Symantec Privileged Access Management

  • 1.  Problem with SSH connection using local client

    Posted Dec 06, 2018 11:10 AM

    Hello all

     

    We have a problem with a local SSH client (specifically MobaXterm).

    We have a long delay (about 20 seconds) in the connection. Using a -vvv switch with the MobaXterm command line, we see that it stops at the following part of the SSH handshake:

     

     

    debug2: kex_parse_kexinit: none,zlib@openssh.com

    debug2: kex_parse_kexinit: none,zlib@openssh.com

    debug2: kex_parse_kexinit:

    debug2: kex_parse_kexinit:

    debug2: first_kex_follows 0

    debug2: reserved 0

    debug1: kex: server->client aes128-ctr hmac-sha1 zlib@openssh.com

    debug1: kex: client->server aes128-ctr hmac-sha1 zlib@openssh.com

    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

    debug1: Server host key: ssh-rsa SHA256:XXXXXXXX

    debug1: Forcing accepting of host key for loopback/localhost.

    debug2: set_newkeys: mode 1

    debug1: SSH2_MSG_NEWKEYS sent

    debug1: expecting SSH2_MSG_NEWKEYS

    debug2: set_newkeys: mode 0

    debug1: SSH2_MSG_NEWKEYS received

    debug1: SSH2_MSG_SERVICE_REQUEST sent

    After 20 seconds it goes on with the rest of the SSH handshake.

     

     

    debug2: service_accept: ssh-userauth

    debug1: SSH2_MSG_SERVICE_ACCEPT received

    debug2: key: /home/mobaxterm/.ssh/id_rsa (0x0),

    debug2: key: /home/mobaxterm/.ssh/id_dsa (0x0),

    debug2: key: /home/mobaxterm/.ssh/id_ecdsa (0x0),

    debug2: key: /home/mobaxterm/.ssh/id_ed25519 (0x0),

    debug1: Enabling compression at level 6.

    debug1: Authentication succeeded (none).

    Authenticated to 127.0.0.1 ([127.0.0.1]:49700).

    debug1: channel 0: new [client-session]

    debug3: ssh_session2_open: channel_new: 0

    debug2: channel 0: send open

    debug1: Entering interactive session.

    debug2: callback start

    debug2: x11_get_proto: /bin/xauth  list 127.0.0.1:0.0 2>/dev/null

    debug1: Requesting X11 forwarding with authentication spoofing.

    debug2: channel 0: request x11-req confirm 1

    debug2: fd 3 setting TCP_NODELAY

    debug3: ssh_packet_set_tos: set IP_TOS 0x10

    debug2: client_session2_setup: id 0

    debug2: channel 0: request pty-req confirm 1

    debug2: channel 0: request shell confirm 1

    debug2: callback done

    debug2: channel 0: open confirm rwindow 0 rmax 32768

    debug2: channel_input_status_confirm: type 99 id 0

    debug2: X11 forwarding request accepted on channel 0

    debug2: channel_input_status_confirm: type 99 id 0

    debug2: PTY allocation request accepted on channel 0

    debug2: channel 0: rcvd adjust 2097152

    debug2: channel_input_status_confirm: type 99 id 0

    debug2: shell request accepted on channel 0

     

     

    When the MobaXterm isn't already running (and it looks like there's an additional delay to launch the MobaXterm) it stops at

     

    debug1: SSH2_MSG_NEWKEYS received

    debug1: SSH2_MSG_SERVICE_REQUEST sent

    and after a couple of minutes MobaXterm closes and we get an error from PAM:

    "PAM-CMN-1063: Proxy was not launched because the user failed to correctly respond to the pop up in time."

     

    When we use the Mindterm applet there's a delay, but a lower one (say 4-5 seconds), and the connection is correctly established.

     

    What may be the cause of this strange behaviour?

    Is there any difference between a connection originated in the applet and one originated using the local client?

     

    Thanks

     

    Paolo



  • 2.  Re: Problem with SSH connection using local client

    Posted Dec 06, 2018 11:34 AM

    Update: on server side we see the following:

     

    Dec  6 17:19:19 XXXX sshd[13193]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=Z.Z.Z.Z user=YYYY

    Dec  6 17:19:19 XXXX sshd[13193]: pam_sss(sshd:auth): User info message: Your password will expire in 5 day(s).

    Dec  6 17:19:19 XXXX sshd[13193]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=Z.Z.Z.Z user=YYYY

    Dec  6 17:19:19 XXXX sshd[13193]: Accepted password for YYYY from Z.Z.Z.Z port 52584 ssh2

    Dec  6 17:19:20 XXXX sshd[13193]: pam_unix(sshd:session): session opened for user YYYY by (uid=0)

    Dec  6 17:19:25 XXXX sshd[13193]: pam_unix(sshd:session): session closed for user YYYY

    Any idea?

     

    Thanks

     

    Paolo
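
Added example (not part of the original posts, and not a Symantec PAM tool): a small Python parser that groups the sshd lines from the server-side log above by PID and reports each PAM module's auth result and how long the session stayed open. The year 2018 is an assumption taken from the post date, since syslog timestamps omit it.

```python
import re
from datetime import datetime

# Server-side lines copied from the post above; XXXX, YYYY and Z.Z.Z.Z are
# the poster's own redactions.
SAMPLE = """\
Dec  6 17:19:19 XXXX sshd[13193]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=Z.Z.Z.Z user=YYYY
Dec  6 17:19:19 XXXX sshd[13193]: pam_sss(sshd:auth): User info message: Your password will expire in 5 day(s).
Dec  6 17:19:19 XXXX sshd[13193]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=Z.Z.Z.Z user=YYYY
Dec  6 17:19:19 XXXX sshd[13193]: Accepted password for YYYY from Z.Z.Z.Z port 52584 ssh2
Dec  6 17:19:20 XXXX sshd[13193]: pam_unix(sshd:session): session opened for user YYYY by (uid=0)
Dec  6 17:19:25 XXXX sshd[13193]: pam_unix(sshd:session): session closed for user YYYY
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: (.*)$")
PAM_AUTH = re.compile(r"^(pam_\w+)\(sshd:auth\): authentication (failure|success)")


def summarize(text, year=2018):
    """Group sshd syslog lines by PID; syslog omits the year, so it is assumed."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an sshd line
        stamp = " ".join(m.group(1).split())  # collapse the "Dec  6" padding
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        s = sessions.setdefault(m.group(2), {"auth": [], "accepted": None,
                                             "opened": None, "closed": None})
        msg = m.group(3)
        pam = PAM_AUTH.match(msg)
        if pam:
            s["auth"].append((pam.group(1), pam.group(2)))  # per-module result
        elif msg.startswith("Accepted "):
            s["accepted"] = ts
        elif "session opened" in msg:
            s["opened"] = ts
        elif "session closed" in msg:
            s["closed"] = ts
    for s in sessions.values():
        done = s["opened"] and s["closed"]
        s["seconds_open"] = (s["closed"] - s["opened"]).total_seconds() if done else None
    return sessions


if __name__ == "__main__":
    for pid, s in summarize(SAMPLE).items():
        print(pid, s["auth"], s["accepted"], s["seconds_open"])
```

On the posted lines this reports pam_unix failing and pam_sss succeeding within the same second, and a session that stayed open for 5 seconds.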



  • 3.  Re: Problem with SSH connection using local client

    Posted Dec 06, 2018 11:39 AM

    The server side log is related to the session where the MobaXterm fails to connect.



  • 4.  Re: Problem with SSH connection using local client
    Best Answer

    Broadcom Employee
    Posted Dec 07, 2018 03:16 AM

    Hello Paolo,

     

    I suggest double-checking the behavior using PuTTY, which is more commonly used.

     

    If needed, please do not hesitate to open a formal Support case with us.