If you cannot SSH from the Console, the SSH keys might be corrupted or have permission issues. This article explains how to diagnose and resolve these types of issues.
Resolving The Problem
Managed Tunnel Key directory (Console only)
[root@Console-1 ~]# ls -al /store/configservices/staging/globalconfig/ssh_public_keys/
drwxr-xr-x 2 nobody nobody 62 May 2 20:19 .
drwxrwxr-x 9 nobody nobody 24576 May 3 10:10 ..
-rw-r--r-- 1 nobody nobody 406 May 2 18:25 Console_key
-rw-r--r-- 1 nobody nobody 409 May 2 18:27 host_103_key
-rw-r--r-- 1 nobody nobody 409 May 2 20:19 host_104_key
Review the permissions within the /root/.ssh directory (Console & managed hosts)
[root@Console-1 .ssh]# ls -la .ssh/
total 24
drwx------ 2 root root 4096 May 2 18:35 .
dr-xr-x---. 4 root root 4096 May 2 18:38 ..
-rw------- 1 root nobody 426 May 2 18:35 authorized_keys
-rw------- 1 root nobody 1675 May 2 18:25 id_rsa
-rw------- 1 root nobody 406 May 2 18:25 id_rsa.pub
-rw------- 1 root root 788 May 2 18:25 known_hosts
If permissions are incorrect, then Administrators should update permissions as instructed below:
[root@Console-1~]# chmod 700 /root/.ssh
[root@Console-1~]# chmod 600 /root/.ssh/*
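A report-only check that can be run before the chmod commands above, so the deviations are recorded before they are overwritten. This is an added example, not part of the original article; the function names `audit_ssh_dir` and `check_entry` are hypothetical, and it assumes GNU stat and the exact modes the article sets (700 for the directory, 600 for the files in it).

```bash
#!/bin/bash
# Added example, not from the original article. Report-only: changes nothing.
# Compares an .ssh directory with the modes the article sets (700 / 600).
# Assumes GNU stat (-c), as found on Linux hosts.

# audit_ssh_dir DIR [UID]  -- UID defaults to 0 (root).
# Prints one "BAD" line per deviation; returns 0 if clean, 1 otherwise.
audit_ssh_dir() {
    local dir="$1" uid="${2:-0}" rc=0 f

    if [ ! -d "$dir" ]; then
        echo "BAD $dir: missing or not a directory"
        return 1
    fi
    check_entry "$dir" 700 "$uid" || rc=1

    # Same glob as 'chmod 600 /root/.ssh/*': non-hidden entries only.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue   # skips the literal pattern if dir is empty
        check_entry "$f" 600 "$uid" || rc=1
    done
    return "$rc"
}

# check_entry PATH EXPECTED_MODE EXPECTED_UID
check_entry() {
    local path="$1" want_mode="$2" want_uid="$3" mode owner rc=0
    mode=$(stat -L -c '%a' "$path")
    owner=$(stat -L -c '%u' "$path")
    if [ "$mode" != "$want_mode" ]; then
        echo "BAD $path: mode $mode, expected $want_mode"
        rc=1
    fi
    if [ "$owner" != "$want_uid" ]; then
        echo "BAD $path: owner uid $owner, expected $want_uid"
        rc=1
    fi
    return "$rc"
}

# Run directly as: ./audit_ssh_dir.sh /root/.ssh
if [ "$#" -gt 0 ]; then
    audit_ssh_dir "$@"
fi
```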
Verify that the Console's public key file is present on the managed host
[root@Console-1 ~]# ssh 192.0.2.11
- SSH public key login from managed hosts to the Console is no longer automatic.
- SSH public key login from a QFlow to a Flow Processor is still automatic.
- Log in to the Console using an SSH session as root user.
- Copy the keys using the command: ssh-copy-id user@host
Example of command and output
#ssh-copy-id email@example.com
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new key
firstname.lastname@example.org's password:

Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'email@example.com'"
and check to make sure that only the key(s) you wanted were added.
The remote host's SSH public key is wrong in the local host's /root/.ssh/known_hosts
In the example below, an attempt to open a standard SSH session from the Console to a managed host cannot complete because the key is not found in the known_hosts list.
[root@QRadar-3100 .ssh]# ssh 192.168.0.77
The error message 'Offending key in /root/.ssh/known_hosts: 2' indicates to the Administrator that line #2 in the known_hosts file is incorrect. Administrators can either compare the fingerprint.
The error message looks similar to:
Last login: Tue May 3 16:32:30 2016 from 192.168.0.75
This server was upgraded to QRadar 22.214.171.12451107134559 on Thu Apr 7 16:05:15 EDT 2016 with patch 126.96.36.19960405164932 applied on Mon Apr 11 14:00:17 EDT 2016
[root@Qradar726-1201 ~]# ssh 192.168.0.76
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
bd:36:16:a8:00:2a:c9:56:6d:e2:26:eb:8d:66:3f:d5.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:2
RSA host key for 192.168.0.76 has changed and you have requested strict checking.
Host key verification failed.
Administrators can use the command below to correct or remove line #2. After line #2 is removed or corrected, Administrators can attempt to connect by using SSH. If the line was removed, SSH prompts to update the known_hosts list; if the key was corrected, the SSH session is established without any prompts to the user.
- Log into the QRadar Console using an SSH session.
- If the error message does not originate on the Console, SSH to the offending managed host.
- At the prompt type:
ssh-keygen -R <IP of host>
Example where line 2 corresponds to 192.168.0.76:
ssh-keygen -R 192.168.0.76
08 January 2021