PAM SSH Gateway Authentication – Windows-Side OpenSSH Key Pair Generation Issue
Article ID: 402931

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

The user is unable to authenticate via the SSH Gateway to a target Unix account managed by PAM (Privileged Access Management) using SSH key authentication. Attempting to use a key generated on the Unix target side resulted in error messages such as “invalid format” and “permission denied”.

Environment

PAM 4.2.1+
Launching an SSH access method from a Web Browser on Windows.

Cause

The PAM user had copied an SSH key pair generated on the Linux target device to his Windows workstation, instead of creating his own SSH key pair.

The unique OpenSSH key pair discussed in this article is generated and used solely for authenticating the PAM user to the SSH Gateway on the PAM appliance(s), not for direct authentication to the target Unix/Linux device itself. The SSH Gateway acts as a secure intermediary. This key pair is completely decoupled from any target device credentials, target device accounts, or .ssh configuration on endpoints. Which credentials are actually used to access the target device (for example, which account and password or key PAM uses over SSH to the target) is defined within the PAM access policy and may have no relation whatsoever to the SSH key pair you generate on your client system.
The SSH key pair is unique to each PAM user and is only relevant for accessing the PAM-managed SSH Gateway. The key names should reflect the PAM user's identity (e.g., alice_ed25519), not the target account (such as root or admin), to avoid confusion.

Resolution

To resolve authentication failures, generate the Unique OpenSSH Format SSH key pair on the Windows client side, not on the Unix target account. Upload the public key to the user’s PAM profile, generate and download the Trusted User Certificate from PAM, and use only Windows-side key files. Unix-side .ssh files are not required by PAM for this authentication flow.

Step-by-Step Example Solution

Always follow the steps in the official documentation, Configure the PAM Gateway for SSH (https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-2-2/configure-policies-to-provision-user-access-to-devices-and-applications/configure-devices/set-up-access-to-a-target-device/pam-gateway-for-ssh.html). The steps below are a sample only; before removing any file or making any modification, test in your "Test" environment so that no Production environment is affected.

1. Clean Up Old SSH Keys (Windows)

Delete or move the existing contents of your Windows .ssh folder.

2. Generate an OpenSSH Key Pair (Windows)

Open a Command Prompt and navigate to your .ssh directory.
Run:

    ssh-keygen

Follow the prompts (enter a filename and specify a passphrase).

3. Confirm Key Generation (Windows)

Ensure new key files (e.g., alice_ed25519 and alice_ed25519.pub) exist in the .ssh folder.

4. Copy Public Key Content

Display the public key contents with:

    type alice_ed25519.pub

Copy the complete string.

5. Upload the Public Key to PAM

Log in to the PAM UI.
Go to your user profile > Extended Identities tab.
Enter the name of your public key file and paste the copied public key value.

6. Save and Generate Trusted User Certificate

Click Save.
In the PAM UI, navigate to Access, click the top-right icon, generate and download your Trusted User Certificate (e.g., alice_ed25519-cert.pub), and save it to your Windows .ssh folder.

7. Connect Using New SSH Keypair and Certificate

In a Command Prompt (in the .ssh directory), connect with the command provided by PAM:

    ssh -i alice_ed25519 alice@33001@[email protected]:[email protected] -p 22222

Enter your passphrase when prompted.

Directory Structure After Setup
Windows Side:
C:\Users\machine01_labs_user\Desktop\.ssh
    alice_ed25519
    alice_ed25519.pub
    alice_ed25519-cert.pub
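As an added check that is not part of this article or of the PAM product, the following Python script verifies that the Trusted User Certificate downloaded in step 6 (alice_ed25519-cert.pub) was actually issued for the public key uploaded in step 5 (alice_ed25519.pub), and reports the key id and principals embedded in it, which should name the PAM user rather than a target account. It parses the OpenSSH certificate wire format (PROTOCOL.certkeys field order); signature verification is left to ssh and PAM. The sample key and certificate are constructed inline so the script runs offline, using the article's alice_ed25519 naming.

```python
import base64
import struct

def ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def read_string(buf: bytes, pos: int):
    """Read one SSH wire 'string' at pos; return (value, next_pos)."""
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def make_cert_line(pk: bytes, key_id: str, principals) -> str:
    """Constructed ssh-ed25519-cert-v01@openssh.com line in PROTOCOL.certkeys field order.
    CA key and signature are dummies: signature validity is ssh/PAM's job, not this check's."""
    blob = ssh_string(b"ssh-ed25519-cert-v01@openssh.com") + ssh_string(b"\x00" * 32)  # nonce
    blob += ssh_string(pk) + struct.pack(">QI", 7, 1)          # serial, type 1 = user cert
    blob += ssh_string(key_id.encode())
    blob += ssh_string(b"".join(ssh_string(p.encode()) for p in principals))  # valid principals
    blob += struct.pack(">QQ", 0, 2**64 - 1)                   # valid after / valid before
    blob += ssh_string(b"") * 3                                # critical options, extensions, reserved
    blob += ssh_string(ssh_string(b"ssh-ed25519") + ssh_string(b"\x11" * 32))  # CA public key
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(blob + ssh_string(b"\x00" * 64)).decode()

def parse_cert(cert_line: str) -> dict:
    """Extract the embedded public key, key id and principals from a *-cert.pub line."""
    buf = base64.b64decode(cert_line.split()[1])
    cert_type, pos = read_string(buf, 0)
    _nonce, pos = read_string(buf, pos)
    pk, pos = read_string(buf, pos)
    key_id, pos = read_string(buf, pos + 12)   # +12 skips serial (uint64) and cert type (uint32)
    plist, pos = read_string(buf, pos)
    principals, p = [], 0
    while p < len(plist):                      # valid principals is a string of strings
        name, p = read_string(plist, p)
        principals.append(name.decode())
    return {"type": cert_type.decode(), "pubkey": pk, "key_id": key_id.decode(), "principals": principals}

def cert_matches_pubkey(pub_line: str, cert_line: str) -> bool:
    """True only if the certificate was issued for the key held in the local .pub file."""
    ptype, pb64 = pub_line.split()[:2]
    blob = base64.b64decode(pb64)
    ktype, pos = read_string(blob, 0)
    pk, _ = read_string(blob, pos)
    cert = parse_cert(cert_line)
    return ktype.decode() == ptype and cert["type"] == ptype + "-cert-v01@openssh.com" and cert["pubkey"] == pk

SAMPLE_PK = bytes(range(32))   # constructed stand-in for alice's raw ed25519 public key, not a real key
SAMPLE_PUB = "ssh-ed25519 " + base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(SAMPLE_PK)).decode() + " alice"
SAMPLE_CERT = make_cert_line(SAMPLE_PK, "alice", ["alice"])   # what alice_ed25519-cert.pub would hold
```

To check real files, read the single line of alice_ed25519.pub and alice_ed25519-cert.pub from the Windows .ssh folder and pass them to cert_matches_pubkey; a False result means the certificate was generated for a different uploaded key.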

8. If you created key pairs on the Unix target device just for the SSH gateway feature, you should clean them up as they are not needed by PAM. We don't want the same key pair to allow direct access to the target device.