Safeguard SPP: Fails to Check SSH Key

Dears,

Could you please help me understand what happens when I try to check an SSH key in Safeguard SPP? I always get an error message saying this:

"SSH Server on asset Oracle Linux is configured to run the authorized key command none as account 0

Unable to check SSH Key for account "Account1" on asset Oracle due to an error."

I think maybe the Safeguard service account is unable to use or run the AuthorizedKeysCommand found in the /etc/ssh/sshd_config file:

#AuthorizedKeysCommand none  (I actually don't know what should be placed here in order for the Safeguard service account to check the SSH key) ??

#AuthorizedKeysCommandUser none (I presume that I need to put the Safeguard service account name here) ??

What should be set in /etc/ssh/sshd_config in order for Safeguard to check SSH keys, especially in the AuthorizedKeysCommand fields?

Please note that I'm able to set and change SSH keys and passwords successfully through the same Safeguard service account.

I'm working on a Linux asset: Oracle Linux (OL7) distribution.

Thank you for your help.

  • Hi Hamza,

    Safeguard does not require AuthorizedKeysCommand (if you do not use it) to be enabled for the check SSH Key task to work.

    When performing Check SSH Key > click on the eye icon > click Show More > please check the Operations and/or sshCommunication tabs for more detailed logs.

    Thanks!

  • Thank you Ahmad for your reply,

    Here are the sshCommunication logs. Please note that I'm using a service account named sfg-svc:

    [sfg-svc@oralnx ~]$ "))
    Friday, October 23, 2020 10:11:17 AM Debug RECV buf((""))
    Friday, October 23, 2020 10:11:17 AM Debug Send : sudo test -f '/etc/ssh/sshd_config'; echo "SshdConfigPath=$?"
    Friday, October 23, 2020 10:11:18 AM Debug RECV buf(("SshdConfigPath=0
    [sfg-svc@oralnx ~]$ "))
    Friday, October 23, 2020 10:11:18 AM Debug Send : sudo test -r '/etc/ssh/sshd_config'; echo "IsPathReadable=$?"
    Friday, October 23, 2020 10:11:18 AM Debug RECV buf(("IsPathReadable=0
    [sfg-svc@oralnx ~]$ "))
    Friday, October 23, 2020 10:11:18 AM Debug Send : sudo sshd -T | grep -o -i "^UseDNS.*" >/dev/null 2>&1; echo "DnsUsageConfigured=$?"
    Friday, October 23, 2020 10:11:18 AM Debug RECV buf(("DnsUsageConfigured=0
    [sfg-svc@oralnx ~]$ "))
    Friday, October 23, 2020 10:11:18 AM Debug Send : res=`sudo sshd -T | grep -o -i "^UseDNS.*" 2>/dev/null | awk '{print $2}'`; echo UseDns=${res}
    Friday, October 23, 2020 10:11:19 AM Debug RECV buf(("UseDns=no
    [sfg-svc@oralnx ~]$ "))
    Friday, October 23, 2020 10:11:19 AM Debug Send : sudo sshd -T -C user=keygen-sfg,host=10.0.1.80,addr=10.0.1.80 | grep -o -i "^PubkeyAuthentication.*" >/dev/null 2>&1; echo "PubKeyAuthConfigured=$?"
    Friday, October 23, 2020 10:11:19 AM Debug RECV buf(("PubKeyAuthConfigured=0
    [sfg-svc@oralnx ~]$ "))
    Friday, October 23, 2020 10:11:19 AM Debug Send : res=`sudo sshd -T -C user=keygen-sfg,host=10.0.1.80,addr=10.0.1.80 | grep -o -i "^PubkeyAuthentication.*" 2>/dev/null | awk '{print $2}'`; echo PubkeyAuth=${res}
    Friday, October 23, 2020 10:11:19 AM Debug RECV buf(("PubkeyAuth=yes
    [sfg-svc@oralnx ~]$ "))
    Friday, October 23, 2020 10:11:19 AM Debug Send : sudo sshd -T -C user=keygen-sfg,host=10.0.1.80,addr=10.0.1.80  | grep -o -i "^AuthorizedKeysFile.*" >/dev/null 2>&1; echo "KeystoreTemplateConfigured=$?"
    Friday, October 23, 2020 10:11:19 AM Debug RECV buf(("KeystoreTemplateConfigured=0
    [sfg-svc@oralnx ~]$ "))
    Friday, October 23, 2020 10:11:20 AM Debug Send : res=`sudo sshd -T -C user=keygen-sfg,host=10.0.1.80,addr=10.0.1.80 | grep -o -i "^AuthorizedKeysFile.*" 2>/dev/null | awk '{$1=""; print $0}'`; echo KeystoreTemplate=${res}
    Friday, October 23, 2020 10:11:20 AM Debug RECV buf(("KeystoreTemplate= .ssh/authorized_keys
    [sfg-svc@oralnx ~]$ "))
    Friday, October 23, 2020 10:11:20 AM Debug Send : sudo sshd -T | grep -o -i "^AuthorizedKeysCommand.*" >/dev/null 2>&1; echo "AuthorizedKeysCommandConfigured=$?"
    Friday, October 23, 2020 10:11:20 AM Debug RECV buf(("AuthorizedKeysCommandConfigured=0
    [sfg-svc@oralnx ~]$ "))
    Friday, October 23, 2020 10:11:20 AM Debug Send : res=`sudo sshd -T | grep -o -i "^AuthorizedKeysCommand.*" 2>/dev/null | awk '{print $2}'`; echo AuthorizedKeysCommand=${res}
    Friday, October 23, 2020 10:11:20 AM Debug RECV buf(("AuthorizedKeysCommand=none none
    [sfg-svc@oralnx ~]$ "))
    Friday, October 23, 2020 10:11:20 AM Debug Send : sudo sshd -T | grep -o -i "^AuthorizedKeysCommandUser.*" >/dev/null 2>&1; echo "AuthorizedKeysCommandUserConfigured=$?"
    Friday, October 23, 2020 10:11:21 AM Debug RECV buf(("AuthorizedKeysCommandUserConfigured=0
    [sfg-svc@oralnx ~]$ "))
    Friday, October 23, 2020 10:11:21 AM Debug Send : sudo sshd -T | grep -o -i "^AuthorizedKeysCommandUser.*" >/dev/null 2>&1; echo "AuthorizedKeysCommandUser=$?"
    Friday, October 23, 2020 10:11:21 AM Debug RECV buf(("AuthorizedKeysCommandUser=0
    [sfg-svc@oralnx ~]$ "))
    Friday, October 23, 2020 10:11:21 AM Debug Send : sudo none
    Friday, October 23, 2020 10:11:21 AM Debug RECV buf(("**secret**"))
    Friday, October 23, 2020 10:11:21 AM Debug Send : res=`sudo grep -o -i "^Match Host.*" '/etc/ssh/sshd_config' >/dev/null 2>&1`; echo "matchHostConfigured=$?"
    Friday, October 23, 2020 10:11:22 AM Debug RECV buf(("
    "))
    Friday, October 23, 2020 10:11:23 AM Debug RECV buf(("Sorry, try again.
    SUDO password for sfg-svc:"))
    Friday, October 23, 2020 10:11:23 AM Debug Send : **secret**
    Friday, October 23, 2020 10:11:24 AM Debug RECV buf(("
    sudo: none: command not found
    [sfg-svc@oralnx ~]$ "))
    Friday, October 23, 2020 10:11:44 AM Debug RECV buf((""))
    Friday, October 23, 2020 10:11:44 AM Debug Send : sudo test -f '/home/keygen-sfg/.ssh/authorized_keys'; echo "AuthKeysFileExist=$?"
    Friday, October 23, 2020 10:11:44 AM Debug RECV buf(("AuthKeysFileExist=0
    [sfg-svc@oralnx ~]$ "))
    Friday, October 23, 2020 10:11:44 AM Debug Send : sudo test -r '/home/keygen-sfg/.ssh/authorized_keys'; echo "AuthKeysFileExist=$?"
    Friday, October 23, 2020 10:11:44 AM Debug RECV buf(("AuthKeysFileExist=0
    [sfg-svc@oralnx ~]$ "))
    Friday, October 23, 2020 10:11:44 AM Debug Send : res=`sudo cat /home/keygen-sfg/.ssh/authorized_keys 2>/dev/null`; echo "Keys=${res}"
    Friday, October 23, 2020 10:11:45 AM Debug RECV buf(("Keys=ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIj6kOLXbCUAbw0tbx7IX7VYl2BwRcMSkFKYnk4wBldm/iNHXkVOjIUpE6mmzBKtBdPADfbt3gSeqe9tJW2rnw1BymzsRbPej8FpCXsKbqL382YWdd5i9yb1khgK5Wt/gBY0guvHy+Cz4pkXNEYhx+fkDWLlx1um2CyZt71vPJXRM9XnsL5Hx7qVfHWxqcdroWJ2Dz8DuBm3IRSeDoTACbaFf/1BvPdXp27ckPGN8JId8Exu7GgAoFXWN2tcIWqJXL14MEHRn+yeOBnC/pr8HuFVJHpPkA9AwtKtekqfNA3NSXKzfR7P+pUbyei3QzSCnCDofg8BApOFkjsTKuspsh Safeguard generated on 2020-10-14T11:32:59.5408072Z
    [sfg-svc@oralnx ~]$ "))
    Friday, October 23, 2020 10:11:45 AM Debug Send : sudo test -f '/home/keygen-sfg/.ssh/authorized_keys'; echo "KeystoreIsAFile=$?"
    Friday, October 23, 2020 10:11:45 AM Debug RECV buf(("KeystoreIsAFile=0
    [sfg-svc@oralnx ~]$ "))
    Friday, October 23, 2020 10:11:45 AM Debug Send : res=`sudo ls -l /home/keygen-sfg/.ssh/authorized_keys 2>/dev/null | awk '{print $0}'`; echo KeystorePermissions=${res}
    Friday, October 23, 2020 10:11:45 AM Debug RECV buf(("SUDO password for sfg-svc:"))
    Friday, October 23, 2020 10:11:45 AM Debug Send : **secret**
    Friday, October 23, 2020 10:11:46 AM Debug RECV buf(("
    KeystorePermissions=
    [sfg-svc@oralnx ~]$ "))
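
The log above shows the prefix pattern `^AuthorizedKeysCommand.*` matching both `authorizedkeyscommand` and `authorizedkeyscommanduser` (hence `none none`), after which `none` is sent to sudo as if it were a command. As an added example (not Safeguard's code and not part of the original posts), this shell script reads `sshd -T` output with an exact keyword match and treats `none` as disabled; the sample dump and the function names `sshd_value`, `akc_status` and `prefix_match` are constructed for illustration.

```shell
#!/bin/sh
# Added example; not Safeguard's code. Function names are hypothetical.

# Constructed sample of `sshd -T` output (keywords are printed in lowercase,
# and an unset AuthorizedKeysCommand is reported as "none").
SAMPLE_SSHD_T='usedns no
pubkeyauthentication yes
authorizedkeysfile .ssh/authorized_keys
authorizedkeyscommand none
authorizedkeyscommanduser none'

# sshd_value KEYWORD: read `sshd -T` output on stdin, print KEYWORD's value.
# Field 1 is compared as a whole word, so "authorizedkeyscommand" cannot
# also match "authorizedkeyscommanduser".
sshd_value() {
    awk -v key="$1" 'tolower($1) == tolower(key) {
        $1 = ""; sub(/^ +/, ""); print; exit
    }'
}

# akc_status: read `sshd -T` output on stdin and classify the setting.
# Prints "disabled" when the command is empty or "none", otherwise
# "enabled:<command>:<user>".
akc_status() {
    dump=$(cat)
    cmd=$(printf '%s\n' "$dump" | sshd_value AuthorizedKeysCommand)
    user=$(printf '%s\n' "$dump" | sshd_value AuthorizedKeysCommandUser)
    case "$cmd" in
        ''|none) echo "disabled" ;;
        *)       echo "enabled:${cmd}:${user}" ;;
    esac
}

# prefix_match: the grep/awk pipeline from the log, kept for comparison.
# It returns one value per matching line, joined by spaces.
prefix_match() {
    grep -o -i "^AuthorizedKeysCommand.*" | awk '{print $2}' | paste -sd' ' -
}

printf 'exact match:  %s\n' "$(printf '%s\n' "$SAMPLE_SSHD_T" | akc_status)"
printf 'prefix match: %s\n' "$(printf '%s\n' "$SAMPLE_SSHD_T" | prefix_match)"
```

On a live host the same functions can be fed real output, for example `sudo sshd -T | akc_status`.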

  • Hi Hamza,

    Please try increasing the connection timeout (double-click on Asset > Connection tab) from the default of 20 seconds to something like 60 or more to see if you get any better results.

    Thanks!

  • Hi Ahmed,

    I did as you suggested in your last recommendation:

    Generate and then Install SSH Key work perfectly, but Verify doesn't, as the same error came back:

    Queuing task.
    Starting task.
    Checking authorized key for account Account1 on asset Oracle Linux.
    Connecting with asset Oracle Linux (10.0.1.80).
    System login test.
    System login test.
    Checking SSH configuration from file: /etc/ssh/sshd_config.
    Checking configuration for SSH server: OpenSSH_7.4 from configuration file: /etc/ssh/sshd_config.
    Discovering authorized keystore template(s) .ssh/authorized_keys on asset Oracle Linux.
    Discovering authorized key file(s): /home/Account1/.ssh/authorized_keys.
    SSH Server on asset Oracle Linux is configured to run the authorized key command none as account none
    .

  • If you are running the latest version of Safeguard and the Desktop client but still see the issue, then I would suggest opening a ticket and providing a support bundle to investigate this further via:

    support.oneidentity.com/create-service-request