Anyone step me through Casper Remote permissions?

Taylor_Armstron
Valued Contributor

Running into an issue, and realize I'm not sure how something is supposed to work, and the admin guide doesn't go into depth on the specific issue.

Attempting to push a package via Casper remote (or screen share, or just about anything else).

I am logging into Casper Remote using my admin account, which has full administrator access to the JSS.

When I attempt to install a package, or anything else I'm trying, it attempts to create the ssh session, gets to the "Authenticating" stage in the activity window, and then fails.

If I am watching the logs on the client machine when this happens, I get the following error:
"sshd: error: PAM: permission denied for <management account>: from <my workstation> via <my IP>"

I'm seeing this on virtually every machine I've tried so far (out of 15-20).

My question:
What account does Casper Remote attempt to connect as? The management account? The admin account I've logged on with? Judging from the logs, it appears to be using the management account. I can't easily test as the PWD is generated randomly and unique to each machine, but I have no trouble connecting via SSH using any other account, and the "Remote Logon" preference pane is set to allow "all users" for testing at the moment.

Any clues where to start looking?

5 REPLIES

mm2270
Legendary Contributor III

It uses the JSS management account as you already suggested. Question. You said:

"I can't easily test as the PWD is generated randomly and unique to each machine"

How is the password being randomly generated? Something during the initial enrollment, or a policy after the fact using the management account payload?
If the password gets changed for that account outside of a policy in Casper Suite, it will break the JSS's and subsequently Casper Remote's ability to use it since it stores the management account password in a hash in the database and will retrieve it for each machine when it needs to.

Taylor_Armstron
Valued Contributor

Thanks @mm2270

As you suggested - pwd randomly set during enrollment, never touched since. Just bugging me - tested on approx 15-20 systems last night, and I connected to two, and failed on all others. Haven't had time to dig into what is special about those two yet, but it was enough to bug me. I almost would have preferred that it fail across the board :)

I'll try resetting the PWD (in Casper Remote) and see if that manages to work, but I'm guessing it will fail there as well. If nothing else, I can test changing the PWD on a test box via a JSS policy, then try.

mm2270
Legendary Contributor III

I would instead scope a quick policy to a few of the machines failing to do a management account reset (to a new random password) and make sure to use the recurring check-in trigger. Since Recurring check-in is run via the LaunchDaemon, it runs the commands as root and should have no problem resetting the management account passwords on them. Once it's run successfully, try doing a Casper Remote session on them to see if it works.
If it does, then somehow the random password never got stored correctly for those records in the JSS, which is possible. You'd need to open that pwd reset policy on all your Macs to be able to use Remote then.

I'm taking some guesses here. There could be some other cause going on that I'm not thinking of, that someone else might. But it can't hurt to do the above pwd reset policy on a couple of affected systems as a test. Since it's a random password anyway, it will just be a new random password for a few of them.

Josh_Smith
Contributor III

@Taylor.Armstrong I had this issue when using a random password as well. I think it has to do with special characters in the random passwords... which is why sometimes it works and sometimes it doesn't. I switched to using one password for the management account (which I don't even know, some random string) and the issues completely went away. Casper Remote always works now, and has since I made the change.

Randomly generating passwords is great, which is why I chose it to begin with, but wasn't a requirement for us. JAMF has had several bugs related to certain characters in passwords, so I just worked around the issue and have been much happier. I'd be interested to know if others are using the random password feature successfully.

cgolebio
New Contributor III

Question: Do you have a local passcode policy set to expire passcodes after a certain interval?

I ran into this where the management account passcode expired because it is a local account and I had set it for 60 days via configuration profile. Once I reset and updated the JSS with the new password, all was working again.
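
Added example, not part of the thread or of any JAMF tooling: a small triage script for the situation discussed above, where some Macs accept the management account over SSH and most refuse it. It reads collected sshd log lines shaped like the error quoted in the first post and lists the hosts where that account was refused and never accepted, with the PAM reason logged. The syslog prefix, host names, the account name `jssmgmt`, the addresses and the "authentication error" line are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the error quoted in the thread.
SAMPLE_LOG = """\
Mar  3 21:14:02 mac-014 sshd[4411]: error: PAM: permission denied for jssmgmt from admin-ws via 10.0.0.25
Mar  3 21:14:40 mac-015 sshd[4420]: Accepted keyboard-interactive/pam for jssmgmt from 10.0.0.25 port 50211 ssh2
Mar  3 21:15:11 mac-016 sshd[4502]: error: PAM: authentication error for jssmgmt from admin-ws via 10.0.0.25
Mar  3 21:16:30 mac-017 sshd[4533]: error: PAM: permission denied for jssmgmt: from admin-ws via 10.0.0.25
Mar  3 21:17:05 mac-017 sshd[4540]: Accepted publickey for localadmin from 10.0.0.25 port 50300 ssh2
"""

# Assumed syslog prefix: month, day, time, host, then "sshd[pid]:".
PREFIX = r"^\S+\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+sshd(?:\[\d+\])?:\s+"
# The optional ":" after the account tolerates the form quoted in the first post.
PAM_ERROR = re.compile(
    PREFIX + r"error: PAM: (?P<reason>.+?) for (?P<user>\S+?):? from "
    r"(?P<src>\S+) via (?P<ip>\S+)")
ACCEPTED = re.compile(PREFIX + r"Accepted \S+ for (?P<user>\S+) from ")


def triage(log_text, account):
    """Per host, count accepted logins and PAM refusals (by reason) for one account."""
    result = defaultdict(lambda: {"accepted": 0, "denied": defaultdict(int)})
    for line in log_text.splitlines():
        m = PAM_ERROR.match(line)
        if m and m["user"] == account:
            result[m["host"]]["denied"][m["reason"]] += 1
            continue
        m = ACCEPTED.match(line)
        if m and m["user"] == account:
            result[m["host"]]["accepted"] += 1
    return result


def failing_hosts(log_text, account):
    """Hosts where the account was refused and never accepted, with reasons seen."""
    return {host: sorted(rec["denied"])
            for host, rec in triage(log_text, account).items()
            if rec["denied"] and not rec["accepted"]}


if __name__ == "__main__":
    for host, reasons in sorted(failing_hosts(SAMPLE_LOG, "jssmgmt").items()):
        print(f"{host}: {', '.join(reasons)}")
```

Successful logins by other accounts on the same host (as on `mac-017` in the sample) do not clear the host, which matches the first post's observation that other accounts connect fine while the management account fails.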