Determining algorithm evaluation order
search cancel

Determining algorithm evaluation order

book

Article ID: 268086

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

There is a rather common situation when a cipher or kex mismatch between PAM and a final ssh device prevents login from happening

In this case access to a remote server, be it using Mindterm or a TCP service fails and- if anything- a window is presented showing that there was a mismatch of algorithms, trying to show a list of the algorithms offered for connection by the server and the ones offered by CA PAM

Alas, in general that window goes away and it is difficult to ascertain for sure the list of algorithms on one or the other side to understand where the mismatch is

This article presents an easy way to determine that order and a possible mismatch

Environment

CA PAM Releaser 4.0.X onwards

Resolution

The easiest way to go is to obtain the list of algorithms supported for ssh connection from the remote machine by using the nmap command. 

The following syntax will return all ssh algorithms and ciphers supported for connection to machine 1.2.3.4

nmap -sV -p 22 --script ssh2-enum-algos <<target server>>

Starting Nmap 7.80 ( https://nmap.org ) at 2023-06-15 15:18 Romance Daylight Time
Nmap scan report for 1.2.3.4
Host is up (0.19s latency).
Not shown: 994 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
| ssh2-enum-algos: 
|   kex_algorithms: (12)
|       curve25519-sha256
|       [email protected]
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (5)
|       ssh-rsa
|       rsa-sha2-512
|       rsa-sha2-256
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (12)
|       [email protected]
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       [email protected]
|       [email protected]
|       aes128-cbc
|       aes192-cbc
|       aes256-cbc
|       blowfish-cbc
|       cast128-cbc
|       3des-cbc
|   mac_algorithms: (10)
|       [email protected]
|       [email protected]
|       [email protected]
|       [email protected]
|       [email protected]
|       [email protected]
|       [email protected]
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      [email protected]
80/tcp   closed http
443/tcp  closed https
902/tcp  closed iss-realsecure
3389/tcp open   ms-wbt-server
9080/tcp closed glrpc
MAC Address: 02:50:41:00:00:02 (Unknown)

This list of algorithms must then be compared to the different elements in the Configuration --> Security --> Cryptography screen in PAM, be it in the ssh mindterm tab (connection using applet) or ssh proxy one (connection using a tcp service)

There is two things to consider about this page:

*Out ot the box the Use Default option checkbox is selected. This means only the default algorithms, kex algorithms, etc will be selected. And these are generally much less than the full list. Unchecking this box will allow for each cipher item to see the full list of options available. If for a given item none of the default ones is in the list supported by the remote system, but once having removed the Default checbox and viewed the full list it is there, it can be added to the existing list, preferably at the beginning

* When PAM connects to ta remote system it does so using the data in the ciphers section in order. That is, if connection to server A uses algorithm B, but in the list of algorithms supported by PAM, algorithm B is at the bottom of the list, the product will attempt handshake first of all with all the previous algorithms before finally getting to algorithm B, and this may cause a timeout. In this case make sure the the first algorithm, cipher, etc obtained in the nmap  command stands at the beginning of the list of ciphers in PAM

Additional Information

nmap is shipped or its rpm can be installed on most linux distributions.

Alternatively you can download it from www.nmap.org for Windows or MacOS as well.