SSH fails if required cryptography not configured.
Article ID: 204196
Updated On:
Products
Issue/Introduction
Legacy weak ciphers / Hash / KEK algorithms are not allowed as a Default at higher versions of PAM. List of cryptographic algorithms need to be configured to match those supported by the SSH servers to connect to.
Environment
Release : 3.4 and higher
Component : PRIVILEGED ACCESS MANAGEMENT
Cause
One of the Cryptographic parameters required for PAM to connect to SSH server is found missing. The cryptographic parameters that need to configured in PAM's Configuration>Security>Cryptography are for
a. Key Exchange (kek)
b. Hash (mac)
c. Ciphers
Resolution
This issue can be resolved two ways-
1. PAM UI's Configuration>Security>Cryptography screens have to be updated following a connect error like such. PAM provides PAM's (our's) configured parameters and what are found at the peer server. This error "No match in kex params" is screenshot shown below for the Key Exchange (kex) parameters missing situation. Such a screen can be shown by PAM for Key Exchange (kek), Hash (mac) or for Ciphers if supported version on the SSH server is not configured in PAM. Configure PAM Cryptographic parameters as called out for the peer.
2. Use the "nmap" utility after installing it on one of your servers for example use "yum install nmap" on one of your RHEL servers. Then execute the nmap command like shown below (providing space separated Hostnames or IP addresses)
[[email protected] ~]# nmap -sS -p 22 --script=ssh2-enum-algos HOSTNAME1 HOSTNAME2
Starting Nmap 6.40 ( http://nmap.org ) at 2020-12-01 18:05 EST
Nmap scan report for HOSTNAME1 (xx.xx.xx.xx)
Host is up (0.00068s latency).
PORT STATE SERVICE
22/tcp open ssh
| ssh2-enum-algos:
| kex_algorithms (5)
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| ecdh-sha2-nistp521
| diffie-hellman-group14-sha1
| diffie-hellman-group-exchange-sha256
| server_host_key_algorithms (5)
| ssh-rsa
| rsa-sha2-512
| rsa-sha2-256
| ecdsa-sha2-nistp256
| ssh-ed25519
| encryption_algorithms (3)
| aes128-ctr
| aes192-ctr
| aes256-ctr
| mac_algorithms (10)
| [email protected]
| [email protected]
| [email protected]
| [email protected]
| [email protected]
| [email protected]
| [email protected]
| hmac-sha2-256
| hmac-sha2-512
| hmac-sha1
| compression_algorithms (2)
| none
|_ [email protected]
Nmap scan report for HOSTNAME2 (xx.xx.xx.xx)
Host is up (0.000053s latency).
PORT STATE SERVICE
22/tcp open ssh
| ssh2-enum-algos:
| kex_algorithms (5)
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| ecdh-sha2-nistp521
| diffie-hellman-group14-sha1
| diffie-hellman-group-exchange-sha256
| server_host_key_algorithms (5)
| ssh-rsa
| rsa-sha2-512
| rsa-sha2-256
| ecdsa-sha2-nistp256
| ssh-ed25519
| encryption_algorithms (3)
| aes128-ctr
| aes192-ctr
| aes256-ctr
| mac_algorithms (10)
| [email protected]
| [email protected]
| [email protected]
| [email protected]
| [email protected]
| [email protected]
| [email protected]
| hmac-sha2-256
| hmac-sha2-512
| hmac-sha1
| compression_algorithms (2)
| none
|_ [email protected]
Nmap done: 2 IP addresses (2 hosts up) scanned in 0.62 seconds
[[email protected] ~]#
Additional Information
Use the following PAM UI screen (Configuration>>Security>>Cryptography) to configure the cryptographic parameters (using the nmap output) required for connection to the SSH server.
Note that there are two tabs. The SSH Proxy configuration affects TCP/UDP services using the SSH protocol and launching a local SSH client such as PuTTY, which is then connected to the target server through an SSH Proxy running on the PAM server. Services are launched from the "Services" column on the PAM client access page. The SSH Mindterm configuration is for the built-in PAM SSH client. This is launched by clicking on an icon labeled SSH in the Access Methods column of the access page. If your users are configured with the built-in access method, you have to modify the SSH Mindterm settings instead of (or maybe in addition to) the SSH Proxy settings shown below. Clicking on the eye icons will show available items for each list.
Attachments
Feedback
