As PAM is upgraded, weaker ciphers, hashes (MACs) and key exchange (KEX) algorithms are removed from the default configuration to make PAM more secure, which can cause SSH connection errors with older devices. This KB explains how to list the cryptographic algorithms supported by a target device so that PAM can be configured to connect to it.
The cause is a mismatch of one or more cryptographic parameters (key exchange algorithm, cipher or MAC) between the PAM appliance and the target device.
There are a few options to list the cryptography settings for a target device.
1. At connection time, an error such as "No match in kex params" appears. The message lists the parameters configured in PAM alongside those found on the peer server. The original article shows a screenshot of this error for the key exchange (kex) case; PAM shows the same kind of error for key exchange (kex), hash (mac) or cipher parameters whenever the version supported by the SSH server is not configured in PAM. Configure the PAM cryptographic parameters to match those reported for the peer.
2. If allowed in the environment, install the "nmap" utility on a server and run the command shown below, providing one or more space-separated hostnames or IP addresses:
# nmap -sV -p 22 --script=ssh2-enum-algos HOSTNAME

Starting Nmap 6.40 ( http://nmap.org ) at 2020-12-01 18:05 EST
Nmap scan report for HOSTNAME (xx.xx.xx.xx)
Host is up (0.00068s latency).
PORT   STATE SERVICE
22/tcp open  ssh
| ssh2-enum-algos:
|   kex_algorithms (5)
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group14-sha1
|       diffie-hellman-group-exchange-sha256
|   server_host_key_algorithms (5)
|       ssh-rsa
|       rsa-sha2-512
|       rsa-sha2-256
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms (3)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|   mac_algorithms (10)
|       [email protected]
|       [email protected]
|       [email protected]
|       [email protected]
|       [email protected]
|       [email protected]
|       [email protected]
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms (2)
|       none
|_      [email protected]

Nmap done: 1 IP address (1 host up) scanned in 0.62 seconds
3. If nmap cannot be installed on the server, the following command can be run on the target device itself (normally as root, because "sshd -T" reads the host keys and prints the effective configuration). The grep is a substring match, so related keywords such as gssapikexalgorithms, hostkeyagent and hostkeyalgorithms are printed as well:
# sshd -T | grep "\(ciphers\|macs\|kexalgorithms\|hostkey\)"
gssapikexalgorithms gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha1-
ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
macs [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
hostkeyagent none
kexalgorithms curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
hostkeyalgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
hostkey /etc/ssh/ssh_host_rsa_key
hostkey /etc/ssh/ssh_host_ecdsa_key
hostkey /etc/ssh/ssh_host_ed25519_key
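Both listings above come from the server's SSH_MSG_KEXINIT, which is sent in the clear before any key exchange, and the "No match in kex params" error of option 1 is what happens when a client's configured list and the server's list have no algorithm in common. The script below is an added example, not PAM's or nmap's code: it parses a KEXINIT into the same categories nmap prints, can fetch one from a live server on request, and runs the RFC 4253 negotiation (the client's first algorithm the server also offers) against two client profiles to show which category would fail. The server list is a constructed sample modelled on the nmap output above (some names there were mangled to "[email protected]" when this page was captured, so the MAC and compression names here are assumed OpenSSH-style ones), and both client profiles are constructed too.

```python
"""Added example (not PAM's or nmap's code): read a peer's SSH algorithm lists
from its KEXINIT message and compare them with a client's configured lists,
the comparison that ends in "No match in kex params" when it fails.
The server and client lists below are constructed samples."""
import socket
import struct
import sys

SSH_MSG_KEXINIT = 20
# Order of the name-lists inside SSH_MSG_KEXINIT (RFC 4253, section 7.1).
NAME_LISTS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_c2s", "encryption_algorithms_s2c",
    "mac_algorithms_c2s", "mac_algorithms_s2c",
    "compression_algorithms_c2s", "compression_algorithms_s2c",
    "languages_c2s", "languages_s2c",
)
# Categories the two sides must agree on to get past key exchange.
NEGOTIATED = ("kex_algorithms", "server_host_key_algorithms",
              "encryption_algorithms_c2s", "mac_algorithms_c2s")


def parse_kexinit(payload: bytes) -> dict:
    """Decode a KEXINIT payload into {category: [algorithm names]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("payload is not SSH_MSG_KEXINIT")
    pos = 1 + 16  # message id followed by the 16-byte random cookie
    lists = {}
    for category in NAME_LISTS:
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + length].decode("ascii")
        pos += length
        lists[category] = raw.split(",") if raw else []
    return lists


def build_kexinit(lists: dict) -> bytes:
    """Encode {category: [names]} as a KEXINIT payload; used for the offline sample."""
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # all-zero cookie is fine for a sample
    for category in NAME_LISTS:
        raw = ",".join(lists.get(category, [])).encode("ascii")
        payload += struct.pack(">I", len(raw)) + raw
    return payload + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


def fetch_server_kexinit(host: str, port: int = 22, timeout: float = 5.0) -> dict:
    """Connect to a server, exchange identification strings and return its lists.
    Network-only; the offline sample never calls this."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-algo_list_example\r\n")
        data = b""
        while True:  # skip optional banner lines until the SSH- identification line
            end = data.find(b"\n")
            if end != -1:
                line, data = data[:end + 1], data[end + 1:]
                if line.startswith(b"SSH-"):
                    break
                continue
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("peer closed before sending its identification")
            data += chunk
        # Binary packet: uint32 packet_length, byte padding_length, payload, padding.
        while len(data) < 5 or len(data) < 4 + struct.unpack(">I", data[:4])[0]:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("peer closed before sending KEXINIT")
            data += chunk
        packet_length, padding_length = struct.unpack(">IB", data[:5])
        return parse_kexinit(data[5:4 + packet_length - padding_length])


def negotiate(client: dict, server: dict) -> dict:
    """Per category, the client's first algorithm the server also offers
    (RFC 4253, section 7.1); None marks a category that fails with 'No match'."""
    return {cat: next((a for a in client[cat] if a in server[cat]), None)
            for cat in NEGOTIATED}


def unmatched(client: dict, server: dict) -> list:
    """Categories for which negotiate() found nothing in common."""
    return [cat for cat, choice in negotiate(client, server).items() if choice is None]


# Constructed sample modelled on the nmap listing of the legacy peer above.
_LEGACY_MACS = ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"]
LEGACY_SERVER = {
    "kex_algorithms": ["ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
                       "diffie-hellman-group14-sha1", "diffie-hellman-group-exchange-sha256"],
    "server_host_key_algorithms": ["ssh-rsa", "rsa-sha2-512", "rsa-sha2-256",
                                   "ecdsa-sha2-nistp256", "ssh-ed25519"],
    "encryption_algorithms_c2s": ["aes128-ctr", "aes192-ctr", "aes256-ctr"],
    "encryption_algorithms_s2c": ["aes128-ctr", "aes192-ctr", "aes256-ctr"],
    "mac_algorithms_c2s": _LEGACY_MACS, "mac_algorithms_s2c": _LEGACY_MACS,
    "compression_algorithms_c2s": ["none", "zlib@openssh.com"],
    "compression_algorithms_s2c": ["none", "zlib@openssh.com"],
}
# Constructed client profiles: a hardened one offering only curve25519 key
# exchange, and the same profile with one NIST curve re-enabled for this peer.
STRICT_CLIENT = {
    "kex_algorithms": ["curve25519-sha256", "curve25519-sha256@libssh.org"],
    "server_host_key_algorithms": ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256"],
    "encryption_algorithms_c2s": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-ctr"],
    "mac_algorithms_c2s": ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com"],
}
RELAXED_CLIENT = dict(STRICT_CLIENT,
                      kex_algorithms=STRICT_CLIENT["kex_algorithms"] + ["ecdh-sha2-nistp256"])

if __name__ == "__main__":
    # Usage: python ssh_algos.py [HOST [PORT]]; without arguments the constructed sample is used.
    server = (fetch_server_kexinit(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 22)
              if len(sys.argv) > 1 else parse_kexinit(build_kexinit(LEGACY_SERVER)))
    for category in NAME_LISTS:
        print(f"{category} ({len(server[category])}): {', '.join(server[category])}")
    print("unmatched with strict client:", unmatched(STRICT_CLIENT, server) or "none")
```

Against the constructed legacy peer the strict profile agrees on host key, cipher and MAC but has no key exchange algorithm in common, which is exactly the "No match in kex params" case from option 1; re-enabling ecdh-sha2-nistp256 in the client profile is the narrowest change that makes the negotiation succeed, and that is the kind of per-parameter adjustment PAM needs after the peer's list has been read.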
Once the target device's algorithms have been listed, refer to KB406785 - How to Confirm the SSH Algorithms Supported By PAM to determine which parameter is incompatible.