|Applies To||RSA Product Set: Security Analytics|
RSA Product/Service Type: SA Core Appliance
RSA Version/Condition: 10.6.0.1
|Issue||After performing the hardening on the VLC, the sftp agent cannot connect to the VLC.|
On sftp agent, running psftp command produces following error:
C:\sasftpagent>psftp -i private.ppk -l sftp -v x.x.x.x
The SSH debug log /var/log/secure shows following error:
VLC sshd: pam_unix(sshd:account): expired password for user sftp (root enforced)
|Resolution||According to http://sadocs.emc.com/0_en-us/088_SA106/215_SysAdm/ConfigurSTIG/10Proc/Configure_STIG_Hardening_for_10.6_Updated_from_Earlier_Version, you must change all passwords on the system after running the hardening script. |
The trace log "pam_unix(sshd:account): expired password for user sftp (root enforced)" indicates that the password for user sftp need reset. So you must reset the password for sftp account on the VLC as follows:
1. SSH to VLC using a normal user account(After hardening, super user access to a host through SSH is blocked).
2. Switch to root account with command "su -" and provide root's password, or switch to root account with command "sudo su -" and provide normal user's password.
3. Run command "passwd sftp" and set a new password for the account sftp. Make sure the password is STIG compliant. To understand a STIG compliant password please refer to http://sadocs.emc.com/0_en-us/088_SA106/215_SysAdm/ConfigurSTIG/00_Intro
After resetting the sftp account's password, please try sftp connection again.
Also please note that SITG compliant require the user passwords to be changed at least every 60 days. The user sftp password is subject to this policy as well.
|Notes||How to enable SSH debug on SSH server side:|
1. On the CentOS log collector/decoder system, edit /etc/ssh/sshd_config.
2. At the very beginning of the file (i.e. at line number 1), add the following line to enable debug logs for SSHD service.
Save and quit the file.
3. Restart SSHD service with this command: service sshd restart
4. Execute this command: cp /var/log/secure secure1.txt
5. Then reproduce the issue exactly once by running the psftp command on your Windows system at C:\NICsftpagent. Note: It is important that you reproduce the issue exactly once here.
6. Execute this command on the CentOS system: diff -u secure1.txt /var/log/secure > secure.txt
7. After this experiment is complete, please provide the secure.txt file to RSA support.