000039344 - Enable SSH using the command line on RSA Authentication Manager 8.4 and up

Document created by RSA Customer Support Employee on Sep 29, 2020
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000039344
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.4, 8.5
IssueThis article provides commands to enable or disable SSH to the RSA Authentication Manager server using command line on 8.4 and up.
ResolutionBefore enabling SSH

You first must connect to the RSA SecurID appliance using a monitor and USB keyboard that is directly connected to the appliance. Access can also be gained from a VMware console. Commands are as follows:
  1. Launch an SSH client, such as PuTTY.
  2. Log in to the primary RSA Authentication Manager server as rsaadmin and enter the operating system password.
  3. When prompted, sudo to root and enter the password again.
During Quick Setup, another username may have been selected. Use that username to log in.


Login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>
Last login: Mon Sep 22 07:22:45 2020 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@bharatham85:~> sudo su - root
rsaadmin's password: <enter operating system password>


Enable SSH to the server


Run the following commands to enable SSH:


rsaadmin@bharatham85:~> sudo systemctl start sshd
[sudo] password for rsaadmin: <enter operating system password>
rsaadmin@bharatham85:~>


Update iptables 




rsaadmin@bharatham85:~> vim /etc/sysconfig/iptables

Add the following entry. 


-A sshd -i eth0 -p tcp --dport 22 -j ACCEPT


Disable SSH to the server.
Run the following commands to disable SSH:

rsaadmin@bharatham85:~> sudo systemctl stop sshd
[sudo] password for rsaadmin: <enter operating system password>
rsaadmin@bharatham85:~>


 
NotesTo check if the sshd service is running, type the command below:

rsaadmin@bharatham85:~> sudo systemctl status sshd
[sudo] password for rsaadmin: <enter operating system password>
● sshd.service - OpenSSH Daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-08-06 14:37:12 EDT; 1 months 9 days ago
Main PID: 6826 (sshd)
    Tasks: 1
   CGroup: /system.slice/sshd.service
           └─6826 /usr/sbin/sshd -D

Sep 09 09:19:20 bharatham85 sshd[31210]: Accepted keyboard-interactive/pam for rsaadmin from 192.168.2.102 port 41487 ssh2
Sep 09 13:36:48 bharatham85 sshd[5400]: Accepted keyboard-interactive/pam for rsaadmin from 192.168.2.102 port 47328 ssh2
Sep 10 11:28:29 bharatham85 sshd[31639]: Accepted keyboard-interactive/pam for rsaadmin from 192.168.2.102 port 3386 ssh2
Sep 11 08:01:27 bharatham85 sshd[18316]: Accepted keyboard-interactive/pam for rsaadmin from 192.168.2.102 port 19136 ssh2
Sep 11 11:30:02 bharatham85 sshd[21640]: Accepted keyboard-interactive/pam for rsaadmin from 192.168.2.102 port 22273 ssh2
Sep 14 13:40:01 bharatham85 sshd[20665]: Accepted keyboard-interactive/pam for rsaadmin from 192.168.2.102 port 20971 ssh2
Sep 15 07:50:53 bharatham85 sshd[4777]: Accepted keyboard-interactive/pam for rsaadmin from 192.168.2.102 port 36417 ssh2
Sep 15 08:23:24 bharatham85 sshd[5268]: Accepted keyboard-interactive/pam for rsaadmin from 192.168.2.102 port 36998 ssh2
Sep 15 08:30:08 bharatham85 systemd[1]: Started OpenSSH Daemon.
Sep 15 08:43:12 bharatham85 systemd[1]: Started OpenSSH Daemon.
rsaadmin@bharatham85:~>


Example; iptables - secure shell is enabled:

rsaadmin@bharatham85:~> sudo iptables -L | grep ssh
[sudo] password for rsaadmin: <enter operating system password>
sshd       all  --  anywhere             anywhere
Chain sshd (1 references)
ACCEPT     tcp  --  anywhere             bharatham85.vcloud.local  tcp dpt:ssh
rsaadmin@bharatham85:~>


Example; iptables - secure shell is disabled.

rsaadmin@bharatham85:~> sudo iptables -L | grep ssh
[sudo] password for rsaadmin: <enter operating system password>
sshd all -- anywhere anywhere
Chain sshd (1 references)
rsaadmin@bharatham85:~>


Where secure shell access is not enabled in iptables then we can temporarily turn off iptables with the command: sudo systemctl stop iptables

Example:

rsaadmin@bharatham85:~> sudo systemctl stop iptables
[sudo] password for rsaadmin:
rsaadmin@bharatham85:~> sudo systemctl status iptables
[sudo] password for rsaadmin:
● iptables.service - LSB: iptables
Loaded: loaded (/etc/init.d/iptables; bad; vendor preset: disabled)
Active: inactive (dead) since Wed 2020-01-22 08:56:15 AEDT; 7s ago
Docs: man:systemd-sysv-generator(8)
Process: 61611 ExecStop=/etc/init.d/iptables stop (code=exited, status=0/SUCCESS)
Process: 61590 ExecStart=/etc/init.d/iptables start (code=exited, status=0/SUCCESS)

Jan 22 08:55:36 bharatham85 systemd[1]: Starting LSB: iptables...
Jan 22 08:55:36 bharatham85 iptables[61590]: Starting iptables ..done
Jan 22 08:55:36 bharatham85 systemd[1]: Started LSB: iptables.
Jan 22 08:56:15 bharatham85 systemd[1]: Stopping LSB: iptables...
Jan 22 08:56:15 bharatham85 iptables[61611]: Stopping iptables ..done
Jan 22 08:56:15 bharatham85 systemd[1]: Stopped LSB: iptables.
rsaadmin@bharatham85:~>


 

Attachments

    Outcomes