000030939 - Problems with SFTP agent certificate exchange on Windows for RSA Security Analytics

Document created by RSA Customer Support Employee on Apr 10, 2019
Version 1

Article Content

Article Number: 000030939

Applies To
RSA Product Set: RSA NetWitness Logs & Network; Security Analytics
RSA Product/Service Type: Security Analytics SFTP Agent, Log Collector, Core Appliance, Log Hybrid, All-in-One, Security Analytics UI
Platform: SFTP Agent running on Windows, Log Collector running on CentOS 6 Linux

Issue
When attempting to configure the SFTP Agent on a Windows Server to send logs to the Security Analytics Log Collector for File Collection, following the instructions in the Security Analytics User Guide, errors similar to the example below are displayed.

Offered public key
Server refused our key
Server refused public key
No supported authentication methods left to try!
No supported authentications offered. Disconnecting
Server closed network connection
ssh_init: error during SSH connection setup
Cause
As instructed in the Private Key Issues section of the SFTP Agent Installation Guide, part of the resolution may be generating a new key pair using the puttygen.exe application.

Another reason may be that the sshd service on the appliance running the Log Collector service may be pointing to a different authorized_keys location.
The sshd service on the Log Collector running Security Analytics may have its keys in the /upload/.ssh/authorized_keys directory.

Updating the Event Source SSH Key via Security Analytics UI at version adds the public key to the /home/upload/.ssh/authorized_keys directory.
See the Security Analytics User Guide for more information.
Workaround
To resolve the issue, perform one of the workarounds below.

Workaround #1
Copy the new keys that were added via the Security Analytics UI to the appropriate directory on the Log Collector appliance and set the permissions.

cp /home/upload/.ssh/authorized_keys/* /upload/.ssh/authorized_keys/
chown sftp /upload/.ssh/authorized_keys
chmod 600 /upload/.ssh/authorized_keys

NOTE:  This can be done automatically by running the /etc/netwitness/ng/logcollector/lctwin script on the Log Collector appliance.

Workaround #2

  1. Edit the /etc/ssh/ssh_config file on the Log Collector appliance so that it includes the lines below.

    AuthorizedKeysFile  .ssh/authorized_keys
    AuthorizedKeysFile2  /upload/.ssh/authorized_keys

  2. Restart the sshd service to reflect the changes.

    service sshd restart
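
To confirm the mismatch described under Cause before or after applying either workaround, the following added example (not RSA's script and not the lctwin script) lists the authorized_keys locations a config file names and reports whether the agent's public key is present in each, with the file mode. The function names, the temporary directory layout and the key string are constructed for illustration.

```sh
#!/bin/sh
# Added example (not RSA's script): which authorized_keys locations does an
# sshd config name, and does each one hold the agent's public key?

# Print every path named by AuthorizedKeysFile / AuthorizedKeysFile2,
# skipping commented-out directives.
authkeys_paths() {
    awk 'tolower($1) ~ /^authorizedkeysfile2?$/ { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# check_location PATH HOME BLOB -> "<path> key=yes|no mode=<perms>|missing"
# Relative paths are resolved against HOME, as sshd does.
check_location() {
    p=$1
    case $p in /*) ;; *) p=$2/$p ;; esac
    if [ ! -e "$p" ]; then echo "$p key=no mode=missing"; return; fi
    found=no
    if [ -d "$p" ]; then
        grep -qF -- "$3" "$p"/* 2>/dev/null && found=yes
    else
        grep -qF -- "$3" "$p" 2>/dev/null && found=yes
    fi
    echo "$p key=$found mode=$(ls -ld "$p" | cut -c1-10)"
}

# check_config CONFIG HOME BLOB: one report line per configured location.
check_config() {
    authkeys_paths "$1" | while read -r path; do
        check_location "$path" "$2" "$3"
    done
}

# Constructed sample: the key sits under home/upload, the config points elsewhere.
demo=$(mktemp -d)
blob='AAAAB3NzaC1yc2EAAAADAQABAAAAgQCONSTRUCTEDSAMPLEKEY'  # not a real key
mkdir -p "$demo/home/upload/.ssh" "$demo/upload/.ssh"
echo "ssh-rsa $blob sftp-agent" > "$demo/home/upload/.ssh/authorized_keys"
: > "$demo/upload/.ssh/authorized_keys"
chmod 600 "$demo/upload/.ssh/authorized_keys"
printf '#AuthorizedKeysFile ignored\nAuthorizedKeysFile %s\n' \
    "$demo/upload/.ssh/authorized_keys" > "$demo/sshd_config"
check_config "$demo/sshd_config" "$demo/home/upload" "$blob"
```

On a Log Collector, call check_config with the config file sshd reads, the upload account's home directory and the base64 field of the agent's public key; a line showing key=no for the configured location matches the "Server refused our key" symptom.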