What ciphers are supported by the PAM SSH applet

Article ID: 107594

Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager (PAM)

Issue/Introduction

What SSH ciphers does the PAM SSH access method support?

Environment

Release:
Component: CAPAMX

Resolution

A network trace taken between PAM 3.2 and the SSH target shows the following information in PAM's response to the Key Exchange Init packet sent by the SSH target server:
kex_algorithms string: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
server_host_key_algorithms string: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss,ssh-rsa
encryption_algorithms_client_to_server string: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,blowfish-ctr,blowfish-cbc,aes192-cbc,aes256-cbc,3des-ctr,3des-cbc,arcfour,[email protected]
encryption_algorithms_server_to_client string: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,blowfish-ctr,blowfish-cbc,aes192-cbc,aes256-cbc,3des-ctr,3des-cbc,arcfour,[email protected]
mac_algorithms_client_to_server string: hmac-sha2-256,hmac-sha2-512,[email protected],[email protected],[email protected],hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
mac_algorithms_server_to_client string: hmac-sha2-256,hmac-sha2-512,[email protected],[email protected],[email protected],hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96

These are the ciphers supported by PAM 3.2.  Older versions of PAM, specifically those older than 3.x, will show different information.  Attention must be paid to this information, as removing a cipher from the target server may make it impossible for PAM to connect to that server.  In addition, some ciphers that work with TLS 1.0 and TLS 1.1 will not work with TLS 1.2.  You can configure PAM to disable the use of TLS 1.0 and TLS 1.1, which will be necessary if the server does not have TLS 1.0 and TLS 1.1 enabled.
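
The check below is an added example, not code from PAM or from this article: before tightening a target's sshd_config, it reports which algorithm PAM 3.2 would negotiate for each keyword the target sets, or that nothing overlaps. It assumes explicit comma-separated lists in sshd_config and applies the SSH rule that the first name on the client's list that the server also accepts is chosen, ignoring the extra compatibility conditions that apply to key exchange and host key selection. The function names and the sample configuration are constructed for illustration.

```python
# PAM 3.2 client offer, copied from the KEXINIT trace in this article.
# Entries the page shows only as "[email protected]" are unreadable and omitted,
# so a target algorithm whose name contains "@" may still match one of them.
PAM_OFFER = {
    "KexAlgorithms": "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
                     "diffie-hellman-group-exchange-sha256,"
                     "diffie-hellman-group-exchange-sha1,"
                     "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1",
    "HostKeyAlgorithms": "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,"
                         "ecdsa-sha2-nistp521,ssh-dss,ssh-rsa",
    "Ciphers": "aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,"
               "aes128-cbc,blowfish-ctr,blowfish-cbc,aes192-cbc,aes256-cbc,"
               "3des-ctr,3des-cbc,arcfour",
    "MACs": "hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,"
            "hmac-sha1-96,hmac-md5-96",
}

def parse_sshd_config(text):
    """Return {keyword: [names]} for explicit lists of the keywords above."""
    wanted = {k.lower(): k for k in PAM_OFFER}
    found = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) != 2 or parts[0].lower() not in wanted:
            continue
        if parts[1][0] in "+-^":
            raise ValueError("list modifiers (+, -, ^) are not handled: " + line)
        names = [n.strip() for n in parts[1].split(",") if n.strip()]
        found.setdefault(wanted[parts[0].lower()], names)  # first value wins
    return found

def check_target(sshd_config_text):
    """Per keyword set on the target: PAM's pick, or None when nothing overlaps."""
    result = {}
    for key, allowed in parse_sshd_config(sshd_config_text).items():
        offer = PAM_OFFER[key].split(",")
        # First name on the client's (PAM's) list that the server also accepts.
        result[key] = next((n for n in offer if n in allowed), None)
    return result

# Constructed sshd_config fragment for a hardened target (not from the article).
SAMPLE = """\
Ciphers aes256-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256
KexAlgorithms curve25519-sha256
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512
"""

if __name__ == "__main__":
    for keyword, pick in check_target(SAMPLE).items():
        print(f"{keyword:18} {pick or 'NO OVERLAP: PAM cannot connect'}")
```

A keyword that the target leaves unset is not reported, because the server then uses its built-in default list, which this check does not know.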