Symantec Privileged Access Management


Pam 3.3 and old linux support

  • 1.  Pam 3.3 and old linux support

    Posted Oct 14, 2019 04:13 AM
    Edited by Patrizio Begni Oct 14, 2019 04:23 AM
    Hi, in order to support old Linux distros (SSH sessions), is there any way to re-enable the old ciphers/algorithms removed by the latest version of PAM for all SSH access methods, without creating a single target application for every Linux server?

    For example, re-enable the DH-group-exchange-sha1 or DH-group14-sha1 or DH-group1-sha1; we are not running in FIPS mode.

    thank you


  • 2.  RE: Pam 3.3 and old linux support
    Best Answer

    Broadcom Employee
    Posted Oct 14, 2019 06:57 AM
    Hello Patrizio Begni,

    As per the product documentation....

    Existing SHA-1 Algorithms for UNIX and Cisco Target Connectors: When CA PAM is not operating in FIPS mode, some SHA-1 hash algorithms remain available for use with the UNIX and Cisco target connectors. These SHA-1 algorithms include:
    • Hashes:
      hmac-sha1, hmac-sha1-96
    • Key Exchange methods:
      diffie-hellman-group-exchange-sha1, diffie-hellman-group1-sha1

    You can disable the SHA-1 algorithms on the SSH-2 tab of the UNIX or Cisco target application configuration. For more information, go to Add a Cisco Target Connector or Add a UNIX Target Connector. Read the instructions for the SSH-2 Tabs - Cipher, Hash, Key Exchange, Compression, Server Host Key.
    You can look at the following too...
    SSH-2 Tabs - Cipher, Hash, Key Exchange, Compression, Server Host Key
    Thanks,
    Reatesh.


    ------------------------------
    Principal Support Engineer
    Broadcom
    ------------------------------



  • 3.  RE: Pam 3.3 and old linux support

    Broadcom Employee
    Posted Oct 14, 2019 09:29 AM
    Keep in mind that this is for Credential Management, not for target device access. For access your only option would be to define a TCP/UDP service with protocol Disabled, so that your SSH client will control the ciphers. You will not be able to record these sessions though.


  • 4.  RE: Pam 3.3 and old linux support

    Posted Oct 16, 2019 11:05 AM
    Hi Ralf, I've tried to create a UNIX target application, specifying in the SSH2 tab, under the key exchange tab, "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1", which seems to be supported, but when I try to connect, PAM still gives me the key-exchange error:

    Couldn't agree on kex algorithm (our: 'ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256', peer: 'diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1')

     
    Other than creating a custom service (losing the session recording, the password management, etc...) , is there any way to remove that enforcement in pam 3.3 ? 

    thank you

     



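    The error quoted above is the SSH key-exchange negotiation failing: PAM (the client) offers only SHA-2 methods and the old server offers only SHA-1 methods, so the two lists have no algorithm in common. The following is an added example, not code from the thread or from the PAM product, that parses that error line, applies the RFC 4253 selection rule (first client algorithm the server also lists), and classifies hosts into "ok", "reconfigure-sshd" (the server has a SHA-2 method but not one PAM offers) and "upgrade-required" (the server speaks SHA-1 kex only). The host names and the two extra server offers in `sample_report()` are constructed for illustration.

```python
import re

# The kex mismatch quoted in the thread. PAM is the SSH client here, so
# "our" is PAM's offer and "peer" is the target server's offer.
KEX_ERROR = (
    "Couldn't agree on kex algorithm (our: 'ecdh-sha2-nistp521,ecdh-sha2-nistp384,"
    "ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256', "
    "peer: 'diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,"
    "diffie-hellman-group1-sha1')"
)

_KEX_RE = re.compile(r"our: '([^']*)', peer: '([^']*)'")


def parse_kex_error(line):
    """Split a "Couldn't agree on kex algorithm" line into (our, peer) lists."""
    m = _KEX_RE.search(line)
    if m is None:
        raise ValueError("not a kex negotiation error: %r" % line)
    ours = [a for a in m.group(1).split(",") if a]
    peer = [a for a in m.group(2).split(",") if a]
    return ours, peer


def negotiate(client, server):
    """RFC 4253 section 7.1: the first client algorithm the server also lists wins."""
    offered = set(server)
    for alg in client:
        if alg in offered:
            return alg
    return None


def is_sha1_kex(alg):
    """SSH kex method names carry their hash as a suffix (e.g. ...-sha1)."""
    return alg.endswith("-sha1")


def classify(client, server):
    """Explain why a host does or does not connect and what would fix it."""
    chosen = negotiate(client, server)
    if chosen is not None:
        return {"chosen": chosen, "status": "ok"}
    if all(is_sha1_kex(a) for a in server):
        # The server only speaks SHA-1 kex: nothing to tune on the client side;
        # the SSH daemon on the target has to be upgraded (as the thread says).
        return {"chosen": None, "status": "upgrade-required"}
    # The server has a SHA-2 kex method, just not one the client offers:
    # enabling a common SHA-2 method in the server's sshd_config is enough.
    return {"chosen": None, "status": "reconfigure-sshd"}


def sample_report():
    """Run the classifier over constructed per-host server offers (hypothetical hosts)."""
    ours, legacy_peer = parse_kex_error(KEX_ERROR)
    hosts = {
        "legacy-01": legacy_peer,  # the server from the thread: SHA-1 only
        "modern-01": ["curve25519-sha256", "diffie-hellman-group-exchange-sha256",
                      "diffie-hellman-group14-sha1"],
        "mixed-01": ["diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1"],
    }
    return {host: classify(ours, peer) for host, peer in hosts.items()}


if __name__ == "__main__":
    for host, result in sample_report().items():
        print(host, result)
```

    Fed with the server offers collected from each host (for example from the same error line in the PAM logs), the report separates the machines that only need an sshd setting from those that genuinely need an OS or OpenSSH upgrade, which is the inventory the "hundreds of Linux servers" question later in the thread calls for.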

  • 5.  RE: Pam 3.3 and old linux support

    Broadcom Employee
    Posted Oct 16, 2019 11:47 AM
    Hi Patrizio, like stated in my previous update already, the changes in the target application affect Credential Management, not device access. And I did answer your question already, see above: "For access your only option ..."


  • 6.  RE: Pam 3.3 and old linux support

    Posted Oct 17, 2019 11:27 AM
    Hi, I'm also facing a similar issue: the SSH2 tab does not accept the two kex algorithms that are supported as per techdocs.
    'diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'
    Could this possibly be a bug?
    I understand that the OpenSSH client used by the target server needs an upgrade from v4.3 to at least v5.x at a minimum to make this work. You can try this as an option.

    ------------------------------
    Thanks,
    SK
    ------------------------------



  • 7.  RE: Pam 3.3 and old linux support

    Broadcom Employee
    Posted Oct 17, 2019 11:34 AM
    Hi,

    Please review the following knowledge document that I have published to clarify what we support on this topic:

    https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=138429

    Regards,
    Kevin D.


  • 8.  RE: Pam 3.3 and old linux support

    Posted Oct 17, 2019 11:47 AM
    Edited by Patrizio Begni Oct 17, 2019 11:51 AM
    Thank you Kevin, your and Ralf's answers have clarified everything for me.

    BUT we have hundreds of Linux servers that we can't upgrade to use SHA-2 with SSH; it could be very useful to set an option in the config page to choose whether to enable or disable old ciphers.
    May the developers think about that? I don't think that could be a problem for anyone in the world :)

    Also ... in this sentence, it is not specified that the old algorithms will be available only for password rotation (credential management); it says for connectors, but that is not true ...

    In addition, when CA PAM is not operating in FIPS-mode, some SHA-1 hash algorithms remain available for use with the UNIX and Cisco target connectors. If CA PAM is in FIPS mode, these are not available. These SHA-1 algorithms include:
    • Hashes:
      hmac-sha1, hmac-sha1-96
    • Key Exchange methods:
      diffie-hellman-group-exchange-sha1, diffie-hellman-group1-sha1




  • 9.  RE: Pam 3.3 and old linux support

    Broadcom Employee
    Posted Oct 17, 2019 12:18 PM
    Target connectors are for password management, not for device access. The documentation is correct.


  • 10.  RE: Pam 3.3 and old linux support

    Broadcom Employee
    Posted Oct 17, 2019 12:34 PM

    Hi Patrizio,

    To clarify our documentation that you refer to -> it advises that if you implement a PAM FIPS version we cannot use the SHA-1 with our Cisco/Unix Connectors.  If you are running a Non-Fips version you can.

    To determine if you have FIPS/Non-Fips you can use the following knowledge document as well:

    https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=131310

    Note - our connectors are for Credential (Password) Management and not SSH Access.

    Unfortunately all of the Unix OSes that still or only support SHA-1 SSH access are mostly older Operating Systems that are pretty much in an End-of-Life status.

    Having SHA-1, even in TLS 1.2, SSH access is considered insecure:

    https://www.cvedetails.com/cve/CVE-2005-4900/

    Therefore we removed this in the later versions of PAM.

    Regards,
    Kevin D.




  • 11.  RE: Pam 3.3 and old linux support

    Posted Oct 22, 2020 04:29 AM
    Hi all Broadcom employees!

    https://knowledge.broadcom.com/external/article?articleId=138429&_ga=2.220209944.1884317028.1603100317-1332573426.1580228197
    In that KB article I read:
    As of 3.3.4, PAM has added the ability to customize the SSH cipher suite used to connect. For more information, please refer to the documentation. https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/3-3-4/release-information/New-Features-and-Enhancements-in-3_3_4.html This feature will be added to 3.4.x PAM in the future.
    This is really critical for most of our customers preparing to migrate to 3.4.x.

    Is there a date for this feature to be ported to 3.4.x?

    Thanks
    Paolo