Symantec Privileged Access Management

  • 1.  PAM Version is 4.1.1.181 and ssh-rsa with RHEL9

    Posted Jan 23, 2023 03:30 AM

    Hi to all,

    I have PAM version 4.1.1.181 and I tried to configure a new target machine with RHEL9.

    When I try to connect with ssh through the PAM SSH proxy, the connection closes before showing the login message. On the server side I receive:

    no matching host key type found. Their offer: ssh-rsa (preauth)

    On PAM, SSH Proxy and SSH Mindterm are using default values.

    It seems that the protocol offered by PAM does not like the server. By the way I know that ssh-rsa signature scheme has been deprecated since OpenSSH 8.8 which was released in 2021.

    As a workaround I created a new service with target port 22 and Application protocol "disabled" to have a "raw tcp tunnel", and in this case it works. But in this way I cannot record sessions and I think that it is a bad non-performant way.

    Have any of you had this problem? How did you solve it?
    Is there any patch for PAM? Can I change the encryption options in "SSH PROXY" to add more? (I honestly think that now there are stronger ones available for the openssh version on pam, so I cannot resolve)

    Thanks in advance
    Marco



  • 2.  RE: PAM Version is 4.1.1.181 and ssh-rsa with RHEL9
    Best Answer

    Broadcom Employee
    Posted Jan 23, 2023 10:52 AM
    Hi Marco, Did you try to customize the SSH Proxy settings on the Configuration > Security > Cryptography > SSH Proxy page? When you uncheck the "Use Default" option and click on the eye icon to the right of the Server Host Key text box, you will find a list of other choices that you can enable.


  • 3.  RE: PAM Version is 4.1.1.181 and ssh-rsa with RHEL9

    Posted Jan 23, 2023 11:05 AM
    Hi,

    I resolved it (thanks to Merce Solomon) by adding the missing Service Host Key in PAM Configuration (SSH Proxy).
    By default there was only ssh-rsa.

    Marco


  • 4.  RE: PAM Version is 4.1.1.181 and ssh-rsa with RHEL9

    Posted Jan 23, 2023 11:07 AM
    So Merce's suggestion is the same as the one you gave me! Anyway, thanks Rafl!


  • 5.  RE: PAM Version is 4.1.1.181 and ssh-rsa with RHEL9

    Broadcom Employee
    Posted Jan 23, 2023 11:09 AM
    Ok, thanks for documenting it here.
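
An added example (not from the thread and not Broadcom code): a Python sketch that finds the host-key negotiation failure quoted in post 1 in sshd log lines and applies the RFC 4253 selection rule, showing why a client that offers only ssh-rsa fails and why enabling more Server Host Key choices resolves it. The log lines, addresses and the RHEL 9 algorithm list are constructed assumptions.

```python
import re

# Matches the sshd negotiation-failure message quoted in post 1.
NEGOTIATION_FAILURE = re.compile(
    r"no matching (?P<kind>[\w ]+?) found\. Their offer: (?P<offer>\S+)"
)
PEER = re.compile(r"Unable to negotiate with (?P<peer>\S+) port (?P<port>\d+)")

# Assumption: host key algorithms a RHEL 9 sshd accepts under its default policy.
SERVER_HOST_KEY_ALGS = ["rsa-sha2-512", "rsa-sha2-256", "ecdsa-sha2-nistp256", "ssh-ed25519"]


def negotiate(client_offer, server_algs):
    """RFC 4253 section 7.1 rule: first name in the client's list the server also supports."""
    for alg in client_offer:
        if alg in server_algs:
            return alg
    return None


def parse_failures(log_lines):
    """Return one dict per host-key negotiation failure found in the log lines."""
    findings = []
    for line in log_lines:
        m = NEGOTIATION_FAILURE.search(line)
        if not m or m.group("kind") != "host key type":
            continue
        offer = m.group("offer").split(",")
        peer = PEER.search(line)
        findings.append({
            "peer": peer.group("peer") if peer else None,
            "offer": offer,
            # True when the peer offers nothing but the SHA-1 based ssh-rsa scheme.
            "sha1_rsa_only": offer == ["ssh-rsa"],
        })
    return findings


# Constructed sample input (documentation addresses), not taken from the thread.
SAMPLE_LOG = [
    "Jan 23 09:12:01 rhel9 sshd[2101]: Unable to negotiate with 192.0.2.10 port 40022: "
    "no matching host key type found. Their offer: ssh-rsa [preauth]",
    "Jan 23 09:12:07 rhel9 sshd[2105]: Accepted publickey for admin from 192.0.2.44 port 51100 ssh2",
    "no matching host key type found. Their offer: ssh-rsa (preauth)",
]
```

Calling `negotiate` with the proxy's list before and after the configuration change shows the failure (`None`) turning into an agreed algorithm.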