How to Apply the PAM SSH Debug Patch and Enable Debugging Services


Article ID: 198587


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

When troubleshooting an issue, Broadcom Support may need to access the PAM appliance through SSH. As of PAM 4.x, a new SSH debug patch is created monthly. Although a new patch is created each month, each SSH debug patch remains valid for 90 days before expiring.

This KB article explains how to upload the patch and enable debugging services in preparation for an SSH access request from Broadcom Support. Follow these steps when Broadcom Support asks for SSH access to PAM nodes.

Resolution

Broadcom provides the newest SSH debug patch through a support case; it is not published to any page on the Broadcom Support site. Once the file has been downloaded from the support case, perform the following steps to apply it and enable SSH debug services.

After logging into the PAM GUI, go to Configuration > Diagnostics > System and ensure that "Remote CA PAM Debugging Services" is turned off. If the SSH debug file is uploaded while the services are on, they must be turned off then back on in order to access the appliance through SSH.

After ensuring the debugging services are off, go to the Upgrade page and click CHOOSE FILE. Browse to the PAM_SUPPORT_SSH_DEBUG.bin file provided by Support, then click UPLOAD AND APPLY. Once it completes, it will be listed in the Upgrade History.

After applying PAM_SUPPORT_SSH_DEBUG.bin, go back to Diagnostics > System and enable the Debugging Services. Select how long the services should remain on, up to 30 days, and click SUBMIT to save the change.

Now, open PuTTY and enter the IP or hostname of the appliance. Go to Connection > SSH > Auth and browse to the private key file (.PPK file) that accompanied PAM_SUPPORT_SSH_DEBUG.bin. Go back to Session, enter the hostname or IP again under Saved Sessions, then click Save to save the configuration.

Additional Information

As of January 2025, there are two versions of the SSH debug patch for PAM, due to the encryption/decryption method change starting with the 4.2.1 release:

Applicable for the 4.2.0 release and older: PAM_SUPPORT_SSH_DEBUG_420-.p.bin
Applicable for the 4.2.1 release and newer: PAM_SUPPORT_SSH_DEBUG.p.bin

If the wrong version of the SSH debug patch is applied to a PAM appliance, a PAM-CMN-1344 error is raised with the detailed message “Error verifying the authenticity of the upgrade package!”

Please note that the Upgrade History will list PAM_SUPPORT_SSH_DEBUG regardless of which patch is applied.