000038003 - How to perform SSH login without password to Centos 6 in RSA NetWitness Platform

Document created by RSA Customer Support Employee on Oct 15, 2019
Version 1

Article Content

Article Number: 000038003
Applies To:
RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Security Analytics Server
RSA Version/Condition: 11.3.1.0
 
Issue
From NetWitness 11.x, SSH login without a password works to CentOS 7 hosts and other NetWitness appliances, but login to CentOS 6 fails with the message 'sign_and_send_pubkey: signing failed: error in libcrypto' and falls back to a password prompt.
 



----------ssh to centos 7(packet decoder)----------
[root@sa-server ~]# ssh-keygen
[root@sa-server ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@pdecoder
[root@sa-server ~]# ssh pdecoder
FIPS mode initialized
Last login: Fri Sep 27 00:57:45 2019 from nw-node-zero
[root@pdecoder ~]#

----------ssh to centos 6----------
[root@sa-server ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@centos6
[root@sa-server ~]# ssh centos6
FIPS mode initialized
sign_and_send_pubkey: signing failed: error in libcrypto
root@centos6's password:

Last login: Fri Sep 27 01:57:40 2019 from 192.168.2.2
[root@centos6 ~]#

 

Cause



The following errors are logged in /var/log/messages:



Sep 27 02:40:15 sa-server ssh[32183]: OWB:ERROR:RES:(crypto, SHA1_RSA (65), 0x2) not available in FIPS mode
Sep 27 02:40:15 sa-server ssh[32183]: OWB:ERROR:BSAFELIB:func(137):reason(109):b_rsa.c:416

 


CentOS 6 usually ships an old version of the openssh package, which does not support SHA-256 for FingerprintHash.

Resolution

After installing openssh 6.8 or a higher version on CentOS 6, it generates SHA-256 fingerprints for SSH keys, and NetWitness 11 can log in to CentOS 6 without a password.

----------output of ssh-keygen in openssh 5.3p1----------
[root@centos6 .ssh]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
d1:af:a7:c5:f6:df:f4:9b:bd:a5:4c:fb:05:1d:4a:17 root@centos6
The key's randomart image is:
+--[ RSA 2048]----+
|               E |
|         .      .|
|        . .  . o |
|         . .. o..|
|        S   ... .|
|           o   . |
|          . = . +|
|           = + +B|
|          .   =*O|
+-----------------+
[root@centos6 .ssh]# 

----------output of ssh-keygen in openssh 7.3----------
[root@centos6 .ssh]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:WDdelQk0Xwof7anTWg0d5NLT11LF/sdRqvalstavzdo root@centos6
The key's randomart image is:
+---[RSA 2048]----+
|           .=.+*=|
|             *=**|
|        . o ..=OB|
|       o o o  ++*|
|      . S .  .oo+|
|            oo o*|
|           . o+o.|
|            o.++ |
|           ..oo+E|
+----[SHA256]-----+
[root@centos6 .ssh]# 
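
A triage sketch for the situation above, added here as an example and not taken from RSA or the original article: it reads a peer's SSH identification string and a syslog excerpt, then reports whether the peer's OpenSSH is below the 6.8 threshold named in the Resolution and how many of the FIPS SHA1_RSA errors quoted under Cause were logged. The function names and sample banners are assumptions; the first two sample log lines are copied from this article and the third is constructed.

```shell
#!/bin/sh
# Added example, not RSA's code. 6.8 is the openssh version this article names.
MIN_MAJOR=6 MIN_MINOR=8

# Print "major.minor" from an SSH identification string such as
# "SSH-2.0-OpenSSH_5.3"; return 1 if the peer does not identify as OpenSSH.
openssh_version() {
    v=$(printf '%s\n' "$1" |
        sed -n 's/^SSH-[0-9.]*-OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p')
    [ -n "$v" ] && printf '%s\n' "$v"
}

# Succeed if "major.minor" is at least MIN_MAJOR.MIN_MINOR.
meets_minimum() {
    major=${1%%.*} minor=${1#*.}
    [ "$major" -gt "$MIN_MAJOR" ] ||
        { [ "$major" -eq "$MIN_MAJOR" ] && [ "$minor" -ge "$MIN_MINOR" ]; }
}

# Count client-side FIPS signing errors (the /var/log/messages format above) on stdin.
count_fips_errors() {
    grep -c 'ssh\[[0-9]*\]: OWB:ERROR:RES:.*SHA1_RSA.*not available in FIPS mode' || true
}

# triage BANNER < syslog: print a verdict; return 0 ok, 1 upgrade needed, 2 unknown peer.
triage() {
    errs=$(count_fips_errors)
    if ! ver=$(openssh_version "$1"); then
        echo "unknown: not an OpenSSH banner; $errs FIPS signing error(s) logged"; return 2
    fi
    if meets_minimum "$ver"; then
        echo "ok: OpenSSH $ver >= $MIN_MAJOR.$MIN_MINOR; $errs FIPS signing error(s) logged"
    else
        echo "upgrade: OpenSSH $ver < $MIN_MAJOR.$MIN_MINOR; $errs FIPS signing error(s) logged"
        return 1
    fi
}

# Sample input: lines 1-2 are quoted in this article, line 3 is constructed.
sample_log() {
    cat <<'EOF'
Sep 27 02:40:15 sa-server ssh[32183]: OWB:ERROR:RES:(crypto, SHA1_RSA (65), 0x2) not available in FIPS mode
Sep 27 02:40:15 sa-server ssh[32183]: OWB:ERROR:BSAFELIB:func(137):reason(109):b_rsa.c:416
Sep 27 02:41:02 sa-server sshd[32201]: Accepted publickey for root from 192.0.2.10 port 50122 ssh2
EOF
}

# Constructed banners; 5.3 and 7.3 are the openssh versions shown in this article.
sample_log | triage "SSH-2.0-OpenSSH_5.3" || true
sample_log | triage "SSH-2.0-OpenSSH_7.3" || true
```

On a live host, the banner value can be read from the "remote software version" line that `ssh -v` prints when it connects.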
