Then I understood it right. This is not working as designed. Please point that out in your support case and reference this thread.
I think it's misunderstood: the connect fails in the scenario at the 1st attempt, and when we click on the SSH icon again, it connects successfully.
I thought you said you can connect after the first attempt. Prior to the fix this would never have worked.
Thanks Ralf. Just to mention, there is no pop-up screen; the applet just opens and closes by itself and opens up again with a blank black screen, and it never connects. 3.2 doesn't have this fix.
Hi Bipin, The item you list is the problem that was fixed in 2.8.3. And your connections are working, so the fix is in the new release. The question is why you get a popup first. Please continue to work on this through the support case, not this community post.
We already have a ticket open and had triage sessions, but support says it's a known issue with PAM where the SSH session fails to connect on DH key size, but there is no resolution to it.
Java currently only supports Diffie Hellman (DH) Key Agreement for key sizes that are multiples of 64 and in the range from 512 to 2048 (inclusive). If a server generates a DH key size that does not meet these criteria, Java throws an exception and the SSH connection fails.
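An added example, not part of the thread and not CA PAM code: a Python check that decodes an SSH group-exchange group message (RFC 4419) and tests the modulus bit length against the Java limits quoted above. It assumes the reported "key size" is the bit length of the prime p offered by the server; the function names are hypothetical and the sample moduli are constructed values, not real primes.

```python
import struct

SSH_MSG_KEX_DH_GEX_GROUP = 31  # message number from RFC 4419


def read_mpint(buf, off):
    """Decode one SSH mpint (RFC 4251): uint32 length, then big-endian bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated mpint length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated mpint body")
    return int.from_bytes(buf[off:off + n], "big", signed=True), off + n


def java_dh_size_ok(bits):
    """Limits quoted in the thread: multiple of 64, from 512 to 2048 inclusive."""
    return 512 <= bits <= 2048 and bits % 64 == 0


def check_gex_group(payload):
    """Return (modulus bit length, accepted under the quoted Java limits)."""
    if not payload or payload[0] != SSH_MSG_KEX_DH_GEX_GROUP:
        raise ValueError("not a KEX_DH_GEX_GROUP payload")
    p, off = read_mpint(payload, 1)
    read_mpint(payload, off)  # generator g; decoded only to validate framing
    if p <= 0:
        raise ValueError("modulus must be positive")
    bits = p.bit_length()
    return bits, java_dh_size_ok(bits)


def encode_mpint(n):
    """Encode a positive integer as an mpint (used only to build samples)."""
    body = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(body)) + body


def sample_group(bits):
    """Constructed payload: p has the requested bit length but is NOT a real prime."""
    p = (1 << (bits - 1)) | 1
    return bytes([SSH_MSG_KEX_DH_GEX_GROUP]) + encode_mpint(p) + encode_mpint(2)


if __name__ == "__main__":
    for size in (2047, 2048):
        print(size, check_gex_group(sample_group(size)))
```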
Hi Bipin, I don't want to get into server side debugging here. Please open a support case where we can work with you on the details. Once done we can update this post with results.
This problem is only with the built-in SSH applet. If I'm using an external PuTTY device via TCP services then I never get this issue. And yes, it works in subsequent attempts. I see the failure only in the 1st attempt, and the logs say unusual key size of 2047. How to debug this at the server side? Can't we enable the same KEX methods in PAM to support the target server configuration?
Hi Bipin, There is no configuration option in PAM for this, if you are talking about the SSH applet failing. Why do you say "at 1st attempt"? Does that imply that it works on subsequent attempts? The problem back then had to do with the unusual key size used on Solaris servers, e.g. 2047 instead of the expected 2048. There was a fix in 2.8.3 to accommodate this. It should still be in place in 3.2. When the connection failed an alert popped up pointing to the key size. What error are you getting now? And do you have the same problem when you define a TCP service in PAM and use an external SSH client such as PuTTY to connect to the device through PAM rather than the built-in SSH applet?
We're also facing this issue with PAM 3.2 version. Solaris 10 servers are failing to connect at the 1st attempt.
What is the resolution for this? Can we change anything on the PAM side to get it to work?
We are using the new thread to exchange information on the Linux target problem. This post here is specifically for Solaris devices.
I've posted a similar issue:
SSH access via CAPAM_2.8.3.02
Is there any fix for Linux targets?
There are discussions about revising the solution so that the alert prompt shown above doesn't come up every time an end user connects to an affected target device. The alert is of interest to administrators, but may be confusing to end users.
Thank you for sharing this tip with the community, Kelly!
Tech Tip - CA Privileged Access Manager: Issue with SSH access to Solaris via CA PAM 2.8.2