SSH fails if required cryptography not configured.

Article ID: 204196

Products

CA Privileged Access Manager (PAM)
CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

As PAM is upgraded, weaker ciphers, hashes (MACs) and key exchange (KEX) algorithms are removed from the default cryptography configuration to harden PAM. Older devices whose SSH servers still offer only those algorithms then fail to connect. This KB explains how to list the cryptographic algorithms an SSH device supports so that PAM can be configured to negotiate with it.

Environment

Privileged Access Manager, all versions

Cause

During the SSH handshake PAM and the target server must agree on one algorithm from each category; the connection fails as soon as one category has no algorithm in common. At least one of the cryptographic parameters the target requires is missing from PAM's configuration. The categories configured in PAM under Configuration>Security>Cryptography are:

a. Key Exchange (kex)

b. Hash (mac)

c. Ciphers

d. Compression

e. Server Host Key

Resolution

There are a few ways to list the cryptographic algorithms a target device supports.

1. Use the error PAM reports. When a connection fails for this reason, PAM shows both its own configured parameters and the ones found at the peer server. The error "No match in kex params" is the Key Exchange (kex) case: none of the KEX algorithms configured in PAM is offered by the server. PAM shows the equivalent error for Key Exchange (kex), Hash (mac) or Ciphers whenever the algorithms supported by the SSH server are not configured in PAM. Add the algorithms called out for the peer to the PAM cryptography settings in Configuration>Security>Cryptography.

2. Use the "nmap" utility from any host that can reach the target on port 22, for example after installing it with "yum install nmap" on a RHEL server. nmap queries the server's own algorithm advertisement, so no access to the target is needed. Run the command shown below, giving one or more space-separated hostnames or IP addresses:

# nmap -sV -p 22 --script=ssh2-enum-algos HOSTNAME

Starting Nmap 6.40 ( http://nmap.org ) at 2020-12-01 18:05 EST
Nmap scan report for HOSTNAME (xx.xx.xx.xx)
Host is up (0.00068s latency).
PORT   STATE SERVICE
22/tcp open  ssh
| ssh2-enum-algos:
|   kex_algorithms (5)
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group14-sha1
|       diffie-hellman-group-exchange-sha256
|   server_host_key_algorithms (5)
|       ssh-rsa
|       rsa-sha2-512
|       rsa-sha2-256
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms (3)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|   mac_algorithms (10)
|       [email protected]
|       [email protected]
|       [email protected]
|       [email protected]
|       [email protected]
|       [email protected]
|       [email protected]
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms (2)
|       none
|_      [email protected]

Nmap done: 1 IP address (1 host up) scanned in 0.62 seconds

3. If nmap cannot be installed, run the following command as root on the target SSH server itself (it needs to read the host key files). "sshd -T" prints the effective sshd configuration after parsing sshd_config, including the algorithm lists. The grep pattern also matches related keys such as gssapikexalgorithms and hostkeyagent, which can be ignored. Note that the output reflects the configuration on disk, which can differ from what the running daemon offers if sshd_config was changed without restarting sshd.

# sshd -T | grep "\(ciphers\|macs\|kexalgorithms\|hostkey\)"
gssapikexalgorithms gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha1-
ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
macs [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
hostkeyagent none
kexalgorithms curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
hostkeyalgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
hostkey /etc/ssh/ssh_host_rsa_key
hostkey /etc/ssh/ssh_host_ecdsa_key
hostkey /etc/ssh/ssh_host_ed25519_key
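The following script is an added example and is not part of this article or of PAM. It shows what the connection error in option 1 amounts to: it takes the per-category algorithm lists from the nmap "ssh2-enum-algos" output (option 2) or from "sshd -T" output (option 3), compares them against the lists an administrator would read from PAM's Configuration>Security>Cryptography screen, and reports every category with no algorithm in common. The target, its algorithm lists and the PAM-side lists are all constructed samples; the PAM lists are assumed values, not PAM defaults.

```shell
#!/bin/sh
# Added example (not part of the original KB or of PAM): compare the algorithms a
# target SSH server offers against the lists configured on the PAM side, one
# category at a time, and flag any category with an empty intersection. An empty
# intersection is exactly the condition behind PAM's "No match in kex params"
# style errors. All hosts, lists and outputs below are constructed samples.

# Constructed "nmap --script=ssh2-enum-algos" output for a hypothetical legacy
# target that only offers SHA-1 based key exchange.
NMAP_OUTPUT='| ssh2-enum-algos:
|   kex_algorithms (2)
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms (2)
|       ssh-rsa
|       ssh-ed25519
|   encryption_algorithms (3)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|   mac_algorithms (2)
|       hmac-sha2-256
|       hmac-sha1
|   compression_algorithms (1)
|_      none'

# Constructed "sshd -T" output for the same hypothetical target (method 3).
SSHD_T_OUTPUT='ciphers aes128-ctr,aes192-ctr,aes256-ctr
macs hmac-sha2-256,hmac-sha1
kexalgorithms diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
hostkeyalgorithms ssh-rsa,ssh-ed25519'

# Assumed PAM-side lists, as an administrator would read them from
# Configuration>Security>Cryptography after an upgrade removed SHA-1 KEX methods.
PAM_KEX='curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384'
PAM_HOSTKEY='ssh-ed25519,rsa-sha2-256,ssh-rsa'
PAM_CIPHERS='aes256-ctr,aes128-ctr'
PAM_MACS='hmac-sha2-512,hmac-sha2-256'

# peer_algos SECTION: algorithms the peer offers in one ssh2-enum-algos section
# (for example kex_algorithms), one per line.
peer_algos() {
  printf '%s\n' "$NMAP_OUTPUT" | awk -v sec="$1" '
    $1 == "|" && $2 ~ /^[a-z_]+$/ && $3 ~ /^\([0-9]+\)$/ { cur = $2; next }
    cur == sec && ($1 == "|" || $1 == "|_") && NF == 2 { print $2 }'
}

# sshd_algos KEY: the same list taken from "sshd -T" output (for example kexalgorithms).
sshd_algos() {
  printf '%s\n' "$SSHD_T_OUTPUT" | awk -v key="$1" '$1 == key { print $2 }' | tr ',' '\n'
}

# common PAM_LIST: read the peer's algorithms on stdin and print those that are
# also in the comma-separated PAM list; exit 1 when the intersection is empty.
common() {
  awk -v pam="$1" '
    BEGIN { n = split(pam, a, ","); for (i = 1; i <= n; i++) have[a[i]] = 1 }
    ($1 in have) { print $1; found = 1 }
    END { exit (found ? 0 : 1) }'
}

# check_all KEX HOSTKEY CIPHERS MACS: one report line per category; exit 1 if
# any category has no algorithm in common with the peer (connection would fail).
check_all() {
  rc=0
  for pair in "kex_algorithms=$1" "server_host_key_algorithms=$2" \
              "encryption_algorithms=$3" "mac_algorithms=$4"; do
    sec=${pair%%=*}
    list=${pair#*=}
    if m=$(peer_algos "$sec" | common "$list"); then
      printf '%-26s OK        %s\n' "$sec" "$(printf '%s' "$m" | tr '\n' ' ')"
    else
      printf '%-26s NO MATCH  PAM: %s | peer: %s\n' "$sec" "$list" \
        "$(peer_algos "$sec" | tr '\n' ' ')"
      rc=1
    fi
  done
  return $rc
}

# Before the fix: kex_algorithms reports NO MATCH, the other categories are fine.
check_all "$PAM_KEX" "$PAM_HOSTKEY" "$PAM_CIPHERS" "$PAM_MACS" \
  || echo "-> PAM cannot negotiate with this peer"
echo
# After adding the peer's diffie-hellman-group14-sha1 to the PAM KEX list, every
# category has a common algorithm.
check_all "$PAM_KEX,diffie-hellman-group14-sha1" "$PAM_HOSTKEY" "$PAM_CIPHERS" "$PAM_MACS" \
  && echo "-> all categories match"
```

To use it against a real target, replace NMAP_OUTPUT with the output of the nmap command from option 2 (or SSHD_T_OUTPUT with the output of option 3 and call sshd_algos instead of peer_algos) and the PAM_* lists with what the Cryptography screen shows. When a category reports NO MATCH, add only the strongest algorithm the peer offers in that category, not its whole list: re-enabling SHA-1 key exchange or CBC ciphers lowers the security of every session that negotiates them, so such additions should be limited to the legacy devices that need them and revisited when those devices are upgraded.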

Additional Information

Use the PAM UI screen Configuration>>Security>>Cryptography to add the cryptographic parameters required for the connection to the SSH server, taking the algorithm names from the nmap or "sshd -T" output. Add only the strongest algorithm the target offers in the failing category rather than its whole list, so that weak algorithms are enabled only where nothing better is available.

Note that there are two tabs. The SSH Proxy configuration affects TCP/UDP services using the SSH protocol that launch a local SSH client such as PuTTY, which is then connected to the target server through an SSH proxy running on the PAM server. These services are launched from the "Services" column on the PAM client access page. The SSH Mindterm configuration is for the built-in PAM SSH client, launched by clicking the icon labeled SSH in the Access Methods column of the access page. If your users are configured with the built-in access method, modify the SSH Mindterm settings instead of (or in addition to) the SSH Proxy settings. Clicking the eye icons shows the available items for each list.