ssh-ed25519 cryptographic algorithm support leads to password rotation issues for target accounts on UNIX servers

Article ID: 264953


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

The ssh-ed25519 cryptographic algorithm support added in PAM release 4.1.2 leads to a password rotation failure ("PAM-CM 1341 Failed to establish a communication channel to remote host") for target accounts on a subset of UNIX servers.

Environment

Release : 4.1.2 and above

Cause

The affected UNIX servers allow the ssh-ed25519 cryptographic key algorithm but do not fully support it.

Note that PAM release 4.1.2 added support for the ed25519 cryptographic key algorithm, which the affected UNIX devices allow but do not fully support. Please refer to the related PAM technical documentation page (under the heading New Features and Enhancements in 4.1.2): https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-1-2/release-information/new-features-and-enhancements-in-4-1-2.html

Resolution

To resolve this issue, customize the UNIX target application to specify a subset of algorithms (as shown below) that does not include the new key algorithm (ssh-ed25519).

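The following shell helpers are an added example, not part of this article or of PAM itself. They show the two checks an administrator would typically run before applying the fix above: confirm from ssh-keyscan output which host-key types the UNIX target actually advertises, and build the algorithm list to enter in the target application with ssh-ed25519 removed. It assumes the target application's algorithm setting is a comma-separated list of SSH algorithm names; the keyscan output and the current algorithm list are constructed for the example and are not PAM's defaults.

```shell
#!/bin/sh
# Added example (not from the KB article or from PAM): helpers for checking
# which host-key types a UNIX target advertises and for building an algorithm
# list that leaves out ssh-ed25519. Assumption: the target application's
# algorithm setting is a comma-separated list of SSH algorithm names.

# Succeed (exit 0) when comma-separated list $1 contains algorithm $2.
has_algorithm() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print list $1 with every occurrence of algorithm $2 removed, order preserved.
strip_algorithm() {
    printf '%s' "$1" | awk -v drop="$2" '
        BEGIN { RS = ","; ORS = "" }
        $0 != drop { printf "%s%s", (n++ ? "," : ""), $0 }
        END { printf "\n" }'
}

# Read ssh-keyscan output on stdin and print the advertised key types, one per
# line. Comment lines (which carry the server banner) are skipped.
keyscan_key_types() {
    awk '!/^#/ && NF >= 3 { print $2 }'
}

# Succeed when keyscan output $1 shows the host advertising key type $2.
advertises() {
    printf '%s\n' "$1" | keyscan_key_types | grep -q -x -- "$2"
}

# Live probe against a real host (not invoked here; needs network access).
probe_host() {
    ssh-keyscan -T 5 "$1" 2>/dev/null | keyscan_key_types
}

# Constructed ssh-keyscan output for a hypothetical host; the key material is
# truncated placeholder text, not real keys.
SAMPLE_KEYSCAN='# unix-target.example:22 SSH-2.0-OpenSSH_7.4
unix-target.example ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB...placeholder
unix-target.example ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAI...placeholder
unix-target.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...placeholder'

# Constructed algorithm list standing in for the target application's current
# setting; it is not PAM's actual default.
CURRENT_ALGS='ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa'

# The list to configure: the article's fix is to drop ssh-ed25519 when the
# host advertises it but rotation fails with PAM-CM 1341.
list_without_ed25519() {
    if has_algorithm "$1" ssh-ed25519; then
        strip_algorithm "$1" ssh-ed25519
    else
        printf '%s\n' "$1"
    fi
}

if advertises "$SAMPLE_KEYSCAN" ssh-ed25519; then
    echo "host advertises ssh-ed25519; configure: $(list_without_ed25519 "$CURRENT_ALGS")"
else
    echo "host does not advertise ssh-ed25519; keep: $CURRENT_ALGS"
fi
```

Run `probe_host <hostname>` against the affected server to replace the constructed sample with real output; a host that advertises ssh-ed25519 yet fails rotation is the case this article describes, and the printed list is what to enter in the target application's algorithm setting.
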
Additional Information

None.