Layer7 Privileged Access Management

Tech Tip - CA Privileged Access Manager: Issue with SSH access to Solaris via CA PAM 2.8.2

By wonsa03 posted 05-23-2017 11:38 PM

  

CA Privileged Access Manager Tech Tip by Kelly Wong, Principal Support Engineer for 24th May 2017

 


Comments

05-21-2018 02:11 PM

Then I understood it right. This is not working as designed. Please point that out in your support case and reference this thread.

05-21-2018 01:18 PM

I think it's misunderstood; the connect fails on the scenario at the 1st attempt, and when we click on the SSH icon again, it connects successfully.

05-21-2018 01:09 PM

I thought you said you can connect after the first attempt. Prior to the fix this would never have worked.

05-21-2018 12:54 PM

Thanks Ralf. Just to mention, there is no pop-up screen; the applet just opens and closes by itself and opens up again with a blank black screen and it never connects. 3.2 doesn't have this fix.

05-21-2018 12:50 PM

Hi Bipin, The item you list is the problem that was fixed in 2.8.3. And your connections are working, so the fix is in the new release. The question is why you get a popup first. Please continue to work on this through the support case, not this community post.

05-21-2018 12:41 PM

Hi Ralf,

We already have a ticket open and had triage sessions, but support says it's a known issue with PAM where the SSH session fails to connect on DH key size, but there is no resolution to it.

SSH Connections Fail for Some Server DH Key Sizes (DE274103)

Java currently only supports Diffie Hellman (DH) Key Agreement for key sizes that are multiples of 64 and in the range from 512 to 2048 (inclusive). If a server generates a DH key size that does not meet these criteria, Java throws an exception and the SSH connection fails.
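The key-size rule quoted above, applied to a DH prime carried as an SSH mpint (RFC 4251), shows why a 2047-bit value is rejected while a 2048-bit one passes. This is an added example, not code from the thread or from CA PAM; the function names and sample values are constructed here, and it assumes the prime reaches the client in mpint form.

```python
import struct

# Rule quoted in DE274103 above: multiples of 64 in the range 512..2048 (inclusive).
MIN_BITS, MAX_BITS, STEP = 512, 2048, 64


def encode_mpint(value):
    """Encode a non-negative integer as an SSH mpint (RFC 4251, section 5)."""
    if value < 0:
        raise ValueError("DH primes are positive")
    # One extra byte whenever the top bit would be set, so the sign stays positive.
    body = value.to_bytes(value.bit_length() // 8 + 1, "big") if value else b""
    return struct.pack(">I", len(body)) + body


def decode_mpint(blob):
    """Decode an SSH mpint and reject truncated or negative encodings."""
    if len(blob) < 4:
        raise ValueError("truncated mpint length")
    (length,) = struct.unpack(">I", blob[:4])
    body = blob[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated mpint body")
    if body and body[0] & 0x80:
        raise ValueError("negative mpint cannot be a DH prime")
    return int.from_bytes(body, "big")


def java_dh_verdict(p):
    """Return (bit length, accepted?, reason) under the quoted Java rule."""
    bits = p.bit_length()
    if not MIN_BITS <= bits <= MAX_BITS:
        return bits, False, "outside 512..2048"
    if bits % STEP:
        return bits, False, "not a multiple of 64"
    return bits, True, "accepted"


def audit(bit_lengths):
    """Check constructed stand-ins: top and bottom bit set, NOT real primes."""
    results = {}
    for bits in bit_lengths:
        wire = encode_mpint((1 << (bits - 1)) | 1)  # constructed sample value
        results[bits] = java_dh_verdict(decode_mpint(wire))
    return results


if __name__ == "__main__":
    for bits, verdict in audit([1024, 2047, 2048, 4096]).items():
        print(bits, verdict)
```

The rule only looks at the bit length of the prime, which is why a value one bit short of 2048 fails the multiple-of-64 test even though it lies inside the allowed range.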

05-21-2018 12:21 PM

Hi Bipin, I don't want to get into server side debugging here. Please open a support case where we can work with you on the details. Once done we can update this post with results.

05-21-2018 10:59 AM

This problem is only with the built-in SSH applet. If I'm using an external PuTTY device via TCP services then I never get this issue. And yes, it works in subsequent attempts. I see the failure only in the 1st attempt and the logs say unusual key size of 2047. How to debug this at the server side? Can't we enable the same KEX methods in PAM to support the target server configuration?

05-21-2018 10:38 AM

Hi Bipin, There is no configuration option in PAM for this, if you are talking about the SSH applet failing. Why do you say "at 1st attempt"? Does that imply that it works on subsequent attempts? The problem back then had to do with the unusual key size used on Solaris servers, e.g. 2047 instead of the expected 2048. There was a fix in 2.8.3 to accommodate this. It should still be in place in 3.2. When the connection failed an alert popped up pointing to the key size. What error are you getting now? And do you have the same problem when you define a TCP service in PAM and use an external SSH client such as PuTTY to connect to the device through PAM rather than the built-in SSH applet?

05-21-2018 10:13 AM

We're also facing this issue with PAM version 3.2. Solaris 10 servers are failing to connect at the 1st attempt.

What is the resolution for this? Can we change anything on the PAM side to get it to work?

10-04-2017 10:47 AM

We are using the new thread to exchange information on the Linux target problem. This post here is specifically for Solaris devices.

10-04-2017 09:17 AM

I've posted a similar issue:

SSH access via CAPAM_2.8.3.02 

 

Is there any fix for Linux targets?

06-15-2017 09:50 AM

There are discussions about revising the solution so that the alert prompt shown above doesn't come up every time an end user connects to an affected target device. The alert is of interest to administrators, but may be confusing to end users.

05-24-2017 10:47 AM