Lately I have been using the sftpagent quite a bit for moving log files to NetWitness. I have been running into the same issue on installs recently.
The issue happens on the first sftpagent agent connection to a log collector.
After installing the agent and creating a ssh key you need to run the following command to accept the log collector host key
psftp -i private.ppk -l sftp -v log_collector_IP_address
When that command runs it connects to the log collector and stores the host key.
After accepting the key and storing it you get the following error:
In checking the 'secure' log on the log collector you see:
The issue is that the 'sftp' account has expired. You need to change the password in order to activate the account.
This is done my issuing the following command
You will then be prompted to change the password. It does not matter what password you pick, although it should be documented. The sftpagent uses certificate authentication vs password auth, which is why it does not matter what you set the password to.
Once this is done you can rerun the "psftp -i private.ppk -l sftp -v log_collector_IP_address" command
You should see the following:
Once you see the "Access granted" line, you are good to continue setting up the sftpagent config.