SSH host key under CA PAM cluster environment

Document ID : KB000112741
Last Modified Date : 03/09/2018
Show Technical Document Details
Introduction:
It appears to be related to which system we are connecting through via PAM to get to the end host login using Putty connection.

If we connect via node1 then putty shows the host key as being 53:f6:8c:cd:83:93:43:b0:de:47:bc:05:d0:1f:a8:1f  (this is a sample host key and may differ in your environment) and if we keep connecting via the same CA PAM node and same host then we are not prompted to accept the SSH host keys again.

However, if  we connect via node2, to the same target server from the same host (desktop) then we get the below message indicating that the host key has changed to 37x:78:xa:e9:83:54:7b:4xyz:95:8xx:d1:4e:9a:fc:7b:5yz (this SSH host key can be different in every deployment, this is only a sample used for illustration purpose).

If we keep connecting via this node2, and same host (desktop), we don’t have issues but  in case we connected via the node1 to the target host then we prompted for accepting the SSH host keys again. The host key's can be same or different as well.
Question:
Is this the expected behavior?
Is there any way in which it can be avoided?
Does this present as a security issue?
Environment:
CA PAM 3.x.x
This should be a CA PAM Cluster environment.
Answer:
This is the expected behaviour when connecting to *unix hosts from different CA PAM nodes that are part of the cluster.
This can't be changed, the users are expected to accept the SSH hosts key's while establishing the connection.
This does not pose any security threat to CA PAM application nor has any negative impact on the target devices.
While using a TCP/UDP service to launch an SSH client (PuTTY) to connect to target devices, in this case the client connects to the SSH proxy running on the PAM server, and the proxy connects to the target device. This is how it works. It allows us to do operations like command filtering and session recording.