Access Denied Message after Using SSH to connect to the Server through Safeguard

Hi Professionals...

I have a strange problem when our users try to connect to some servers through Safeguard.

Users cannot access some servers via SSH connection. They can enter a username and password but cannot log in due to an Access denied message.

We thought that the problem was related to entering a wrong username or password. But after bypassing Safeguard our users could connect to their servers without any headache!

Also, some servers have this problem, not all of them. 

No remote group or gateway group has been specified on the channel policy.

Authentication policies are in base form (choosing Relayed authentication methods: password and Keyboard-interactive).

No server host key configuration.

The 'setting' section under SSH Control uses its default configuration.

No problem for telnet connections. (Users can use telnet to connect to those servers that have the problem with SSH.)

Any idea please?!

  

  • Hi,

    - What is the version of SPS?

    - Can you try the following:
    1. Reproduce the issue with an impacted user.
    2. Go to Basic Settings > Troubleshooting. Under View log files, select the Logtype as SSH and click View to see what the logs are showing.

  • Hi Dear Ahmad....

    Safeguard 6.5.0

    I have found these lines in log file:

    2020-12-16T08:36:07 safegaurd.xx.local zorp/scb_ssh[30697]: core.error(4): (svc/foL55BXYV3aJ3AMpwJLoqw/TESTSSHServer:43/ssh): OpenSSL error; error='1010F08A:elliptic curve routines:lib(16):pkey_ecd_ctrl:func(271):invalid digest type:reason(138)'

    2020-12-16T08:38:06 safegaurd.xx.local zorp/scb_ssh[30697]: ssh.auth(3): (svc/foL55BXYV3aJ3AMpwJLoqw/ESTSSHServer:43/ssh): User authentication failure on server; username='a.xxxxx', gateway_user=''

    Look at the end of the first line: invalid digest type:reason(138)'    <--------- What does it mean?!

    Also, remember that the username and password are correct.

     

  • This issue is fixed in the next release of SPS, v6.6 or higher. The next step is to upgrade the SPS firmware.

  • Hi Dear Tawfiq.

    The problem has been solved by using the Authentication policy and LDAP server setting to direct the authentication process toward our LDAP server (MS Active Directory).

    We didn't upgrade our SPS.

    Thank you.
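
Added example (not part of the thread and not One Identity code): a small Python triage over SSH log lines in the format quoted above, which separates authentication failures that follow an OpenSSL error in the same session from failures with no such error. The sample lines are constructed, and the line layout and the use of the `svc/...` string as the session key are assumptions taken from the two lines in the post.

```python
import re

# Constructed sample lines modelled on the two log lines quoted in the thread;
# host name, session ids, service name and user names are placeholders.
SAMPLE_LOG = """\
2020-12-16T08:36:07 sps.example zorp/scb_ssh[30697]: core.error(4): (svc/SESSIONA/ExampleSSH:43/ssh): OpenSSL error; error='1010F08A:elliptic curve routines:lib(16):pkey_ecd_ctrl:func(271):invalid digest type:reason(138)'
2020-12-16T08:36:09 sps.example zorp/scb_ssh[30697]: ssh.auth(3): (svc/SESSIONA/ExampleSSH:43/ssh): User authentication failure on server; username='user1', gateway_user=''
2020-12-16T08:40:11 sps.example zorp/scb_ssh[30697]: ssh.auth(3): (svc/SESSIONB/ExampleSSH:44/ssh): User authentication failure on server; username='user2', gateway_user=''
"""

# Assumed layout: timestamp host zorp/scb_ssh[pid]: tag(level): (session): message
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ zorp/scb_ssh\[\d+\]: (?P<tag>[\w.]+)\(\d+\): "
    r"\((?P<session>svc/[^)]+)\): (?P<msg>.*)$"
)


def triage(log_text):
    """Return one (session, username, openssl_error) tuple per authentication failure.

    openssl_error is the error string logged earlier in the same session,
    or None when the session shows no OpenSSL error before the failure.
    """
    crypto_errors = {}  # session -> last OpenSSL error text seen
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an scb_ssh line in the assumed layout
        session, msg = m["session"], m["msg"]
        if msg.startswith("OpenSSL error;"):
            err = re.search(r"error='([^']*)'", msg)
            crypto_errors[session] = err.group(1) if err else msg
        elif msg.startswith("User authentication failure"):
            user = re.search(r"username='([^']*)'", msg)
            findings.append(
                (session, user.group(1) if user else None, crypto_errors.get(session))
            )
    return findings


if __name__ == "__main__":
    for session, user, err in triage(SAMPLE_LOG):
        note = f"preceded by OpenSSL error: {err}" if err else "no OpenSSL error in session"
        print(f"{session} user={user}: {note}")
```

A failure reported with an earlier OpenSSL error in the same session is worth investigating on the proxy side before resetting the user's credentials.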