Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000033507 - SFTP collection not working after Hardening on VLC in RSA Security Analytics 10.6.0.1

Document created by RSA Customer Support

on Aug 4, 2016•Last modified by RSA Customer Support

on Apr 21, 2017

Version 2Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000033507
Applies To	RSA Product Set: Security Analytics RSA Product/Service Type: SA Core Appliance RSA Version/Condition: 10.6.0.1 Platform: N/A
Issue	After performing the hardening on the VLC, the sftp agent cannot connect to the VLC. On sftp agent, running psftp command produces following error: C:\sasftpagent>psftp -i private.ppk -l sftp -v x.x.x.x Looking up host "x.x.x.x" Connecting to x.x.x.x port 22 Server version: SSH-2.0-OpenSSH_5.3 Using SSH protocol version 2 We claim version: SSH-2.0-PuTTY_Local:_Aug_13_2014_15:13:55 Doing Diffie-Hellman group exchange Doing Diffie-Hellman key exchange with hash SHA-256 Host key fingerprint is: ssh-rsa 2048 f6:a4:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:18 Initialised AES-256 SDCTR client->server encryption Initialised HMAC-SHA1 client->server MAC algorithm Initialised AES-256 SDCTR server->client encryption Initialised HMAC-SHA1 server->client MAC algorithm Reading private key file "private.ppk" Using username "sftp". Offered our public key null Offered public key Offer of public key accepted Authenticating with public key "rsa-key-20160610" Sent public key signature Access granted Opening session as main channel Opened main channel Started a shell/command Connected to x.x.x.x Fatal: Received unexpected end-of-file from SFTP server The SSH debug log /var/log/secure shows following error: ............................ VLC sshd[32408]: pam_unix(sshd:account): expired password for user sftp (root enforced) VLC sshd[32408]: debug3: PAM: sshpam_store_conv called with 1 messages VLC sshd[32408]: debug3: PAM: do_pam_account pam_acct_mgmt = 12 (Authentication token is no longer valid; new one required) ............................ VLC sshd[32413]: debug3: channel 0: close_fds r -1 w -1 e -1 VLC sshd[32412]: debug3: Wrote 88 bytes for a total of 4269 VLC sshd[32412]: debug1: Received SIGCHLD.
Resolution	According to http://sadocs.emc.com/0_en-us/088_SA106/215_SysAdm/ConfigurSTIG/10Proc/Configure_STIG_Hardening_for_10.6_Updated_from_Earlier_Version, you must change all passwords on the system after running the hardening script. The trace log "pam_unix(sshd:account): expired password for user sftp (root enforced)" indicates that the password for user sftp need reset. So you must reset the password for sftp account on the VLC as follows: 1. SSH to VLC using a normal user account(After hardening, super user access to a host through SSH is blocked). 2. Switch to root account with command "su -" and provide root's password, or switch to root account with command "sudo su -" and provide normal user's password. 3. Run command "passwd sftp" and set a new password for the account sftp. Make sure the password is STIG compliant. To understand a STIG compliant password please refer to http://sadocs.emc.com/0_en-us/088_SA106/215_SysAdm/ConfigurSTIG/00_Intro After resetting the sftp account's password, please try sftp connection again. Also please note that SITG compliant require the user passwords to be changed at least every 60 days. The user sftp password is subject to this policy as well.
Notes	How to enable SSH debug on SSH server side: 1. On the CentOS log collector/decoder system, edit /etc/ssh/sshd_config. 2. At the very beginning of the file (i.e. at line number 1), add the following line to enable debug logs for SSHD service. LogLevel DEBUG3 Save and quit the file. 3. Restart SSHD service with this command: service sshd restart 4. Execute this command: cp /var/log/secure secure1.txt 5. Then reproduce the issue exactly once by running the psftp command on your Windows system at C:\NICsftpagent. Note: It is important that you reproduce the issue exactly once here. 6. Execute this command on the CentOS system: diff -u secure1.txt /var/log/secure > secure.txt 7. After this experiment is complete, please provide the secure.txt file to RSA support.

Attachments

Outcomes

0 Comments

Recommended Content