There is a rather common situation in which a cipher or key exchange (kex) algorithm mismatch between PAM and the target SSH device prevents login from happening.
In this case access to the remote server, whether through Mindterm or a TCP service, fails and, if anything, a window is presented reporting a mismatch of algorithms and attempting to show the list of algorithms offered for the connection by the server and the ones offered by CA PAM.
Unfortunately, that window usually disappears quickly, and it is difficult to establish for certain the list of algorithms on either side in order to understand where the mismatch is.
This article presents an easy way to determine that list, its order, and hence a possible mismatch.
CA PAM Release 4.0.X onwards
The easiest approach is to obtain the list of algorithms the remote machine supports for SSH connections by using the nmap command.
The following syntax returns all ssh algorithms and ciphers supported for connection to the target machine (1.2.3.4 in the example below):
nmap -sV -p 22 --script ssh2-enum-algos <<target server>>

Starting Nmap 7.80 ( https://nmap.org ) at 2023-06-15 15:18 Romance Daylight Time
Nmap scan report for 1.2.3.4
Host is up (0.19s latency).
Not shown: 994 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
| ssh2-enum-algos:
|   kex_algorithms: (12)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (5)
|       ssh-rsa
|       rsa-sha2-512
|       rsa-sha2-256
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (12)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|       aes128-cbc
|       aes192-cbc
|       aes256-cbc
|       blowfish-cbc
|       cast128-cbc
|       3des-cbc
|   mac_algorithms: (10)
|       umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       umac-64@openssh.com
|       umac-128@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
80/tcp   closed http
443/tcp  closed https
902/tcp  closed iss-realsecure
3389/tcp open   ms-wbt-server
9080/tcp closed glrpc
MAC Address: 02:50:41:00:00:02 (Unknown)
This list of algorithms must then be compared with the corresponding elements in the Configuration --> Security --> Cryptography screen in PAM, either in the ssh mindterm tab (connection using the applet) or in the ssh proxy tab (connection using a TCP service).
There are two things to consider about this page:
* Out of the box the Use Default option checkbox is selected. This means only the default algorithms, kex algorithms, etc. are selected, and these are generally far fewer than the full list. Unchecking this box allows you to see, for each cipher item, the full list of available options. If for a given item none of the default ones is in the list supported by the remote system, but it is there once the Default checkbox has been cleared and the full list viewed, it can be added to the existing list, preferably at the beginning.
* When PAM connects to a remote system it uses the entries in the ciphers section in order. That is, if the connection to server A uses algorithm B, but algorithm B is at the bottom of the list of algorithms supported by PAM, the product will attempt the handshake with all the preceding algorithms before finally reaching algorithm B, and this may cause a timeout. In this case make sure that the first algorithm, cipher, etc. returned by the nmap command stands at the beginning of the corresponding list in PAM.
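The comparison described above (nmap output on one side, PAM's ordered Cryptography lists on the other) is easy to get wrong by eye across five categories. The following Python script is an added example, not part of this article or of the PAM product: it parses the ssh2-enum-algos section of an nmap report, checks that the entry counts nmap declares match what was pasted (a truncated copy is a common source of confusion), and for each category reports which algorithms both sides share and where the server's first preference sits in PAM's list, which is exactly the ordering concern raised in the second bullet. NMAP_OUTPUT is a trimmed copy of the scan shown above, PAM_CONFIG is a hypothetical set of lists as they might be copied from the PAM screen (keyed by nmap's category names for convenience; PAM's own labels differ), and the advice strings are this example's own wording.

```python
import re

# Constructed sample: a trimmed copy of the ssh2-enum-algos output shown in
# this article (the full scan lists 12 kex and 12 encryption algorithms).
NMAP_OUTPUT = """\
22/tcp   open   ssh
| ssh2-enum-algos:
|   kex_algorithms: (4)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (3)
|       ssh-rsa
|       rsa-sha2-512
|       ssh-ed25519
|   encryption_algorithms: (4)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes256-ctr
|       aes128-cbc
|   mac_algorithms: (3)
|       umac-64-etm@openssh.com
|       hmac-sha2-256
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
80/tcp   closed http
"""

# Hypothetical PAM lists, as they might be copied from the Configuration ->
# Security -> Cryptography screen, in PAM's order of preference. The keys
# reuse nmap's category names for convenience; PAM's own labels differ.
PAM_CONFIG = {
    "kex_algorithms": ["diffie-hellman-group14-sha1", "ecdh-sha2-nistp256", "curve25519-sha256"],
    "server_host_key_algorithms": ["ssh-rsa", "ssh-ed25519"],
    "encryption_algorithms": ["aes128-ctr", "aes256-ctr"],
    "mac_algorithms": ["hmac-md5"],
    "compression_algorithms": ["none"],
}

CATEGORY_RE = re.compile(r"^(\w+_algorithms): \((\d+)\)$")


def parse_enum_algos(text):
    """Return {category: [algorithms in the order the server advertises them]}.

    Only lines carrying nmap's "|" script prefix are read, so the port table
    around the script output is ignored. Raises ValueError if the number of
    entries found differs from the count nmap declares, which catches a
    truncated copy-paste of the scan."""
    algos, declared, current = {}, {}, None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue
        line = raw.lstrip("|_ ").strip()  # drop the "| " / "|_" script prefix
        m = CATEGORY_RE.match(line)
        if m:
            current = m.group(1)
            algos[current] = []
            declared[current] = int(m.group(2))
        elif current and line and not line.endswith(":"):
            algos[current].append(line)
    for cat, count in declared.items():
        if len(algos[cat]) != count:
            raise ValueError(f"{cat}: nmap declared {count} entries, parsed {len(algos[cat])}")
    return algos


def compare(server, pam):
    """Per category: algorithms PAM and the server share (in PAM's order),
    the server's first preference, and its 0-based position in PAM's list
    (None if PAM does not offer it at all), plus a one-line suggestion."""
    report = {}
    for cat, offered in server.items():
        configured = pam.get(cat, [])
        common = [a for a in configured if a in offered]
        first = offered[0] if offered else None
        idx = configured.index(first) if first in configured else None
        if not common:
            advice = "no common algorithm: untick Use Default and add one the server offers"
        elif idx is None:
            advice = f"add {first} to PAM's list, preferably at the beginning"
        elif idx > 0:
            advice = f"move {first} from position {idx + 1} to the beginning of PAM's list"
        else:
            advice = "ok: PAM tries the server's first choice first"
        report[cat] = {"common": common, "server_first": first, "pam_index": idx, "advice": advice}
    return report


def main():
    report = compare(parse_enum_algos(NMAP_OUTPUT), PAM_CONFIG)
    for cat, r in report.items():
        print(f"{cat}: {r['advice']}")


if __name__ == "__main__":
    main()
```

To use it against a real target, paste the full nmap report into NMAP_OUTPUT (or read it from a file) and copy PAM's lists into PAM_CONFIG in the order shown on the Cryptography screen; a category whose "common" list is empty is the mismatch that produces the login failure, and a non-zero "pam_index" is the ordering that produces the timeout described in the second bullet.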
nmap is shipped with, or its rpm can be installed on, most Linux distributions.
Alternatively you can download it from www.nmap.org for Windows or macOS as well.