Couldn't agree on kex algorithm
search cancel

Couldn't agree on kex algorithm


Article ID: 138429


Updated On:


CA Privileged Access Manager (PAM) CA Privileged Access Manager - Cloakware Password Authority (PA) CA Privileged Access Manager - Server Control (PAMSC)



Recently we upgraded to PAM 3.3.x and 3.4.x, when connecting to a Unix/Linux Targets Devices in PAM we are getting the following error:


This used to work in our previous release


Release : 3.3.x, 4.x



In PAM 3.3.x we document the following prerequisites:


Review Strong Cryptography on Cisco and UNIX Target Connectors and the SSH Access Method


Release 3.3 supports the latest recommended strong cryptography for secure SSH communications in the SSH Access Method, and in Cisco and UNIX target connectors. These target servers must support at least one of the security algorithms from each of the three categories that are listed here: Upgrade Prerequisites for 3.3.



If you are using Cisco or UNIX target connectors, or the SSH Access Method, upgrade the ciphers, kex, and hmacs information on the UNIX server and Cisco Router 

before you upgrade to 3.3.  For more information on upgrading ciphers, see your Unix server and Cisco Router documentation.




The error that you are receiving because the Device Target System doesn't have or support a cipher that we support.

In PAM 3.3.x and higher we updated our SSH Applet and removed SHA-1 support for SSH Access. 

However not all functionality for SHA-1 was removed.  

If you running PAM 3.3.x in Non-Fips mode, you can still use SHA-1 in conjunction with our Unix/Cisco Connectors.

These connectors are used for Password Management.



Additional Information

To put a little more perspective around this:

  • Running with platforms that still support SHA-1 ciphers is considered a potential vulnerability:
  • Therefore having Redhat 5.x and some older Cisco Devices in your environment is a security risk.  The /etc/ssh/ssh_config cannot be updated/enhanced to support SHA-2 ciphers.

In PAM (Non-Fips) , we still have the following workarounds:

  1. You can still manage the passwords (rotate them) with SHA-1, however we cannot access them via our SSH applet in PAM.
  2. Create a TCP/UDP Service for PuTTy that has the Application Protocol as "Disabled" -> this bypasses PAM and goes directly to the target system. (Note: when using this option you cannot due session recordings).

WARNING: In case if you choose "Application Protocol: Disabled", there would be "View Credential" button that would appear where users can view the username and password in clear-text.

Finally; to determine what ciphers you have implemented on your Unix/Linux System -> please use the following nmap commands:

nmap -p 22 --script ssh2-enum-algos <ip address>

This command will advise all security algorithms that the target system supports.  These target servers must support at least one of the security algorithms from each of the three categories listed here:

As of 3.3.4, PAM has added the ability to customize the SSH cipher suite used to connect. For more information, please refer to the documentation.

This feature was also added to PAM 3.4.2: