Privileged Account Manager 3.2
Privileged Account Manager 22.214.171.124
Privileged Account Manager 3.5
After upgrading to PAM 126.96.36.199 which introduces an upgraded OpenSSH (7.5p1) some ssh clients encounter a problem with connecting to the ssh-relay.
Something like, or similar to this will be seen, when using "ssh -vv ...":
debug1: rekey after 4294967296 blocks
debug2: key: /opt/CBKpwvc/.ssh/id_rsa (0)
debug2: key: /opt/CBKpwvc/.ssh/id_dsa (0)
debug2: key: /opt/CBKpwvc/.ssh/id_ecdsa (0)
debug2: key: /opt/CBKpwvc/.ssh/id_ed25519 (0)
debug3: send packet: type 5
Corrupted MAC on input.
On the ssh-relay server add the following to /opt/netiq/npum/service/local/sshrelay/etc/sshd_config:
This will make the sshd (ssh-relay) server tell the client that it would like to use the hmac-sha2-256 (preferably) and there after hmac-sha2-512, and so on. As the problem mac looks to be the "email@example.com" the client should find a working mac before reaching these.
A quick solution could be to use the following:
# ssh -t -m hmac-sha1 -p 2222 <user>@<ssh-relay server>
This will make connection to the ssh-relay server using the hmac-sha1 MAC.
It is not fully clear why this happens, a search reveals that this is not only seen in combination with PAM, also it is not see with all clients.