We recently upgraded to PAM 3.3.x and 3.4.x, and when connecting to Unix/Linux target devices in PAM we are getting the following error:
This used to work in our previous release.
Release: 3.3.x, 4.x
Component: PRIVILEGED ACCESS MANAGEMENT
In PAM 3.3.x we document the following prerequisites:
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-0-1/Upgrading-to-4-0-1/Upgrade-Prerequisites-for-4-0-1.html
Review Strong Cryptography on Cisco and UNIX Target Connectors and the SSH Access Method
Release 3.3 supports the latest recommended strong cryptography for secure SSH communications in the SSH Access Method, and in Cisco and UNIX target connectors. These target servers must support at least one of the security algorithms from each of the three categories that are listed here: Upgrade Prerequisites for 3.3.
If you are using Cisco or UNIX target connectors, or the SSH Access Method, upgrade the ciphers, kex, and hmacs information on the UNIX server and Cisco Router before you upgrade to 3.3. For more information on upgrading ciphers, see your Unix server and Cisco Router documentation.
The error you are receiving occurs because the target device does not have or support any cipher that PAM supports.
In PAM 3.3.x and higher we updated our SSH Applet and removed SHA-1 support for SSH Access.
However not all functionality for SHA-1 was removed.
If you are running PAM 3.3.x in Non-FIPS mode, you can still use SHA-1 in conjunction with our Unix/Cisco Connectors.
These connectors are used for Password Management.
To put a little more perspective around this:
In PAM (Non-FIPS), we still have the following workarounds:
WARNING: If you choose "Application Protocol: Disabled", a "View Credential" button appears that allows users to view the username and password in clear text.
Finally, to determine which ciphers are implemented on your Unix/Linux system, use the following nmap command:
nmap -p 22 --script ssh2-enum-algos <ip address>
This command lists all security algorithms that the target system supports. The target server must support at least one of the security algorithms from each of the three categories listed here:
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-0/Upgrade-Prerequisites-for-3-4-3.html#concept.dita_e77c4804540e0635d652cc01a7e2e5ad07f3acef_ReviewStrongCryptographyonCiscoandUNIXTargetConnectorsandtheSSHAccessMethod
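The following is an added example, not code from the article or from Broadcom: it parses the per-category algorithm lists printed by the nmap ssh2-enum-algos script above and checks whether the target offers at least one algorithm PAM accepts in each of the three categories (kex, ciphers, MACs). The PAM-side algorithm sets are hypothetical placeholders; the real lists come from the Upgrade Prerequisites page linked above. Both nmap outputs are constructed samples, one for a server that still offers modern algorithms alongside SHA-1 ones and one for a legacy server that offers only SHA-1/CBC algorithms.

```python
import re
from typing import Dict, List, Set

# Assumed (hypothetical) sets of algorithms the upgraded PAM side accepts, one
# per SSH negotiation category. Replace with the lists from the Broadcom
# "Upgrade Prerequisites" page; these are placeholders for illustration only.
ASSUMED_PAM_ALGOS: Dict[str, Set[str]] = {
    "kex_algorithms": {"curve25519-sha256", "curve25519-sha256@libssh.org",
                       "diffie-hellman-group14-sha256",
                       "diffie-hellman-group16-sha512", "ecdh-sha2-nistp256"},
    "encryption_algorithms": {"aes128-ctr", "aes192-ctr", "aes256-ctr",
                              "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"},
    "mac_algorithms": {"hmac-sha2-256", "hmac-sha2-512",
                       "hmac-sha2-256-etm@openssh.com",
                       "hmac-sha2-512-etm@openssh.com"},
}

# Constructed nmap output: server offers SHA-1/CBC options but also modern ones.
# 192.0.2.x addresses are reserved for documentation.
SAMPLE_MODERN = """\
Nmap scan report for 192.0.2.10
PORT   STATE SERVICE
22/tcp open  ssh
| ssh2-enum-algos:
|   kex_algorithms: (3)
|       curve25519-sha256
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (2)
|       rsa-sha2-512
|       ssh-ed25519
|   encryption_algorithms: (3)
|       aes256-gcm@openssh.com
|       aes128-ctr
|       aes128-cbc
|   mac_algorithms: (2)
|       hmac-sha2-256
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
"""

# Constructed output for a legacy server: only SHA-1 key exchange, CBC ciphers
# and SHA-1/MD5 MACs, so nothing overlaps the assumed PAM sets.
SAMPLE_LEGACY = """\
Nmap scan report for 192.0.2.20
PORT   STATE SERVICE
22/tcp open  ssh
| ssh2-enum-algos:
|   kex_algorithms: (2)
|       diffie-hellman-group1-sha1
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (1)
|       ssh-rsa
|   encryption_algorithms: (2)
|       aes128-cbc
|       3des-cbc
|   mac_algorithms: (2)
|       hmac-sha1
|       hmac-md5
|   compression_algorithms: (1)
|_      none
"""

# "|   kex_algorithms: (3)" opens a category; "|       curve25519-sha256" is an
# entry. nmap prefixes the last line of a script's output with "|_" not "|".
CATEGORY_RE = re.compile(r"^\|_?\s+(\w+):\s+\((\d+)\)\s*$")
ENTRY_RE = re.compile(r"^\|_?\s+(\S+)\s*$")


def parse_ssh2_enum_algos(text: str) -> Dict[str, List[str]]:
    """Return {category: [algorithms in server preference order]} from the
    ssh2-enum-algos section of nmap's normal output."""
    algos: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        head = CATEGORY_RE.match(line)
        if head:
            current = head.group(1)
            algos[current] = []
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:
            algos[current].append(entry.group(1))
    return algos


def shared_algorithms(server: Dict[str, List[str]],
                      required: Dict[str, Set[str]] = ASSUMED_PAM_ALGOS) -> Dict[str, List[str]]:
    """Per category, the algorithms the server offers that PAM also accepts.
    An empty list in any category means the handshake cannot be negotiated."""
    return {cat: sorted(set(server.get(cat, [])) & accepted)
            for cat, accepted in required.items()}


def missing_categories(server: Dict[str, List[str]],
                       required: Dict[str, Set[str]] = ASSUMED_PAM_ALGOS) -> List[str]:
    """Categories with no common algorithm: the server must be reconfigured to
    offer an accepted algorithm in each of these before PAM can connect."""
    return sorted(cat for cat, shared in shared_algorithms(server, required).items()
                  if not shared)


def is_compatible(server: Dict[str, List[str]],
                  required: Dict[str, Set[str]] = ASSUMED_PAM_ALGOS) -> bool:
    return not missing_categories(server, required)


if __name__ == "__main__":
    for name, sample in (("modern", SAMPLE_MODERN), ("legacy", SAMPLE_LEGACY)):
        offered = parse_ssh2_enum_algos(sample)
        print(name, "compatible" if is_compatible(offered) else "INCOMPATIBLE",
              "missing:", missing_categories(offered))
```

Feed the script the saved output of the nmap command above (for example via a file) in place of the constructed samples. Any category reported as missing is what the prerequisites text refers to: on an OpenSSH target the server-side lists are set with the Ciphers, KexAlgorithms and MACs directives in sshd_config; as of 3.3.4 the PAM-side cipher suite can be adjusted instead, as described below.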
As of 3.3.4, PAM has added the ability to customize the SSH cipher suite used to connect. For more information, please refer to the documentation:
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-0/Upgrade-Prerequisites-for-3-4-3.html
This feature was also added to PAM 3.4.2:
https://knowledge.broadcom.com/external/article?articleId=204196