Issue with SSH access to Solaris via CA PAM 2.8.2

Document ID : KB000007014
Last Modified Date : 30/10/2018

SSH access to Solaris via CA PAM 2.8.2 stops prior to the user login:

Initially reported for PAM 2.8.2. More recently observed with PAM 3.X as well.

This is a known issue with PAM 2.8.2 when connecting to older Solaris operating systems running SunSSH:

SSH Connections Fail for Some Server DH Key Sizes (DE274103) 

Java currently only supports Diffie Hellman (DH) Key Agreement for key sizes that are multiples of 64 and in the range from 512 to 2048 (inclusive). As a result, if a server generates a DH key size that does not meet these criteria, Java throws an exception and the SSH connection fails. 
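To check whether a target server falls under this limitation, the following added example (not CA's code) reads the group offered in a captured SSH_MSG_KEX_DH_GEX_GROUP payload (RFC 4419) and applies the size rule quoted above. It assumes the connection uses DH group exchange and that the relevant "key size" is the bit length of the prime p; the function names and sample payloads are constructed for illustration.

```python
import struct

SSH_MSG_KEX_DH_GEX_GROUP = 31  # RFC 4419 message number


def read_mpint(buf, offset):
    """Decode an SSH mpint (RFC 4251): uint32 length, then big-endian two's complement."""
    if offset + 4 > len(buf):
        raise ValueError("truncated mpint length")
    (length,) = struct.unpack_from(">I", buf, offset)
    start, end = offset + 4, offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated mpint body")
    return int.from_bytes(buf[start:end], "big", signed=True), end


def dh_group_prime_bits(payload):
    """Return the bit length of p from an SSH_MSG_KEX_DH_GEX_GROUP payload."""
    if not payload or payload[0] != SSH_MSG_KEX_DH_GEX_GROUP:
        raise ValueError("not a KEX_DH_GEX_GROUP message")
    p, offset = read_mpint(payload, 1)
    g, _ = read_mpint(payload, offset)
    if p <= 0 or g <= 0:
        raise ValueError("p and g must be positive")
    return p.bit_length()


def java_accepts(bits):
    """Size rule quoted in this article: multiple of 64, 512..2048 inclusive."""
    return bits % 64 == 0 and 512 <= bits <= 2048


def make_group_payload(p, g=2):
    """Build a constructed test payload with minimally encoded positive mpints."""
    def mpint(n):
        raw = n.to_bytes(n.bit_length() // 8 + 1, "big")
        return struct.pack(">I", len(raw)) + raw
    return bytes([SSH_MSG_KEX_DH_GEX_GROUP]) + mpint(p) + mpint(g)


if __name__ == "__main__":
    # Constructed values with the right bit length; they are not real DH primes.
    for bits in (1024, 1023, 2048, 4096):
        payload = make_group_payload((1 << (bits - 1)) | 1)
        size = dh_group_prime_bits(payload)
        print(size, "accepted" if java_accepts(size) else "rejected by Java size rule")
```

The key exchange messages are sent before encryption starts, so the payload can be taken from a packet capture of the failing connection.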


The access issue caused by the previous fix will be addressed in the CA PAM 2.8.3 release.

When SSH access fails because of the DH key size, PAM will retry with a shorter key size.

In newer PAM releases this problem may still be observed, e.g. when a shorter key length is not available or not accepted. It is typically resolved by updating the SSH server on the target device, e.g. to a recent OpenSSL version.