Cannot connect to RHEL9 servers using PAM's secureCRT /PuTTY service while succeed connecting to RHEL 7 and RHEL 8 servers using these services.
Article ID: 269848
Updated On:
Products
Issue/Introduction
Cannot connect to RHEL9 servers using secureCRT/PuTTY service while successful connections to other Linux servers such as RHEL 7 and RHEL 8 are possible.
On the RHEL9 Linux server the secure log in directorty /var/log may show errors like such for the time the secureCRT/PuTTY SSH connection was attempted. Attached is an example below of failure seen in the RHEL 9 Linux secure log (in directory /var/log/) indicating only Server Host Key available is ssh-rsa).
*** Intentionally masked the server name, port and server IP address below with "xxx"s ****
Jul 16 06:52:43 xxxxxxxxxxxxxx sshd[xxxxxx]: Unable to negotiate with xxx.xxx.xx port xxxxxx: no matching host key type found. Their offer: ssh-rsa [preauth].
Environment
Release : 4.1+
Cause
The Server Host Key list on the Configuration==>Security==>Cryptography (for SSH Proxy as well as Mindterm) page only included the ssh-rsa key, see the screenshot below. This was the default setting in PAM 4.1.1 and lower. If the settings were customized at 4.1.1, they would have persisted even after an upgrade to 4.1.2 or 4.1.3, where the default list was expanded. The screenshot is from a 4.1.3 server.
Resolution
If you are on 4.1.2+ already, you can get the expanded default list for that release by going back to "Use Default":
Step #1 - Save a screenshot of the non-default settings you were running with.
Step #2 - Check the "Use Default" to pick the suggested new PAM settings for connections. Clicking on "Update" to save the new settings for use for new connections. For example - please note that "Server Host Key" has newer options. Also, ensure that any additional settings you were running with are instated on top of these new Default settings.
Step #3 - Test by launching the secureCRT/PuTTY service to connect to your RHEL 9 server. The connection should succeed and you should see success footprints like such in secure log in directory /var/log of your RHEL 9 server.
Jul 16 06:55:44 xxxxxxxxxx sshd[29346]: Accepted password for xxx from xxxxxxxxxxx port xxxx ssh2
Jul 16 06:55:44xxxxxxxxxxx sshd[29346]: pam_unix(sshd:session): session opened for user xxxxx by xxxxxx
Step #4 - Test connections to other SSH servers to make sure the default settings don't cause a problem with other devices. If necessary, uncheck the "Use Default" checkbox again and make additional changes, such as adding ciphers or key exchange options that you had added in the past but got lost when going back to default settings.
If you are running PAM 4.1.1, the "Use Default" option will NOT bring additional server host keys in. Instead you have to click on the eye icon on the right to bring up the list of available keys, and then add e.g. the ecsda* keys and/or the ssh-ed25519 key to the list in the Server Host Key text box. Test the new settings with other devices as well to make sure your customizations don't cause problems with devices that worked with the old lists.
Additional Information
None.
Feedback
