000038265 - SSH from RSA NetWitness Platform 11.X appliance to Reflection for Secure IT Server using public key authentication fails

Document created by RSA Customer Support Employee on Dec 30, 2019
Version 1

Article Content

Article Number: 000038265
Applies To: RSA Product Set: NetWitness Platform
RSA Product/Service Type: All services
RSA Version/Condition: 11.X
Platform: CentOS
O/S Version: 7
Issue: Reflection for Secure IT (RSIT) Server, third-party software from Micro Focus, is an SSH server that provides secure file transfer and remote administration for UNIX and Windows servers.
It is part of the Reflection for Secure IT family of Secure Shell clients and servers for Windows and UNIX, all designed to protect data in motion.
See the following link for more details:
Reflection for Secure IT

Customers who run an RSIT server in their environment may find that, after upgrading NetWitness to 11.X, they can no longer SSH from any NetWitness appliance to the RSIT server using the public key authentication method, even though the same connection worked before the upgrade (for example, on 10.X).

With debug logging enabled on the RSIT server, running the ssh command at maximum verbosity (-vvv) on a NetWitness appliance fails with the following error:

[root@nwsvr ~]# ssh -vvv -i ~/.ssh/id_rsa user@<RSIT Server IP>
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017 (OwB:1.2.2.4 CCME:4.1.2.0)
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
...
...
debug3: sign_and_send_pubkey: RSA SHA256:ZE7o0TeYPHC4S42kl/Qt2a6c/cWNoycN4pTAIj58MVk
sign_and_send_pubkey: signing failed: error in libcrypto


At the same time, the following errors are logged in /var/log/messages on the appliance:


Dec 20 07:28:07 nwsvr ssh[173980]: OWB:ERROR:RES:(crypto, SHA1_RSA (65), 0x2) not available in FIPS mode
Dec 20 07:28:07 nwsvr ssh[173980]: OWB:ERROR:BSAFELIB:func(137):reason(109):b_rsa.c:416


 
Resolution: This happens because FIPS mode is enabled on the 11.x platform. The ssh-rsa public key method authenticates with an RSA signature over a SHA-1 digest, and the FIPS-validated crypto library behind the appliance's OpenSSH refuses to produce that signature; this is what the "SHA1_RSA ... not available in FIPS mode" entries in /var/log/messages report, and ssh surfaces it as "signing failed: error in libcrypto".

As a workaround, prefix the ssh command with OWB_ALLOW_NON_FIPS=on when connecting to the RSIT server, e.g.:

OWB_ALLOW_NON_FIPS=on ssh -i ~/.ssh/id_rsa user@<RSIT Server IP>

The variable lifts the FIPS restriction only for that ssh process, which then signs with SHA-1 RSA, the exact operation FIPS mode was blocking. Set it on the command line for this connection only; do not export it from a login profile or a service environment, because every program that inherits it would then run its cryptography outside FIPS enforcement.


Sample output:

[root@nwsvr ~]# OWB_ALLOW_NON_FIPS=on ssh -vvv -i ~/.ssh/id_rsa root@172.24.200.156              
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017 (OwB:1.2.2.4 CCME:4.1.2.0)
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
...
...
debug3: sign_and_send_pubkey: RSA SHA256:ZE7o0TeYPHC4S42kl/Qt2a6c/cWNoycN4pTAIj58MVk
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).
Authenticated to 172.24.200.156 ([172.24.200.156]:22)
...
...
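As an added example, not code from the RSA article or from Micro Focus, the following POSIX shell wrapper checks an ssh attempt for the libcrypto signing failure shown above, confirms the cause against the OWB entries in /var/log/messages, and retries once with OWB_ALLOW_NON_FIPS=on set for that single ssh process rather than the whole shell. The function names, the BatchMode option and the sample transcripts are assumptions of the example; the sample lines are constructed from the article's output, not captured from a live appliance.

```shell
#!/bin/sh
# Added example (not from the RSA article or Micro Focus): detect the FIPS-mode
# SHA-1 RSA signing failure and retry ssh with OWB_ALLOW_NON_FIPS=on scoped to
# that one ssh process only.

# Constructed samples modelled on the article's transcript; not captured live.
SAMPLE_FAIL='debug3: sign_and_send_pubkey: RSA SHA256:ZE7o0TeYPHC4S42kl/Qt2a6c/cWNoycN4pTAIj58MVk
sign_and_send_pubkey: signing failed: error in libcrypto'

SAMPLE_OK='debug3: sign_and_send_pubkey: RSA SHA256:ZE7o0TeYPHC4S42kl/Qt2a6c/cWNoycN4pTAIj58MVk
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).'

SAMPLE_MESSAGES='Dec 20 07:28:07 nwsvr ssh[173980]: OWB:ERROR:RES:(crypto, SHA1_RSA (65), 0x2) not available in FIPS mode
Dec 20 07:28:07 nwsvr ssh[173980]: OWB:ERROR:BSAFELIB:func(137):reason(109):b_rsa.c:416'

# Classify captured ssh stderr: prints fips-signing-blocked, auth-ok or unknown.
# The "signing failed" line is printed by ssh at normal verbosity, so no -vvv is needed.
classify_ssh_stderr() {
    if printf '%s\n' "$1" | grep -q 'sign_and_send_pubkey: signing failed: error in libcrypto'; then
        echo fips-signing-blocked
    elif printf '%s\n' "$1" | grep -q 'Authentication succeeded (publickey)'; then
        echo auth-ok
    else
        echo unknown
    fi
}

# Confirm from /var/log/messages text that the FIPS library rejected SHA1_RSA.
# Returns 0 when the OWB error for SHA1_RSA in FIPS mode is present.
messages_show_fips_block() {
    printf '%s\n' "$1" | grep -q 'OWB:ERROR:RES:.*SHA1_RSA.*not available in FIPS mode'
}

# List the distinct ssh pids that logged the FIPS block, one per line.
fips_block_pids() {
    printf '%s\n' "$1" | grep 'not available in FIPS mode' \
        | sed -n 's/.* ssh\[\([0-9]*\)\].*/\1/p' | sort -u
}

# Connect to the RSIT server with public key auth. On the FIPS signing failure,
# retry once with OWB_ALLOW_NON_FIPS=on set only for the retried ssh process.
# BatchMode=yes keeps the attempt non-interactive (assumes an unencrypted key or an agent).
# Usage: connect_rsit ~/.ssh/id_rsa user@<RSIT Server IP> [remote command...]
connect_rsit() {
    key=$1; target=$2; shift 2
    errlog=$(mktemp) || return 1
    if ssh -i "$key" -o BatchMode=yes "$target" "$@" 2>"$errlog"; then
        rm -f "$errlog"
        return 0
    fi
    verdict=$(classify_ssh_stderr "$(cat "$errlog")")
    if [ "$verdict" = fips-signing-blocked ]; then
        echo "ssh: FIPS mode blocked the SHA-1 RSA signature; retrying with OWB_ALLOW_NON_FIPS=on for this process only" >&2
        rm -f "$errlog"
        OWB_ALLOW_NON_FIPS=on ssh -i "$key" -o BatchMode=yes "$target" "$@"
        return $?
    fi
    cat "$errlog" >&2
    rm -f "$errlog"
    return 1
}

# Offline demonstration on the constructed samples (a real run would call connect_rsit).
echo "failing transcript: $(classify_ssh_stderr "$SAMPLE_FAIL")"
echo "working transcript: $(classify_ssh_stderr "$SAMPLE_OK")"
if messages_show_fips_block "$SAMPLE_MESSAGES"; then
    echo "messages confirm FIPS block for ssh pid(s): $(fips_block_pids "$SAMPLE_MESSAGES")"
fi
```

The retry passes the variable as a per-command prefix, so no other process on the appliance loses FIPS enforcement; if the first attempt fails for any other reason (wrong key, host key mismatch, network), the wrapper prints the original stderr and does not retry with the override.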


 
