000033507 - SFTP collection not working after Hardening on VLC in RSA Security Analytics

Document created by RSA Customer Support Employee on Aug 4, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000033507
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: SA Core Appliance
RSA Version/Condition:
Platform: N/A
IssueAfter performing the hardening on the VLC, the sftp agent cannot connect to the VLC.
On sftp agent, running psftp command produces following error:
C:\sasftpagent>psftp -i private.ppk -l sftp -v x.x.x.x
Looking up host "x.x.x.x"
Connecting to x.x.x.x port 22
Server version: SSH-2.0-OpenSSH_5.3
Using SSH protocol version 2
We claim version: SSH-2.0-PuTTY_Local:_Aug_13_2014_15:13:55
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange with hash SHA-256
Host key fingerprint is:
ssh-rsa 2048 f6:a4:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:18
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA1 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA1 server->client MAC algorithm
Reading private key file "private.ppk"
Using username "sftp".
Offered our public key null
Offered public key
Offer of public key accepted
Authenticating with public key "rsa-key-20160610"
Sent public key signature
Access granted
Opening session as main channel
Opened main channel
Started a shell/command
Connected to x.x.x.x
Fatal: Received unexpected end-of-file from SFTP server

The SSH debug log /var/log/secure shows following error:
VLC sshd[32408]: pam_unix(sshd:account): expired password for user sftp (root enforced)
VLC sshd[32408]: debug3: PAM: sshpam_store_conv called with 1 messages
VLC sshd[32408]: debug3: PAM: do_pam_account pam_acct_mgmt = 12 (Authentication token is no longer valid; new one required)
VLC sshd[32413]: debug3: channel 0: close_fds r -1 w -1 e -1
VLC sshd[32412]: debug3: Wrote 88 bytes for a total of 4269
VLC sshd[32412]: debug1: Received SIGCHLD.
ResolutionAccording to http://sadocs.emc.com/0_en-us/088_SA106/215_SysAdm/ConfigurSTIG/10Proc/Configure_STIG_Hardening_for_10.6_Updated_from_Earlier_Version, you must change all passwords on the system after running the hardening script. 
The trace log "pam_unix(sshd:account): expired password for user sftp (root enforced)" indicates that the password for user sftp need reset. So you must reset the password for sftp account on the VLC as follows:
1. SSH to VLC using a normal user account(After hardening, super user access to a host through SSH is blocked).
2. Switch to root account with command "su -" and provide root's password, or switch to root account with command "sudo su -" and provide normal user's password.
3. Run command "passwd sftp" and set a new password for the account sftp. Make sure the password is STIG compliant. To understand a STIG compliant password please refer to  http://sadocs.emc.com/0_en-us/088_SA106/215_SysAdm/ConfigurSTIG/00_Intro
After resetting the sftp account's password, please try sftp connection again.
Also please note that SITG compliant require the user passwords to be changed at least every 60 days. The user sftp password is subject to this policy as well. 
NotesHow to enable SSH debug on SSH server side:
1. On the CentOS log collector/decoder system, edit /etc/ssh/sshd_config. 
2. At the very beginning of the file (i.e. at line number 1), add the following line to enable debug logs for SSHD service. 
LogLevel DEBUG3 
Save and quit the file. 
3. Restart SSHD service with this command: service sshd restart 
4. Execute this command: cp /var/log/secure secure1.txt 
5. Then reproduce the issue exactly once by running the psftp command on your Windows system at C:\NICsftpagent. Note: It is important that you reproduce the issue exactly once here. 
6. Execute this command on the CentOS system: diff -u secure1.txt /var/log/secure > secure.txt 
7. After this experiment is complete, please provide the secure.txt file to RSA support.