Safeguard SPP: Fails to check SSH Key.

Dears,

Could you please help me understand what happens when I try to check an SSH key in Safeguard SPP, as I always get an error message saying this:

"SSH Server on asset Oracle Linux is configured to run the authorized key command none as account 0

Unable to check SSH Key for account "Account1" on asset Oracle due to an error."

I think maybe the Safeguard service account is unable to use or run the AuthorizedKeysCommand found in the /etc/ssh/sshd_config file:

#AuthorizedKeysCommand none  (I actually don't know what should be placed here in order for the Safeguard service account to check the SSH key) ??

#AuthorizedKeysCommandUser none (I presume that I need to put the Safeguard service account name here) ??

What should be set in /etc/ssh/sshd_config in order for Safeguard to check SSH keys, especially in the AuthorizedKeysCommand fields?

Please note that I'm able to set and change SSH keys and passwords successfully through the same Safeguard service account.

I'm working on a Linux asset: Oracle Linux (OL7) distribution.

Thank you for your help.

  • Hi Hamza,

    Safeguard does not require AuthorizedKeysCommand (if you do not use it) to be enabled for the check SSH Key task to work.

    When performing Check SSH Key > click on the eye icon > click Show More > please check the Operations and/or sshCommunication tabs for more detailed logs.

    Thanks!

  • Thank you Ahmad for your reply,

    Here are the sshCommunication logs; please note that I'm using a service account named sfg-svc:

    [sfg-svc@oralnx ~]$ "))
    Friday, October 23, 2020 10:11:17 AM Debug RECV buf((""))
    Friday, October 23, 2020 10:11:17 AM Debug Send : sudo test -f '/etc/ssh/sshd_config'; echo "SshdConfigPath=$?"
    Friday, October 23, 2020 10:11:18 AM Debug RECV buf(("SshdConfigPath=0
    [sfg-svc@oralnx ~]$ "))
    Friday, October 23, 2020 10:11:18 AM Debug Send : sudo test -r '/etc/ssh/sshd_config'; echo "IsPathReadable=$?"
    Friday, October 23, 2020 10:11:18 AM Debug RECV buf(("IsPathReadable=0
    [sfg-svc@oralnx ~]$ "))
    Friday, October 23, 2020 10:11:18 AM Debug Send : sudo sshd -T | grep -o -i "^UseDNS.*" >/dev/null 2>&1; echo "DnsUsageConfigured=$?"
    Friday, October 23, 2020 10:11:18 AM Debug RECV buf(("DnsUsageConfigured=0
    [sfg-svc@oralnx ~]$ "))
    Friday, October 23, 2020 10:11:18 AM Debug Send : res=`sudo sshd -T | grep -o -i "^UseDNS.*" 2>/dev/null | awk '{print $2}'`; echo UseDns=${res}
    Friday, October 23, 2020 10:11:19 AM Debug RECV buf(("UseDns=no
    [sfg-svc@oralnx ~]$ "))
    Friday, October 23, 2020 10:11:19 AM Debug Send : sudo sshd -T -C user=keygen-sfg,host=10.0.1.80,addr=10.0.1.80 | grep -o -i "^PubkeyAuthentication.*" >/dev/null 2>&1; echo "PubKeyAuthConfigured=$?"
    Friday, October 23, 2020 10:11:19 AM Debug RECV buf(("PubKeyAuthConfigured=0
    [sfg-svc@oralnx ~]$ "))
    Friday, October 23, 2020 10:11:19 AM Debug Send : res=`sudo sshd -T -C user=keygen-sfg,host=10.0.1.80,addr=10.0.1.80 | grep -o -i "^PubkeyAuthentication.*" 2>/dev/null | awk '{print $2}'`; echo PubkeyAuth=${res}
    Friday, October 23, 2020 10:11:19 AM Debug RECV buf(("PubkeyAuth=yes
    [sfg-svc@oralnx ~]$ "))
    Friday, October 23, 2020 10:11:19 AM Debug Send : sudo sshd -T -C user=keygen-sfg,host=10.0.1.80,addr=10.0.1.80  | grep -o -i "^AuthorizedKeysFile.*" >/dev/null 2>&1; echo "KeystoreTemplateConfigured=$?"
    Friday, October 23, 2020 10:11:19 AM Debug RECV buf(("KeystoreTemplateConfigured=0
    [sfg-svc@oralnx ~]$ "))
    Friday, October 23, 2020 10:11:20 AM Debug Send : res=`sudo sshd -T -C user=keygen-sfg,host=10.0.1.80,addr=10.0.1.80 | grep -o -i "^AuthorizedKeysFile.*" 2>/dev/null | awk '{$1=""; print $0}'`; echo KeystoreTemplate=${res}
    Friday, October 23, 2020 10:11:20 AM Debug RECV buf(("KeystoreTemplate= .ssh/authorized_keys
    [sfg-svc@oralnx ~]$ "))
    Friday, October 23, 2020 10:11:20 AM Debug Send : sudo sshd -T | grep -o -i "^AuthorizedKeysCommand.*" >/dev/null 2>&1; echo "AuthorizedKeysCommandConfigured=$?"
    Friday, October 23, 2020 10:11:20 AM Debug RECV buf(("AuthorizedKeysCommandConfigured=0
    [sfg-svc@oralnx ~]$ "))
    Friday, October 23, 2020 10:11:20 AM Debug Send : res=`sudo sshd -T | grep -o -i "^AuthorizedKeysCommand.*" 2>/dev/null | awk '{print $2}'`; echo AuthorizedKeysCommand=${res}
    Friday, October 23, 2020 10:11:20 AM Debug RECV buf(("AuthorizedKeysCommand=none none
    [sfg-svc@oralnx ~]$ "))
    Friday, October 23, 2020 10:11:20 AM Debug Send : sudo sshd -T | grep -o -i "^AuthorizedKeysCommandUser.*" >/dev/null 2>&1; echo "AuthorizedKeysCommandUserConfigured=$?"
    Friday, October 23, 2020 10:11:21 AM Debug RECV buf(("AuthorizedKeysCommandUserConfigured=0
    [sfg-svc@oralnx ~]$ "))
    Friday, October 23, 2020 10:11:21 AM Debug Send : sudo sshd -T | grep -o -i "^AuthorizedKeysCommandUser.*" >/dev/null 2>&1; echo "AuthorizedKeysCommandUser=$?"
    Friday, October 23, 2020 10:11:21 AM Debug RECV buf(("AuthorizedKeysCommandUser=0
    [sfg-svc@oralnx ~]$ "))
    Friday, October 23, 2020 10:11:21 AM Debug Send : sudo none
    Friday, October 23, 2020 10:11:21 AM Debug RECV buf(("**secret**"))
    Friday, October 23, 2020 10:11:21 AM Debug Send : res=`sudo grep -o -i "^Match Host.*" '/etc/ssh/sshd_config' >/dev/null 2>&1`; echo "matchHostConfigured=$?"
    Friday, October 23, 2020 10:11:22 AM Debug RECV buf(("
    "))
    Friday, October 23, 2020 10:11:23 AM Debug RECV buf(("Sorry, try again.
    SUDO password for sfg-svc:"))
    Friday, October 23, 2020 10:11:23 AM Debug Send : **secret**
    Friday, October 23, 2020 10:11:24 AM Debug RECV buf(("
    sudo: none: command not found
    [sfg-svc@oralnx ~]$ "))
    Friday, October 23, 2020 10:11:44 AM Debug RECV buf((""))
    Friday, October 23, 2020 10:11:44 AM Debug Send : sudo test -f '/home/keygen-sfg/.ssh/authorized_keys'; echo "AuthKeysFileExist=$?"
    Friday, October 23, 2020 10:11:44 AM Debug RECV buf(("AuthKeysFileExist=0
    [sfg-svc@oralnx ~]$ "))
    Friday, October 23, 2020 10:11:44 AM Debug Send : sudo test -r '/home/keygen-sfg/.ssh/authorized_keys'; echo "AuthKeysFileExist=$?"
    Friday, October 23, 2020 10:11:44 AM Debug RECV buf(("AuthKeysFileExist=0
    [sfg-svc@oralnx ~]$ "))
    Friday, October 23, 2020 10:11:44 AM Debug Send : res=`sudo cat /home/keygen-sfg/.ssh/authorized_keys 2>/dev/null`; echo "Keys=${res}"
    Friday, October 23, 2020 10:11:45 AM Debug RECV buf(("Keys=ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIj6kOLXbCUAbw0tbx7IX7VYl2BwRcMSkFKYnk4wBldm/iNHXkVOjIUpE6mmzBKtBdPADfbt3gSeqe9tJW2rnw1BymzsRbPej8FpCXsKbqL382YWdd5i9yb1khgK5Wt/gBY0guvHy+Cz4pkXNEYhx+fkDWLlx1um2CyZt71vPJXRM9XnsL5Hx7qVfHWxqcdroWJ2Dz8DuBm3IRSeDoTACbaFf/1BvPdXp27ckPGN8JId8Exu7GgAoFXWN2tcIWqJXL14MEHRn+yeOBnC/pr8HuFVJHpPkA9AwtKtekqfNA3NSXKzfR7P+pUbyei3QzSCnCDofg8BApOFkjsTKuspsh Safeguard generated on 2020-10-14T11:32:59.5408072Z
    [sfg-svc@oralnx ~]$ "))
    Friday, October 23, 2020 10:11:45 AM Debug Send : sudo test -f '/home/keygen-sfg/.ssh/authorized_keys'; echo "KeystoreIsAFile=$?"
    Friday, October 23, 2020 10:11:45 AM Debug RECV buf(("KeystoreIsAFile=0
    [sfg-svc@oralnx ~]$ "))
    Friday, October 23, 2020 10:11:45 AM Debug Send : res=`sudo ls -l /home/keygen-sfg/.ssh/authorized_keys 2>/dev/null | awk '{print $0}'`; echo KeystorePermissions=${res}
    Friday, October 23, 2020 10:11:45 AM Debug RECV buf(("SUDO password for sfg-svc:"))
    Friday, October 23, 2020 10:11:45 AM Debug Send : **secret**
    Friday, October 23, 2020 10:11:46 AM Debug RECV buf(("
    KeystorePermissions=
    [sfg-svc@oralnx ~]$ "))

  • Thank you Ahmad for your reply,

    Here's a fraction of the operation logs I got from the error message:

    Friday, October 23, 2020 10:11:46 AM Information Block returned error state
    Friday, October 23, 2020 10:11:46 AM Debug Function "CheckSshKeystorePermissions" return result Error
    Friday, October 23, 2020 10:11:46 AM Information Block returned error state
    Friday, October 23, 2020 10:11:46 AM Information Block returned error state
    Friday, October 23, 2020 10:11:46 AM Debug Function "CheckAuthKey" return result Error
    Friday, October 23, 2020 10:11:46 AM Debug Function return variable ["CheckAuthKeyResult"]: "invalid expression: PermissionsList[0]"
    Friday, October 23, 2020 10:11:46 AM Information Block returned error state
    Friday, October 23, 2020 10:11:46 AM Information An error was thrown in the try block: "invalid expression: PermissionsList[0]"
    Friday, October 23, 2020 10:11:46 AM Debug Executing catch block
    Friday, October 23, 2020 10:11:46 AM Debug Executing catch block
    Friday, October 23, 2020 10:11:46 AM Debug Executing "Throw" component
    Friday, October 23, 2020 10:11:46 AM Information Block returned error state
    Friday, October 23, 2020 10:11:46 AM Information Block returned error state
    Friday, October 23, 2020 10:11:46 AM Debug Function "UnixShellCheckAuthorizedKey" return result Error
    Friday, October 23, 2020 10:11:46 AM Debug Function return variable ["Result"]: "Unable to validate the authorized key"

    I've checked the authorized_keys file permissions and they're correct: 600 for the managed SSH key user.

     Thank you.

  • As per your request I've checked the sshCommunication logs, and what I found is that Safeguard is trying to run none as the AuthorizedKeysCommand:

    Friday, October 23, 2020 10:11:24 AM Debug RECV buf(("
    sudo: none: command not found

    and then there are the KeystorePermissions errors I've found in the operation logs:

    Debug Function "CheckSshKeystorePermissions" return result Error

    Debug Function "UnixShellCheckAuthorizedKey" return result Error
    Debug Function return variable ["Result"]: "Unable to validate the authorized key"

    I've double-checked the authorized_keys file of the specified user and it's 600, and 700 for the .ssh folder.

    Thank you.


  • - Check permissions on the account's home directory as well (/home/account1)
    - Check the sshd configuration file (usually /etc/ssh/sshd_config). Specifically, check that PubKeyAuthentication is set to yes and that AuthorizedKeysFile matches the file name you are using

    grep -i authorizedkeysfile /etc/ssh/sshd_config

    Are you able to authenticate using the SSH Key outside of Safeguard?

  • Thank you Ahmad for your precious help,

    I've checked all your prerequisites above:

    + The home directory /home/account1 is set to 700 (for Account1.Account1), /home/account1/.ssh is set to 700 (for Account1.Account1), and the /home/account1/.ssh/authorized_keys file is set to 600 (for Account1.Account1)

    + in /etc/ssh/sshd_config: AuthorizedKeysFile .ssh/authorized_keys (matches my user's file name), PubKeyAuthentication yes, ChallengeResponseAuthentication yes

    + in the sudoers file the permissions are as follows:

    sfg-svc  ALL=(root) NOPASSWD: /bin/chmod, /bin/chown, /bin/cp, /bin/egrep, /bin/grep, /bin/mv, /bin/rm, /usr/bin/passwd, /usr/bin/tee, /usr/bin/test, /usr/bin/touch, /usr/bin/sudo, /bin/cat, /bin/mkdir, /sbin/sshd

    Through the Safeguard console I'm able to install an SSH key and change an SSH key successfully, but not check an SSH key, as I get this error again:

    "SSH Server on asset Oracle Linux is configured to run the authorized key command none as account 0"

    This is why I've tried to change the AuthorizedKeysCommand in the sshd_config file but have no idea what the correct input is.

    N.B.: AuthorizedKeysCommand and AuthorizedKeysCommandUser are commented out in the config file.

    Thank you.
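    The two things the thread has exposed so far, the commands Safeguard issues through sudo (visible in the sshCommunication log earlier in the thread) and the sudoers rule in the reply above, can be compared mechanically. The script below is an added example and is not code from the thread or from One Identity: the log lines and the sudoers rule are copied from the posts above, the sshd -T output is a constructed sample, and "example-keys-helper" is a placeholder value used only to show a configured command being returned.

```shell
#!/bin/sh
# Added example (not from the thread or One Identity): compare the sudoers rule posted
# in the thread with the commands the sshCommunication log shows Safeguard running via
# sudo. A command outside the NOPASSWD list makes sudo prompt for a password and return
# no output, which leaves a check variable empty (the log's "KeystorePermissions=").
# Sample data below is constructed from the lines quoted in the thread.

SUDOERS_RULE='sfg-svc  ALL=(root) NOPASSWD: /bin/chmod, /bin/chown, /bin/cp, /bin/egrep, /bin/grep, /bin/mv, /bin/rm, /usr/bin/passwd, /usr/bin/tee, /usr/bin/test, /usr/bin/touch, /usr/bin/sudo, /bin/cat, /bin/mkdir, /sbin/sshd'

LOG=$(cat <<'EOF'
Friday, October 23, 2020 10:11:17 AM Debug Send : sudo test -f '/etc/ssh/sshd_config'; echo "SshdConfigPath=$?"
Friday, October 23, 2020 10:11:20 AM Debug Send : res=`sudo sshd -T | grep -o -i "^AuthorizedKeysCommand.*" 2>/dev/null | awk '{print $2}'`; echo AuthorizedKeysCommand=${res}
Friday, October 23, 2020 10:11:21 AM Debug Send : sudo none
Friday, October 23, 2020 10:11:45 AM Debug Send : res=`sudo ls -l /home/keygen-sfg/.ssh/authorized_keys 2>/dev/null | awk '{print $0}'`; echo KeystorePermissions=${res}
EOF
)

# Constructed: what "sshd -T" prints on the asset while the directive stays commented out.
SSHD_T_SAMPLE='authorizedkeyscommand none
authorizedkeyscommanduser none'

# Basenames of the binaries the NOPASSWD rule allows, one per line.
allowed_sudo_basenames() {
    printf '%s\n' "$SUDOERS_RULE" | sed 's/.*NOPASSWD: *//' | tr ',' '\n' |
        sed 's/^ *//; s#.*/##' | sort -u
}

# First word after each "sudo " in the log, whether in a pipeline or in backticks.
sudo_commands_in_log() {
    printf '%s\n' "$LOG" | grep -o 'sudo [^ ;|`]*' | awk '{print $2}' | sort -u
}

# Commands Safeguard ran that the rule does not cover (here: ls and none).
uncovered_sudo_commands() {
    allowed=$(allowed_sudo_basenames)
    for cmd in $(sudo_commands_in_log); do
        printf '%s\n' "$allowed" | grep -qxF "$cmd" || printf '%s\n' "$cmd"
    done
}

# "sshd -T" reports "none" when no AuthorizedKeysCommand is set; it is a placeholder,
# not a program. The log's "none none" came from a grep -i that also matched the
# AuthorizedKeysCommandUser line; matching the whole first field avoids that.
effective_authorized_keys_command() {
    value=$(printf '%s\n' "$1" | awk 'tolower($1)=="authorizedkeyscommand" {$1=""; sub(/^ /, ""); print}')
    [ "$value" = "none" ] && value=""
    printf '%s' "$value"
}
uncovered_sudo_commands
```

    Running it prints ls and none: the permissions check and the placeholder "none" are the two sudo invocations the posted rule never allows without a password.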

  • Are you able to authenticate using the SSH Key outside of Safeguard?

    => Yes, I'm able to authenticate outside Safeguard using the PuTTY Keygen tool, and also using the private key provided by Safeguard.

  • If you are running the latest version of Safeguard and the Desktop client but still see the issue, then I would suggest opening a ticket to investigate this further via:

    support.oneidentity.com/create-service-request

    Thanks!

  • Hi Hamza,

    Please try increasing the connection timeout (double-click on the Asset > Connection tab) from the default of 20 seconds to something like 60 or more, to see if you get any better results.

    Thanks!

  • Hi Hamza,

    Could you try to right click on Account1 > Account Security > Set SSH key > Click on Generate > Click Install > Click Verify?

    Then perform a Check SSH Key to see if that makes any difference?

    Thanks!