
Shared Account Manager Cannot Connect to SSH Endpoints After Modifying sshd_config


Article ID: 224910


Updated On:


CA Privileged Identity Management Endpoint (PIM)


After updating sshd_config on Linux servers to accept only SHA-2 kex algorithms, Shared Account Manager (SAM) can no longer connect to them to rotate the passwords. An error similar to the one below may occur.

Fatal: Check in Privileged Account. Failed to change the account password Native error: Failed to connect to host, Cannot open a new session




Privileged Identity Manager 12.8, 12.9, 14.0


SAM uses a third-party jar file to make the connections to SSH devices. This file is limited to SHA-1 kex algorithms.


As this is caused by a third-party jar file, we cannot modify the code to use SHA-2 algorithms. Normally this would be addressed in a future release, but SAM is set to be end of life and will have no future releases. The solution is to migrate to Privileged Access Manager 4.0, which has SHA-2 capabilities and integrates with PIM or PAMSC endpoints.

To maintain SAM functionality until the migration to PAM, add diffie-hellman-group14-sha1 to the KexAlgorithms list in sshd_config. This allows SAM to connect while keeping the set of SHA-1 algorithms the server accepts to the single one SAM needs.
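As an added example (not from this article or the product), a POSIX shell helper that appends diffie-hellman-group14-sha1 to an existing KexAlgorithms line and leaves the SHA-2 entries in front of it; the sample sshd_config it edits is constructed here and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the KB article's own code. Appends the single SHA-1 key
# exchange SAM can negotiate to an sshd_config that is otherwise SHA-2 only,
# keeping the SHA-2 algorithms first so capable clients still prefer them.
# Assumes the config has one uncommented "KexAlgorithms ..." line.

SAM_KEX="diffie-hellman-group14-sha1"

# Print the effective KexAlgorithms value from a config file (empty if none set).
current_kex() {
  awk 'tolower($1)=="kexalgorithms" {print $2; exit}' "$1"
}

# Add the SHA-1 group14 exchange to the KexAlgorithms line if it is missing.
# Returns 0 when the file ends up listing it, 1 if no KexAlgorithms line exists
# (in that case sshd uses its defaults, so the explicit list must be added by hand).
add_sam_kex() {
  cfg="$1"
  kex=$(current_kex "$cfg")
  [ -n "$kex" ] || return 1
  case ",$kex," in
    *",$SAM_KEX,"*) return 0 ;;   # already present, nothing to do
  esac
  tmp="$cfg.tmp.$$"
  # Append to the existing list rather than replacing it, so SHA-2 stays preferred.
  awk -v add="$SAM_KEX" \
    'tolower($1)=="kexalgorithms" && !done {$2=$2 "," add; done=1} {print}' \
    "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Constructed sample: a hardened sshd_config restricted to SHA-2 key exchange,
# the state that causes the "Failed to connect to host" error above.
SAMPLE_CFG="${TMPDIR:-/tmp}/sshd_config.sample.$$"
cat > "$SAMPLE_CFG" <<'EOF'
Port 22
KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512
EOF

add_sam_kex "$SAMPLE_CFG"
echo "KexAlgorithms now: $(current_kex "$SAMPLE_CFG")"
# On a real host, validate with "sshd -t -f /etc/ssh/sshd_config" before
# reloading sshd, then confirm with "sshd -T | grep -i kexalgorithms".
```

Run it against a copy of the real file first; once the list is confirmed, reload sshd and retry the SAM password check-in.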

Additional Information

Shared Account Manager End Of Life Announcement:

Documentation to Migrate From PIM or PAMSC to PAM 4.0: