PAM -- Issue vaulting a server PAM-CM-1341: Failed to establish a communications channel to the remote host.

Article ID: 256935


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We are trying to add a box, but we have an issue; please read the attached file, as there you can see the error message in the logs and the cipher that we have in PAM and in the server. We can connect to this host using PuTTY directly and there does not appear to be an issue with the Linux host.

 

: Connecting to <servername>.example.com port 22
2022-12-27T18:15:11.705+0000 INFO [UATM] ccccc T1778952 - jsch: Connection established
2022-12-27T18:15:11.753+0000 INFO [UATM] ccccc T1778952 - jsch: Remote version string: SSH-2.0-OpenSSH_7.4
2022-12-27T18:15:11.753+0000 INFO [UATM] ccccc T1778952 - jsch: Local version string: SSH-2.0-JSCH-0.1.72
2022-12-27T18:15:11.753+0000 INFO [UATM] ccccc T1778952 - jsch: CheckCiphers: [email protected],[email protected],aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc,aes192-ctr
2022-12-27T18:15:11.754+0000 INFO [UATM] ccccc T1778952 - jsch: CheckKexes: curve25519-sha256,[email protected],curve448-sha512
2022-12-27T18:15:11.754+0000 INFO [UATM] ccccc T1778952 - jsch: curve25519-sha256 is not available.
2022-12-27T18:15:11.754+0000 INFO [UATM] ccccc T1778952 - jsch: [email protected] is not available.
2022-12-27T18:15:11.754+0000 INFO [UATM] ccccc T1778952 - jsch: curve448-sha512 is not available.
2022-12-27T18:15:11.754+0000 INFO [UATM] ccccc T1778952 - jsch: kex proposal before removing unavailable algos is: ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-nistp521,diffie-hellman-group14-sha256
2022-12-27T18:15:11.754+0000 INFO [UATM] ccccc T1778952 - jsch: kex proposal after removing unavailable algos is: ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-nistp521,diffie-hellman-group14-sha256
2022-12-27T18:15:11.754+0000 INFO [UATM] ccccc T1778952 - jsch: CheckSignatures: ssh-ed25519,ssh-ed448
2022-12-27T18:15:11.755+0000 INFO [UATM] ccccc T1778952 - jsch: ssh-ed25519 is not available.
2022-12-27T18:15:11.755+0000 INFO [UATM] ccccc T1778952 - jsch: ssh-ed448 is not available.
2022-12-27T18:15:11.755+0000 INFO [UATM] ccccc T1778952 - jsch: server_host_key proposal before removing unavailable algos is: ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
2022-12-27T18:15:11.755+0000 INFO [UATM] ccccc T1778952 - jsch: server_host_key proposal after removing unavailable algos is: ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
2022-12-27T18:15:11.755+0000 INFO [UATM] ccccc T1778952 - jsch: server_host_key proposal before known_host reordering is: ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
2022-12-27T18:15:11.755+0000 INFO [UATM] ccccc T1778952 - jsch: server_host_key proposal after known_host reordering is: ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
2022-12-27T18:15:11.755+0000 INFO [UATM] ccccc T1778952 - jsch: SSH_MSG_KEXINIT sent
2022-12-27T18:15:11.776+0000 INFO [UATM] ccccc T1778952 - jsch: SSH_MSG_KEXINIT received
2022-12-27T18:15:11.776+0000 INFO [UATM] ccccc T1778952 - jsch: kex: server: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
2022-12-27T18:15:11.776+0000 INFO [UATM] ccccc T1778952 - jsch: kex: server: ssh-ed25519
2022-12-27T18:15:11.776+0000 INFO [UATM] ccccc T1778952 - jsch: kex: server: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,aes192-cbc,aes256-cbc
2022-12-27T18:15:11.776+0000 INFO [UATM] ccccc T1778952 - jsch: kex: server: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,aes192-cbc,aes256-cbc
2022-12-27T18:15:11.776+0000 INFO [UATM] ccccc T1778952 - jsch: kex: server: [email protected],[email protected],[email protected],[email protected],[email protected]
2022-12-27T18:15:11.776+0000 INFO [UATM] ccccc T1778952 - jsch: kex: server: [email protected],[email protected],[email protected],[email protected],[email protected]
2022-12-27T18:15:11.776+0000 INFO [UATM] ccccc T1778952 - jsch: kex: server: none,[email protected]
2022-12-27T18:15:11.776+0000 INFO [UATM] ccccc T1778952 - jsch: kex: server: none,[email protected]
2022-12-27T18:15:11.776+0000 INFO [UATM] ccccc T1778952 - jsch: kex: server: 
2022-12-27T18:15:11.776+0000 INFO [UATM] ccccc T1778952 - jsch: kex: server: 
2022-12-27T18:15:11.776+0000 INFO [UATM] ccccc T1778952 - jsch: kex: client: ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512
2022-12-27T18:15:11.776+0000 INFO [UATM] ccccc T1778952 - jsch: kex: client: ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
2022-12-27T18:15:11.776+0000 INFO [UATM] ccccc T1778952 - jsch: kex: client: [email protected],[email protected],aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc,aes192-ctr,aes192-cbc,3des-ctr
2022-12-27T18:15:11.776+0000 INFO [UATM] ccccc T1778952 - jsch: kex: client: [email protected],[email protected],aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc,aes192-ctr,aes192-cbc,3des-ctr
2022-12-27T18:15:11.776+0000 INFO [UATM] ccccc T1778952 - jsch: kex: client: [email protected],[email protected],hmac-sha2-256,hmac-sha2-512,[email protected]
2022-12-27T18:15:11.776+0000 INFO [UATM] ccccc T1778952 - jsch: kex: client: [email protected],[email protected],hmac-sha2-256,hmac-sha2-512,[email protected]
2022-12-27T18:15:11.776+0000 INFO [UATM] ccccc T1778952 - jsch: kex: client: none
2022-12-27T18:15:11.776+0000 INFO [UATM] ccccc T1778952 - jsch: kex: client: 
2022-12-27T18:15:11.776+0000 INFO [UATM] ccccc T1778952 - jsch: kex: client: 
2022-12-27T18:15:11.776+0000 INFO [UATM] ccccc T1778952 - jsch: Disconnecting from <servername>.example.com port 22
2022-12-27T18:15:11.778+0000 SEVERE [TP2] com.cloakware.cspm.server.app.impl.AddTargetAccountCmd.invoke AddTargetAccountCmd.invoke 15212: PAM-CM-1341: Failed to establish a communications channel to the remote host.

 

Environment

Release : PAM 4.x 

Any Unix/Linux

Cause

Reviewing the Tomcat logs on the PAM appliance showed that PAM and the Linux endpoint did not agree on a host key (server signature) algorithm. JSch logs the proposal lists from each side in the same order (key exchange, host key, cipher client-to-server, cipher server-to-client, MAC client-to-server, MAC server-to-client, then compression and language), so each "kex: server:" line is compared with the "kex: client:" line in the same position; the second pair is the host key list:

   jsch: kex: server: ssh-ed25519

   jsch: kex: client: ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss

PAM's JSch client could not use ssh-ed25519, the only host key algorithm the sshd service was offering: earlier in the same log JSch reports "ssh-ed25519 is not available" while checking its signature support, so the two sides had no host key algorithm in common and JSch disconnected, which PAM surfaces as PAM-CM-1341.

 

Further review of the sshd_config file showed that the Linux endpoint was configured with all three of the following host keys, so sshd should have been able to offer RSA and ECDSA as well:

[root@xxxx ]# grep HostKey /etc/ssh/sshd_config
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

Reviewing the keys indicated they had been created correctly (the private key was displayed here to confirm it was a valid OpenSSH key; comparing the fingerprint of the matching .pub file gives the same assurance without exposing the private key):

[root@xxxx ]# cat /etc/ssh/ssh_host_rsa_key
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
<additional txt here>
lvtFLfnTmAbuEAAAAAAQID
-----END OPENSSH PRIVATE KEY-----

 

The issue turned out to be the group ownership of the private host keys. A Red Hat-family OpenSSH build installs them as root:ssh_keys with mode 0640 and accepts a group-readable private key only when that group is ssh_keys, so the RSA and ECDSA keys (0640, root:root) were refused when sshd started while the ed25519 key (0600) loaded normally. That is why sshd advertised ssh-ed25519 as its only host key algorithm. When this happens sshd logs "Permissions 0640 for '...' are too open" and "Could not load host key" for each rejected key, which is the quickest way to confirm the cause on the endpoint.

Resolution

Resetting the group of the private host keys to "ssh_keys" resolved the issue. Before:

-rw-r----- 1 root root 227 Apr 8 2019 ssh_host_ecdsa_key
-rw-r--r-- 1 root root 162 Apr 8 2019 ssh_host_ecdsa_key.pub
-rw------- 1 root root 387 Apr 8 2019 ssh_host_ed25519_key
-rw-r--r-- 1 root root 82 Apr 8 2019 ssh_host_ed25519_key.pub
-rw-r----- 1 root root 1679 Apr 8 2019 ssh_host_rsa_key
-rw-r--r-- 1 root root 382 Apr 8 2019 ssh_host_rsa_key.pub

After:

-rw-r----- 1 root ssh_keys 227 Apr 8 2019 ssh_host_ecdsa_key
-rw-r--r-- 1 root root 162 Apr 8 2019 ssh_host_ecdsa_key.pub
-rw------- 1 root ssh_keys 387 Apr 8 2019 ssh_host_ed25519_key
-rw-r--r-- 1 root root 82 Apr 8 2019 ssh_host_ed25519_key.pub
-rw-r----- 1 root ssh_keys 1679 Apr 8 2019 ssh_host_rsa_key
-rw-r--r-- 1 root root 382 Apr 8 2019 ssh_host_rsa_key.pub

This should not normally be necessary unless the ownership of the host key files was changed after installation (for example by a hardening script, a restore from backup, or a copy made with the wrong account). On a stock Red Hat-family system the private host keys are created as root:ssh_keys 0640, and because the permission check runs when sshd loads its keys, a rejected key also shows up when running sshd -t and in the sshd log. The .pub files can stay root:root; they are public and are not subject to the check.
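As an added example (my code, not from the article or the product), the following shell snippet encodes the rule behind the before/after listing above, repairs the ownership the way the resolution describes, and then checks from a client which host key types the endpoint actually offers. It assumes a Linux host with GNU stat, the ssh_keys group of a Red Hat-family OpenSSH build (Debian-family builds keep host keys root:root 0600, for which the 0600 branch applies), sshd managed by systemd, and ssh-keyscan on the checking machine; the function names and the /etc/ssh default are mine.

```shell
#!/bin/sh
# Added example, not part of the original article.
# check_hostkey_perms DIR : report private host keys sshd would refuse to load
# fix_hostkey_group DIR   : apply the resolution from the article (run as root)
# show_offered_hostkeys H : list the host key types a server actually offers

KEY_GROUP="${KEY_GROUP:-ssh_keys}"   # assumed: Red Hat-family group name
KEY_OWNER="${KEY_OWNER:-root}"       # host keys must belong to root

# Prints one REJECT line per key that fails the check; returns 1 if any did.
# Rule: 0600 is always fine; 0640 is fine only when the group is $KEY_GROUP;
# anything more open, or a wrong owner, is rejected (sshd then logs
# "Could not load host key" and stops offering that key type).
check_hostkey_perms() {
    dir="${1:-/etc/ssh}"
    bad=0
    for key in "$dir"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        mode=$(stat -c '%a' "$key")
        owner=$(stat -c '%U' "$key")
        group=$(stat -c '%G' "$key")
        case "$mode" in
            600) ok=1 ;;
            640) if [ "$group" = "$KEY_GROUP" ]; then ok=1; else ok=0; fi ;;
            *)   ok=0 ;;
        esac
        [ "$owner" = "$KEY_OWNER" ] || ok=0
        if [ "$ok" -eq 0 ]; then
            echo "REJECT $key (mode $mode, $owner:$group)"
            bad=1
        fi
    done
    return "$bad"
}

# The fix from the Resolution section, followed by a config/key sanity check
# (sshd -t loads the host keys) and a restart so sshd re-reads them.
fix_hostkey_group() {
    dir="${1:-/etc/ssh}"
    chown "$KEY_OWNER:$KEY_GROUP" "$dir"/ssh_host_*_key
    chmod 0640 "$dir"/ssh_host_*_key
    sshd -t && systemctl restart sshd
}

# Ask the endpoint for each key type; a server that could only load its
# ed25519 key answers with ssh-ed25519 alone, which is what PAM saw.
show_offered_hostkeys() {
    ssh-keyscan -t rsa,ecdsa,ed25519 "$1" 2>/dev/null | awk '{print $2}'
}

# Usage (on the endpoint, as root):
#   check_hostkey_perms /etc/ssh || fix_hostkey_group /etc/ssh
# Usage (from any machine that can reach the endpoint):
#   show_offered_hostkeys endpoint.example.com
```

Run the check before and after the fix: the REJECT lines should name exactly the 0640 root:root keys from the "Before" listing, and ssh-keyscan should go from answering only for ed25519 to answering for all three types once sshd has been restarted.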

 

Additionally, support for ssh-ed25519 host keys was added in PAM 4.1.2, so on that release or later the host key negotiation would not fail even if sshd could only load its ed25519 key (the ownership problem on the endpoint should still be corrected):

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-1-2/release-information/new-features-and-enhancements-in-4-1-2.html


Additional Information

In another case showing the same error, no common MAC (the integrity "hash" of the SSH proposal) was supported. The target application had been configured in the past with a custom list of MACs, which shows up in the "kex: client:" log line, but after the target server was patched its sshd offered only the three "@openssh.com" variants (rendered as "[email protected]" below), none of which was in the custom list. The custom list also still carried hmac-md5, hmac-md5-96 and hmac-sha1-96, which current OpenSSH releases no longer offer by default, so it was both stale and weaker than the default:

...

2023-09-06T18:04:14.105+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.SSHConnector$1.log T2469994 - jsch: kex: server: [email protected],[email protected],[email protected]

...

2023-09-06T18:04:14.106+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.SSHConnector$1.log T2469994 - jsch: kex: client: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5-96,hmac-md5

...

In that case going back to the default list resolved the problem:
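As an added example (my code, not from the article or the product), the following script applies the pairing rule from the Cause section and from this one to a PAM Tomcat log: it pairs each "jsch: kex: server:" line with the "jsch: kex: client:" line in the same position, picks the first client entry the server also lists (the choice the SSH negotiation would make), and prints NONE for any proposal with no common algorithm. The sample log written by write_sample_log is constructed for this example and combines both failures from the article; the MAC names in it are assumed, since the article's copy has them obfuscated.

```shell
#!/bin/sh
# Added example, not part of the original article.
# negotiate_from_log FILE : show what each of the first six SSH proposals
#   (kex, host key, cipher c2s/s2c, MAC c2s/s2c) would settle on, or NONE.
# Only the first six are compared because the compression and language lines
# are not always logged in full. Any log prefix before "jsch:" is ignored, so
# both log formats shown in the article are handled.

negotiate_from_log() {
    awk '
        /jsch: kex: server:/ { sub(/.*jsch: kex: server: ?/, ""); srv[++ns] = $0; next }
        /jsch: kex: client:/ { sub(/.*jsch: kex: client: ?/, ""); cli[++nc] = $0; next }
        END {
            split("kex hostkey cipher_c2s cipher_s2c mac_c2s mac_s2c", name, " ")
            for (i = 1; i <= 6 && i <= ns && i <= nc; i++) {
                for (k in offered) delete offered[k]
                n = split(srv[i], s, ",")
                for (j = 1; j <= n; j++) offered[s[j]] = 1
                # RFC 4253: the first client-preferred name the server also lists wins
                m = split(cli[i], c, ",")
                chosen = ""
                for (j = 1; j <= m && chosen == ""; j++)
                    if (c[j] in offered) chosen = c[j]
                printf "%-10s %s\n", name[i], (chosen == "" ? "NONE" : chosen)
            }
        }' "$1"
}

# Constructed sample: the server offers only ssh-ed25519 (the Cause section)
# and only -etm MACs against a client list of plain RFC 4253 names (this
# section). Algorithm names other than the host key lists are assumed.
write_sample_log() {
    cat > "$1" <<'EOF'
2022-12-27T18:15:11.776+0000 INFO [UATM] ccccc T1778952 - jsch: kex: server: curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
2022-12-27T18:15:11.776+0000 INFO [UATM] ccccc T1778952 - jsch: kex: server: ssh-ed25519
2022-12-27T18:15:11.776+0000 INFO [UATM] ccccc T1778952 - jsch: kex: server: aes128-ctr,aes192-ctr,aes256-ctr
2022-12-27T18:15:11.776+0000 INFO [UATM] ccccc T1778952 - jsch: kex: server: aes128-ctr,aes192-ctr,aes256-ctr
2022-12-27T18:15:11.776+0000 INFO [UATM] ccccc T1778952 - jsch: kex: server: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
2022-12-27T18:15:11.776+0000 INFO [UATM] ccccc T1778952 - jsch: kex: server: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
2022-12-27T18:15:11.776+0000 INFO [UATM] ccccc T1778952 - jsch: kex: client: ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-nistp521,diffie-hellman-group14-sha256
2022-12-27T18:15:11.776+0000 INFO [UATM] ccccc T1778952 - jsch: kex: client: ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
2022-12-27T18:15:11.776+0000 INFO [UATM] ccccc T1778952 - jsch: kex: client: aes128-ctr,aes256-ctr,aes128-cbc
2022-12-27T18:15:11.776+0000 INFO [UATM] ccccc T1778952 - jsch: kex: client: aes128-ctr,aes256-ctr,aes128-cbc
2022-12-27T18:15:11.776+0000 INFO [UATM] ccccc T1778952 - jsch: kex: client: hmac-sha2-256,hmac-sha2-512,hmac-sha1
2022-12-27T18:15:11.776+0000 INFO [UATM] ccccc T1778952 - jsch: kex: client: hmac-sha2-256,hmac-sha2-512,hmac-sha1
EOF
}

# Usage against a real log:  negotiate_from_log /path/to/pam-tomcat.log
# Against the constructed sample (prints NONE for hostkey, mac_c2s, mac_s2c):
#   write_sample_log /tmp/jsch-sample.log && negotiate_from_log /tmp/jsch-sample.log
```

A NONE in the hostkey row points at the endpoint's loaded host keys (or at the PAM release, as noted for ssh-ed25519 above); a NONE in a MAC or cipher row points at a custom algorithm list on the target application, which is the case described in this section.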