Shared Account Manager Cannot Connect to SSH Endpoints After Modifying sshd_config

Article ID: 224910

Products

CA Privileged Identity Management Endpoint (PIM)

Issue/Introduction

After updating sshd_config on Linux servers to accept only SHA-2 key exchange (kex) algorithms, Shared Account Manager (SAM) can no longer connect to them to rotate passwords. An error similar to the one below may occur.

Fatal: Check in Privileged Account. Failed to change the account password Native error: Failed to connect to host, Cannot open a new session

Cause

SAM uses a third-party jar file to make connections to SSH devices. This file supports only SHA-1 kex algorithms.

Environment

Privileged Identity Manager 12.8, 12.9, 14.0

Resolution

Because the cause lies in a third-party jar file, the code cannot be modified to use SHA-2 algorithms. This would normally be addressed in a future release, but SAM is set to reach end of life and will have no further releases. The solution is to migrate to Privileged Access Manager 4.0, which supports SHA-2 and integrates with PIM or PAMSC endpoints.

To keep SAM working until the migration to PAM, add diffie-hellman-group14-sha1 to the KexAlgorithms list in sshd_config. This lets SAM connect while keeping the SHA-1 kex methods the server accepts to that single one.
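The check below is an added example, not part of this article or of the SAM product: it parses an sshd_config text, extracts the effective KexAlgorithms list, and reports which SHA-1 kex methods the server still admits and whether the one SAM needs is among them. The two sample configurations are constructed; the SHA-2 method names in them are standard OpenSSH names chosen for illustration and are not prescribed by the article.

```python
"""Inspect an sshd_config KexAlgorithms line for SHA-1 exposure (added example)."""
import re

# Constructed samples (not from the article): a SHA-2-only list that breaks SAM,
# and the same list with diffie-hellman-group14-sha1 appended as the article advises.
SHA2_ONLY = """\
# sshd_config excerpt (constructed sample)
KexAlgorithms diffie-hellman-group14-sha256,diffie-hellman-group16-sha512
"""
SHA2_PLUS_GROUP14_SHA1 = """\
KexAlgorithms diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group14-sha1
"""

SAM_REQUIRED_KEX = 'diffie-hellman-group14-sha1'


def effective_kex(config_text):
    """Return the algorithm list from the first KexAlgorithms directive.

    sshd honours the first occurrence of a keyword; keywords are case-insensitive
    and may be written as 'Key Value' or 'Key=Value'. Returns None when the
    directive is absent or uses a '+', '-' or '^' prefix, because the result then
    depends on the compiled-in default list, which cannot be known offline.
    """
    for raw in config_text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r'[\s=]+', line, maxsplit=1)
        if parts[0].lower() != 'kexalgorithms' or len(parts) != 2:
            continue
        value = parts[1].strip()
        if value[:1] in '+-^':
            return None
        return [a.strip() for a in value.split(',') if a.strip()]
    return None


def assess(config_text):
    """Report whether SAM's kex method is allowed and which SHA-1 methods remain."""
    kex = effective_kex(config_text)
    if kex is None:
        return {'sam_ok': None, 'sha1_kex': None}
    return {
        'sam_ok': SAM_REQUIRED_KEX in kex,
        'sha1_kex': [k for k in kex if k.endswith('-sha1')],
    }
```

A result of `sam_ok: True` with `sha1_kex` containing only diffie-hellman-group14-sha1 matches the article's recommended state; any further entries in `sha1_kex` show SHA-1 methods the server accepts beyond what SAM needs.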

Additional Information

Shared Account Manager End Of Life Announcement: https://support.broadcom.com/external/content/product-advisories/End-of-Life-Announcement-for-CA-Shared-Account-Manager/18109

Documentation to Migrate From PIM or PAMSC to PAM 4.0: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-0/pam-server-control/MIgrate-From-PIM-or-PAM-SC-to-PAM.html