured, either explicitly or through the %h parameter, which represents the user's home directory. For example, the entry
AuthorizedKeysFile %h/.ssh/authorized_keys
allowed successful discovery of SSH keys in PAM 2.8 and 3.0, but causes a failure in PAM 3.1.1 and 3.2.
Resolution:
This problem will be fixed in the next release, PAM 3.3. As of May 18, 2018 there are no fixes available for either PAM 3.1 or 3.2. If you are using the default path "%h/.ssh/authorized_keys" anyway, you can resolve the problem by commenting out this line in the sshd_config file. If you have a customized path starting with %h/, you can remove that prefix, as the home directory is the default. If your devices use another absolute path that you cannot change, and you cannot find a published patch that includes a solution for your current release, please open a case with PAM support.
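
To see which of the cases above applies to a target device, the following script (an added example, not part of the original article or the product) classifies every active AuthorizedKeysFile value in an sshd_config file. The category labels, function names and the sample configuration are assumptions made for this example; it also reports entries inside Match blocks, which goes slightly beyond the single global entry the article discusses.

```shell
#!/bin/sh
# Classify one AuthorizedKeysFile value by the cases the article describes for
# PAM 3.1.1/3.2 discovery. The category names are this example's own labels.
classify_akf() {
    case "$1" in
        none)                    echo "none" ;;          # sshd checks no key files
        %h/.ssh/authorized_keys) echo "home-default" ;;  # workaround: comment the line out
        %h/*)                    echo "home-custom" ;;   # workaround: remove the %h/ prefix
        /*)                      echo "absolute" ;;      # no workaround: patch or support case
        *)                       echo "relative" ;;      # discovered correctly
    esac
}

# Print "<category> <value>" for every path on each active AuthorizedKeysFile
# line of the file given as $1. Keywords are case-insensitive, lines starting
# with "#" are comments, and "keyword=value" is accepted like "keyword value".
# The body runs in a subshell so that "set -f" (no globbing) stays local.
scan_sshd_config() (
    set -f
    sed -e '/^[[:space:]]*#/d' \
        -e 's/^\([[:space:]]*[A-Za-z]*\)[[:space:]]*=/\1 /' "$1" |
    while read -r key values; do
        [ "$(printf '%s' "$key" | tr 'A-Z' 'a-z')" = "authorizedkeysfile" ] || continue
        for v in $values; do
            printf '%s %s\n' "$(classify_akf "$v")" "$v"
        done
    done
)

# Constructed sample configuration, not taken from a real host.
demo() {
    cfg=$(mktemp) || return 1
    printf '%s\n' \
        '# AuthorizedKeysFile .ssh/authorized_keys' \
        'Port 22' \
        'AuthorizedKeysFile %h/.ssh/authorized_keys /etc/ssh/keys/%u' \
        'Match Group ops' \
        '    authorizedkeysfile=.ssh/ops_keys' > "$cfg"
    scan_sshd_config "$cfg"
    rm -f "$cfg"
}

demo
```

On a real device, run `scan_sshd_config /etc/ssh/sshd_config`; any line reported as home-default, home-custom or absolute matches a case that fails discovery in PAM 3.1.1 and 3.2.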