Hi, I'm also facing a similar issue: the SSH2 tab does not accept the 2 kex algorithms that are supported as per the techdocs.
'diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'
Could this possibly be a bug?
I understand that the OpenSSH client used by the target server needs an upgrade from v4.3 to at least v5.x at a minimum to make this work. You can try this as an option.
------------------------------
Thanks,
SK
------------------------------
Original Message:
Sent: 10-16-2019 11:47 AM
From: Ralf Prigl
Subject: Pam 3.3 and old linux support
Hi Patricio, as stated in my previous update already, the changes in the target application affect Credential Management, not device access. And I did answer your question already, see above: "For access your only option ..."
Original Message:
Sent: 10-16-2019 11:05 AM
From: Patrizio Begni
Subject: Pam 3.3 and old linux support
Hi Ralf, I've tried to create a UNIX target application, specifying in the SSH2 tab, under the key exchange tab, "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1", which seems to be supported, but when I'm trying to connect, PAM still gives me the key-ex error:
Couldn't agree on kex algorithm (our: 'ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256', peer: 'diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1')
Other than creating a custom service (losing the session recording, the password management, etc.), is there any way to remove that enforcement in PAM 3.3?
thank you
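An added diagnostic helper, not from this thread or from CA PAM, that parses the "Couldn't agree on kex algorithm" line quoted above and explains why the two sides could not agree; it assumes "our" is the client-side (PAM) list and "peer" is the target's SSH server, and the sample line is constructed from the post.

```python
import re

# Constructed sample: the negotiation failure quoted in the post above.
SAMPLE_ERROR = (
    "Couldn't agree on kex algorithm (our: 'ecdh-sha2-nistp521,ecdh-sha2-nistp384,"
    "ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256', peer: "
    "'diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,"
    "diffie-hellman-group1-sha1')"
)

# Matches the two quoted, comma-separated name-lists in the error text.
KEX_ERROR_RE = re.compile(r"our:\s*'([^']*)',\s*peer:\s*'([^']*)'")


def parse_kex_error(line):
    """Return (our_list, peer_list) from a 'Couldn't agree on kex' line, or None."""
    m = KEX_ERROR_RE.search(line)
    if m is None:
        return None
    ours = [a for a in m.group(1).split(",") if a]
    peer = [a for a in m.group(2).split(",") if a]
    return ours, peer


def diagnose(line):
    """Explain a kex failure: what would have been chosen, and why nothing was.

    Assumes 'our' is the client side (PAM connecting out) and 'peer' is the
    SSH server; RFC 4253 section 7.1 selects the first client-preferred kex
    method that the server also lists.
    """
    parsed = parse_kex_error(line)
    if parsed is None:
        return None
    ours, peer = parsed
    peer_set = set(peer)
    common = [a for a in ours if a in peer_set]
    return {
        "ours": ours,
        "peer": peer,
        "negotiated": common[0] if common else None,
        # True when the server offers nothing but SHA-1 based kex methods,
        # i.e. the server side needs upgrading rather than the client loosening.
        "peer_sha1_only": bool(peer) and all(a.endswith("-sha1") for a in peer),
        "peer_modern": [a for a in peer if not a.endswith("-sha1")],
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_ERROR)
    print("negotiated:", result["negotiated"])
    print("server offers only SHA-1 kex:", result["peer_sha1_only"])
```

For the quoted error the result is no common method and a server that offers only SHA-1 key exchange, which matches the advice in the thread to upgrade the target's SSH daemon rather than relax PAM.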
Original Message:
Sent: 10-14-2019 09:29 AM
From: Ralf Prigl
Subject: Pam 3.3 and old linux support
Keep in mind that this is for Credential Management, not for target device access. For access your only option would be to define a TCP/UDP service with protocol Disabled, so that your SSH client will control the ciphers. You will not be able to record these sessions though.
Original Message:
Sent: 10-14-2019 06:57 AM
From: Reatesh Sanghi
Subject: Pam 3.3 and old linux support
Hello Patrizio Begni,
As per the product documentation....
Existing SHA-1 Algorithms for UNIX and Cisco Target Connectors
When CA PAM is not operating in FIPS-mode, some SHA-1 hash algorithms remain available for use with the UNIX and Cisco target connectors. These SHA-1 algorithms include:
Hashes:
hmac-sha1, hmac-sha1-96
Key Exchange methods:
diffie-hellman-group-exchange-sha1, diffie-hellman-group1-sha1
You can disable the SHA-1 algorithms on the SSH-2 tab of the UNIX or Cisco target application configuration. For more information, go to Add a Cisco Target Connector or Add a UNIX Target Connector. Read the instructions for the SSH-2 Tabs - Cipher, Hash, Key Exchange, Compression, Server Host Key.
You can look at the following too...
------------------------------
Principal Support Engineer
Broadcom
Original Message:
Sent: 10-14-2019 04:13 AM
From: Patrizio Begni
Subject: Pam 3.3 and old linux support
Hi, in order to support old Linux distros (SSH sessions), is there any way to re-enable the old ciphers/algorithms removed by the latest version of PAM for all SSH access methods, without creating a single target application for every Linux server?
For example, re-enable DH-group-exchange-sha1 or DH-group14-sha1 or DH-group1-sha1; we are not running in FIPS mode.
thank you