SSH fails with mismatched ciphers

Document ID : KB000076636
Last Modified Date : 09/04/2018
Introduction:
The customer upgraded PAM from an older version (2.6.4) to 2.8.3 and found they can no longer SSH to their Linux machines.
The error being reported is mismatched ciphers.
From the user's point of view, the SSH session launches but then appears to do nothing, and no specific error is shown.
 
Question:
PAM SSH (Mindterm or PuTTY Service) shows different behavior after upgrading PAM.
Mindterm fails to connect to the target Linux server while the PuTTY Service can.
How can I change the ciphers on the PAM side to match the target Linux server instead of changing the ciphers at the target server?
 
Environment:
PAM upgraded from 2.6.4 to 2.8.3
Target device is CentOS 5.x and 7.x
sshd_config on the target device allows AES256-CTR; other ciphers have been disabled for security reasons.
 
Answer:
You will have to upgrade the PAM server to 2.8.4.1, as this version works for both Mindterm and SSH.
The target device enforces a strictly limited set of ciphers, so the client (PAM) has to offer a matching set of ciphers during the handshake or it will fail to establish a secure connection.
This cipher list is hardcoded, so you will have to upgrade to a newer version of PAM to fix this problem.
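
The cipher match described above can be reproduced offline. The following is an added example, not code from PAM or from this document's author: it parses the cipher name-lists from an SSH_MSG_KEXINIT payload and applies the RFC 4253 selection rule. The server payload and both client cipher lists are constructed sample data; the page does not publish PAM's hardcoded list, so the client lists are hypothetical.

```python
import struct

# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def build_kexinit(lists):
    """Encode a KEXINIT payload from {field: [names]} (used to make sample data)."""
    out = b"\x14" + bytes(16)               # message type 20 + 16-byte cookie (zeroed)
    for f in FIELDS:
        body = ",".join(lists.get(f, [])).encode("ascii")
        out += struct.pack(">I", len(body)) + body
    return out + b"\x00" + b"\x00" * 4      # first_kex_packet_follows + reserved

def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [names]}."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, result = 17, {}
    for f in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + n].decode("ascii")
        result[f] = raw.split(",") if raw else []
        pos += n
    return result

def negotiate(client_names, server_names):
    """RFC 4253 rule: first name on the client's list that the server also lists."""
    return next((n for n in client_names if n in server_names), None)

# Constructed sample data: a server restricted to aes256-ctr, as in the Environment
# section, and two hypothetical client lists (the page does not publish PAM's list).
SERVER = build_kexinit({"enc_c2s": ["aes256-ctr"], "enc_s2c": ["aes256-ctr"]})
CLIENT_WITHOUT_CTR = ["aes128-cbc", "3des-cbc", "blowfish-cbc"]
CLIENT_WITH_CTR = ["aes128-ctr", "aes256-ctr", "aes128-cbc"]

if __name__ == "__main__":
    offered = parse_kexinit(SERVER)["enc_c2s"]
    for label, names in [("without CTR", CLIENT_WITHOUT_CTR), ("with CTR", CLIENT_WITH_CTR)]:
        print(label, "->", negotiate(names, offered) or "no common cipher, handshake fails")
```

When no name is common to both lists, RFC 4253 requires both sides to disconnect, which is the failure this article describes.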