SSH fails if required cryptography not configured.

Article ID: 204196

Products

CA Privileged Access Manager (PAM)
CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

Legacy weak cipher, hash and key exchange (kex) algorithms are no longer allowed by default in higher versions of PAM. The list of cryptographic algorithms configured in PAM needs to match those supported by the SSH servers it connects to.

Environment

Release : 3.4 and higher

Component : PRIVILEGED ACCESS MANAGEMENT

Cause

One of the cryptographic parameters required for PAM to connect to the SSH server is missing. The cryptographic parameters that need to be configured in PAM's Configuration>Security>Cryptography are:

a. Key Exchange (kex)

b. Hash (mac)

c. Ciphers

Resolution

This issue can be resolved in two ways:

1. Update the PAM UI's Configuration>Security>Cryptography screens after a connection error such as the one shown in the screenshot below. The error lists both the parameters configured in PAM and those found on the peer server. The screenshot shows the "No match in kex params" error for the case where the Key Exchange (kex) parameters are missing; PAM shows an equivalent error for Key Exchange (kex), Hash (mac) or Ciphers whenever an algorithm version supported by the SSH server is not configured in PAM. Configure PAM's cryptographic parameters to include those reported for the peer.

2. Use the "nmap" utility after installing it on one of your servers, for example with "yum install nmap" on one of your RHEL servers. Then run the nmap command shown below, providing space-separated hostnames or IP addresses:

[[email protected] ~]# nmap -sS -p 22 --script=ssh2-enum-algos HOSTNAME1 HOSTNAME2

Starting Nmap 6.40 ( http://nmap.org ) at 2020-12-01 18:05 EST
Nmap scan report for HOSTNAME1 (xx.xx.xx.xx)
Host is up (0.00068s latency).
PORT   STATE SERVICE
22/tcp open  ssh
| ssh2-enum-algos:
|   kex_algorithms (5)
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group14-sha1
|       diffie-hellman-group-exchange-sha256
|   server_host_key_algorithms (5)
|       ssh-rsa
|       rsa-sha2-512
|       rsa-sha2-256
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms (3)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|   mac_algorithms (10)
|       [email protected]
|       [email protected]
|       [email protected]
|       [email protected]
|       [email protected]
|       [email protected]
|       [email protected]
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms (2)
|       none
|_      zlib@openssh.com

Nmap scan report for HOSTNAME2 (xx.xx.xx.xx)
Host is up (0.000053s latency).
PORT   STATE SERVICE
22/tcp open  ssh
| ssh2-enum-algos:
|   kex_algorithms (5)
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group14-sha1
|       diffie-hellman-group-exchange-sha256
|   server_host_key_algorithms (5)
|       ssh-rsa
|       rsa-sha2-512
|       rsa-sha2-256
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms (3)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|   mac_algorithms (10)
|       [email protected]
|       [email protected]
|       [email protected]
|       [email protected]
|       [email protected]
|       [email protected]
|       [email protected]
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms (2)
|       none
|_      zlib@openssh.com

Nmap done: 2 IP addresses (2 hosts up) scanned in 0.62 seconds
[[email protected] ~]#
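The comparison the resolution asks the administrator to do by hand (match PAM's configured kex, cipher and MAC lists against what ssh2-enum-algos reports for the peer) can be automated. The following is an added example, not part of the original article or a PAM tool; the nmap output and the PAM-side lists it uses are constructed for the example, and the selection rule is SSH's own (first client-preferred algorithm that the server also offers, RFC 4253 section 7.1).

```python
import re
# Constructed sample of `nmap --script=ssh2-enum-algos` output (not a real capture).
SAMPLE_NMAP = """\
Nmap scan report for HOSTNAME1 (192.0.2.10)
| ssh2-enum-algos:
|   kex_algorithms (2)
|       ecdh-sha2-nistp256
|       diffie-hellman-group14-sha1
|   encryption_algorithms (1)
|       aes256-ctr
|   mac_algorithms (2)
|       hmac-sha2-256
|_      hmac-sha1
"""

PAM_CONFIG = {  # hypothetical PAM-side lists, in preference order (made up for the example)
    "kex_algorithms": ["curve25519-sha256", "diffie-hellman-group14-sha1"],
    "encryption_algorithms": ["aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com"],
    "mac_algorithms": ["hmac-sha2-512", "hmac-sha2-256"],
}

def parse_enum_algos(text):
    """Return {host: {category: [algorithm, ...]}} from ssh2-enum-algos output."""
    hosts, host, category = {}, None, None
    for line in text.splitlines():
        if m := re.match(r"Nmap scan report for (\S+)", line):
            host, category = m.group(1), None
            hosts[host] = {}
        elif m := re.match(r"\|_?\s+(\w+_algorithms) \(\d+\)", line):
            category = m.group(1)
            hosts[host][category] = []
        elif category and (m := re.match(r"\|_?\s+(\S+)$", line)):
            hosts[host][category].append(m.group(1))  # one algorithm name per line
    return hosts

def negotiate(client_lists, server_lists):
    """First client-preferred algorithm the server also offers (RFC 4253 7.1), else None."""
    return {cat: next((a for a in algos if a in server_lists.get(cat, [])), None)
            for cat, algos in client_lists.items()}

def report(client_lists, text):
    """One line per host and category; a 'No match' line names what the peer offers."""
    lines = []
    for host, server_lists in parse_enum_algos(text).items():
        for cat, chosen in negotiate(client_lists, server_lists).items():
            short = cat.split("_")[0]  # kex / encryption / mac, as in PAM's error text
            lines.append(f"{host}: {short} -> {chosen}" if chosen else
                         f"{host}: No match in {short} params; peer offers {', '.join(server_lists.get(cat, []))}")
    return lines
```

Feed it the saved output of the nmap command above and the lists currently entered in PAM; each "No match" line is a category where PAM's list must be extended with one of the algorithms the peer offers.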

Additional Information

Use the following PAM UI screen (Configuration>>Security>>Cryptography) to configure the cryptographic parameters required for the connection to the SSH server, using the nmap output as the reference for what the server supports.

Note that there are two tabs. The SSH Proxy configuration affects TCP/UDP services that use the SSH protocol and launch a local SSH client such as PuTTY, which is then connected to the target server through an SSH Proxy running on the PAM server. Such services are launched from the "Services" column on the PAM client access page.

The SSH Mindterm configuration is for the built-in PAM SSH client, which is launched by clicking the icon labeled SSH in the Access Methods column of the access page. If your users are configured with the built-in access method, you have to modify the SSH Mindterm settings instead of (or possibly in addition to) the SSH Proxy settings shown below. Clicking the eye icons shows the available items for each list.
