Cannot connect to RHEL 9 servers using PAM's SecureCRT/PuTTY service, while connections to RHEL 7 and RHEL 8 servers using these services succeed.

Article ID: 269848

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Connections to RHEL 9 servers using the SecureCRT/PuTTY service fail, while connections to other Linux servers such as RHEL 7 and RHEL 8 succeed.

On the RHEL 9 Linux server, the secure log in directory /var/log may show errors like the one below for the time the SecureCRT/PuTTY SSH connection was attempted. The example is a failure seen in the RHEL 9 Linux secure log (in directory /var/log/), indicating that the only Server Host Key type offered is ssh-rsa.

*** Intentionally masked the server name, port  and server IP address below with "xxx"s ****
Jul 16 06:52:43 xxxxxxxxxxxxxx  sshd[xxxxxx]: Unable to negotiate with xxx.xxx.xx port xxxxxx: no matching host key type found. Their offer: ssh-rsa [preauth].

Environment

Release : 4.1+

Cause

The Server Host Key list on the Configuration==>Security==>Cryptography page (for SSH Proxy as well as Mindterm) only included the ssh-rsa key; see the screenshot below. This was the default setting in PAM 4.1.1 and lower. If the settings were customized at 4.1.1, they would have persisted even after an upgrade to 4.1.2 or 4.1.3, where the default list was expanded. The screenshot is from a 4.1.3 server.

 

Resolution

If you are on 4.1.2+ already, you can get the expanded default list for that release by going back to "Use Default":

Step #1 - Save a screenshot of the non-default settings you were running with.

Step #2 - Check the "Use Default" checkbox to pick up the suggested new PAM settings for connections. Click "Update" to save the new settings so they are used for new connections. Note, for example, that "Server Host Key" has newer options. Also, ensure that any additional settings you were running with are reinstated on top of these new default settings.

Step #3 - Test by launching the SecureCRT/PuTTY service to connect to your RHEL 9 server. The connection should succeed, and you should see success entries like the following in the secure log in directory /var/log of your RHEL 9 server.

Jul 16 06:55:44 xxxxxxxxxx sshd[29346]: Accepted password for xxx from xxxxxxxxxxx  port xxxx ssh2
Jul 16 06:55:44 xxxxxxxxxxx  sshd[29346]: pam_unix(sshd:session): session opened for user xxxxx by xxxxxx

Step #4 - Test connections to other SSH servers to make sure the default settings don't cause a problem with other devices. If necessary, uncheck the "Use Default" checkbox again and make additional changes, such as adding ciphers or key exchange options that you had added in the past but got lost when going back to default settings.

 

If you are running PAM 4.1.1, the "Use Default" option will NOT bring in additional server host keys. Instead, you have to click on the eye icon on the right to bring up the list of available keys, and then add, for example, the ecdsa* keys and/or the ssh-ed25519 key to the list in the Server Host Key text box. Test the new settings with other devices as well to make sure your customizations don't cause problems with devices that worked with the old lists.
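
To confirm the result of Step #3 across many connection attempts rather than by eye, the following added example (not part of the original article or of PAM) scans secure-log lines in the two formats shown above and reports which connecting addresses still fail host key negotiation. The host name, user, and addresses in the sample are constructed placeholders; on a real RHEL 9 server you would feed it the lines of /var/log/secure.

```python
import re

# Constructed sample in the format of the article's log excerpts.
SAMPLE_LOG = """\
Jul 16 06:52:43 rhel9-host sshd[29101]: Unable to negotiate with 192.0.2.10 port 50122: no matching host key type found. Their offer: ssh-rsa [preauth]
Jul 16 06:53:10 rhel9-host sshd[29150]: Unable to negotiate with 192.0.2.10 port 50140: no matching host key type found. Their offer: ssh-rsa [preauth]
Jul 16 06:54:02 rhel9-host sshd[29200]: Unable to negotiate with 198.51.100.7 port 41000: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
Jul 16 06:55:44 rhel9-host sshd[29346]: Accepted password for admin from 192.0.2.10 port 50188 ssh2
"""

# sshd message when the connecting side (here, the PAM appliance) offers
# no host key type that the server is willing to use.
NEGOTIATE_FAIL = re.compile(
    r"sshd\[\d+\]: Unable to negotiate with (?P<peer>\S+) port \d+: "
    r"no matching host key type found\. Their offer: (?P<offer>\S+)"
)
# sshd message for a successful authentication from the same address.
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for \S+ from (?P<peer>\S+) port \d+"
)

def host_key_status(lines):
    """Map each failing peer to its failure count, offered host key
    types, and whether a later login from that peer was accepted."""
    status = {}
    for line in lines:  # log lines are assumed to be in time order
        fail = NEGOTIATE_FAIL.search(line)
        if fail:
            entry = status.setdefault(
                fail["peer"],
                {"failures": 0, "offers": set(), "resolved": False},
            )
            entry["failures"] += 1
            entry["offers"].update(fail["offer"].split(","))
            entry["resolved"] = False  # a new failure reopens the issue
            continue
        ok = ACCEPTED.search(line)
        if ok and ok["peer"] in status:
            status[ok["peer"]]["resolved"] = True
    return status

def unresolved_peers(lines):
    """Peers whose most recent relevant event is still a failure."""
    return sorted(p for p, e in host_key_status(lines).items()
                  if not e["resolved"])

if __name__ == "__main__":
    for peer, e in host_key_status(SAMPLE_LOG.splitlines()).items():
        state = "resolved" if e["resolved"] else "STILL FAILING"
        print(f"{peer}: {e['failures']} failure(s), "
              f"offered {sorted(e['offers'])}, {state}")
```

An address that remains in the unresolved list after the Server Host Key list has been updated is a connecting host that is still offering only the old key types.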

Additional Information

None.