SSH Decryption Supported Key exchange algorithms (KEX) and Host Key Algorithms when seeing 'decrypt-unsupport-param' as the session end reason
Symptom
SSH connections are not successful when enabling decryption for SSH sites (SSH Proxy). Where the Session end-reason is 'decrypt-unsupport-param'
Example of SSH session end-reason of 'decrypt-unsupport-param'
> show session id 512455
Session 512455
c2s flow:
source: 10.10.10.78 [TRUST]
dst: 52.224.xx.xx
proto: 6
sport: 62222 dport: 22
state: INIT type: FLOW
src user: paloalto\test
dst user: unknown
s2c flow:
source: 52.224.xx.xx [UNTRUST]
dst: 10.10.10.78
proto: 6
sport: 22 dport: 4422
state: INIT type: FLOW
src user: unknown
dst user: paloalto\test
start time : Wed Nov 14 12:03:07 2024
timeout : 15 sec
total byte count(c2s) : 1572
total byte count(s2c) : 858
layer7 packet count(c2s) : 10
layer7 packet count(s2c) : 5
vsys : vsys1
application : ssh
rule : SSH
service timeout override(index) : False
session to be logged at end : True
session in session ager : False
session updated by HA peer : False
address/port translation : source + destination
nat-rule : NAT-RULE-1(vsys1)
layer7 processing : enabled
URL filtering enabled : True
URL category : any
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
session terminate tunnel : False
captive portal session : False
ingress interface : ethernet1/4
egress interface : ethernet1/2
session QoS rule : N/A (class 4)
tracker stage firewall : TCP FIN
end-reason : decrypt-unsupport-paramEnvironment
PANOS-10.0 and Later
Cause
SSH Decryption Supported Key exchange algorithms (KEX) and Host Key Algorithms when seeing 'decrypt-unsupport-param' as the session end reason.
The session end reason is giving 'decrypt-unsupport-param' as the error message. From the working pcaps when decryption is not enabled we see the ssh server sending 'Key Exchange (method:diffie-hellman-group14-sha1)' as the Key exchange algorithm. From my research it looks like we currently only support the following Key exchange algorithms (KEX):
diffie-hellman-group-exchange-sha256
diffie-hellman-group-exchange-sha1
For some reason we do not list supported KEX algorithms in the online documentation. We do mention the 'Host' Key Algorithms SSH-RSA (2048-bit) & SSH-DSS (2048-bit), but not the KEX algorithms:
https://docs.paloaltonetworks.com/compatibility-matrix/reference/supported-cipher-suites/cipher-suites-supported-in-pan-os-10-2/cipher-suites-supported-in-pan-os-10-2-decryption#idf5ea9a25-3f5c-47d7-90f7-51c7a93696b4
If you would like we can run the debug flow basic, proxy basic, ssl basic during a test to confirm the above. Otherwise you will need to make a decryption exception at least for those ssh servers
To verify what SSH destination servers are using take a packet capture from the end user's computer while not decrypting and on the packet line named 'Server: Diffie-Hellman Group Exchange Reply' and in the Packet Details window in Wireshark expand the 'SSH Protocol' and expand the 'Key Exchange' and note the KEX after the word 'method' as seen in the screenshot below. In this example the SSH server is showing it uses 'Key Exchange (method:diffie-hellman-group-exchange-sha256)' and the KEX host key is 'KEX host key (type: ssh-rsa)':
Resolution
Make a non-decrypt policy for SSH destinations servers that do not support or have the following enabled:
PA supported Key exchange algorithm.
1. diffie-hellman-group-exchange-sha256
2. diffie-hellman-group-exchange-sha1
PA supported host key algorithm.
1. ssh-rsa
2. ssh-dss