Troubleshooting
Problem
If you cannot SSH from the Console, the SSH keys might be corrupted or have permission issues. This article describes how to diagnose and resolve these types of issues.
Resolving The Problem
Review the permissions within the SSH directory (Console & managed hosts)
- Use SSH to log in to the QRadar Console as the root user.
- Check the permissions of the /root/.ssh/ directory by using the ls command:
ls -lah /root/.ssh/
Output example:
total 24
drwx------  2 root root   4096 May 2 18:35 .
dr-xr-x---. 4 root root   4096 May 2 18:38 ..
-rw-------  1 root nobody  426 May 2 18:35 authorized_keys
-rw-------  1 root nobody 1675 May 2 18:25 id_rsa
-rw-------  1 root nobody  406 May 2 18:25 id_rsa.pub
-rw-------  1 root root    788 May 2 18:25 known_hosts
Result
Administrator reviewed the permissions for the SSH directory and files. If the permissions are not correct, follow the steps in the Solution section.
If permissions are not correct, administrators need to assign the correct permissions by running the following steps:
- Use SSH to log in to the QRadar Console as the root user.
- Assign the correct permissions for the /root/.ssh/ directory:
chmod 700 /root/.ssh
- Assign the correct permissions for the files in the /root/.ssh/ directory:
chmod 600 /root/.ssh/*
Administrator assigned the correct permissions for the SSH files and directory.
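The review and fix steps above can be combined into one check. The following script is an added example, not part of the original article or of any QRadar tooling: it compares a directory against the modes the article assigns (700 for the directory, 600 for each file) and prints the chmod command that corrects each finding. The function name audit_ssh_perms and the output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not IBM/QRadar code. audit_ssh_perms is a hypothetical helper.
# Checks the modes this article assigns: 700 on the directory, 600 on its files.
# Exit status: 0 = all correct, 1 = at least one finding, 2 = directory missing.

audit_ssh_perms() {
    dir=${1:-/root/.ssh}
    findings=0

    if [ ! -d "$dir" ]; then
        echo "MISSING $dir is not a directory"
        return 2
    fi

    # -prune stops find from descending; "! -perm 700" matches only when the
    # mode is not exactly 700, so any output here means a wrong mode.
    if [ -n "$(find "$dir" -prune ! -perm 700)" ]; then
        echo "DIR  $dir  fix: chmod 700 $dir"
        findings=$((findings + 1))
    fi

    # Same glob as the article's "chmod 600 /root/.ssh/*" (dotfiles excluded).
    for f in "$dir"/*; do
        # Skip non-files and symlinks; an empty directory leaves the glob unexpanded.
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        if [ -n "$(find "$f" -prune ! -perm 600)" ]; then
            echo "FILE $f  fix: chmod 600 $f"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}

# Usage on the Console or a managed host, as root:
#   audit_ssh_perms /root/.ssh
```

The script only reports; it changes nothing, so the printed chmod commands can be reviewed before they are run.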
Verify that the Console's public key is present on the managed host
Run the following steps to determine whether the password is required:
- Use SSH to log in to the QRadar Console as the root user.
- Try to connect to a managed host by using SSH:
ssh <remote_host>
root@<remote_host>'s password:
Administrator confirmed that a password is required to establish a connection with a managed host.
Solution
Validate if the remote host's public key exists in the console's known_hosts file
- Use SSH to log in to the QRadar Console as the root user.
- Try to connect to a managed host by using SSH:
ssh <remote_host>
ERROR: No ECDSA host key is known for <Remote Host IP> and you have requested strict checking.
ERROR: Host key verification failed.
Administrator confirmed that the connection is not established because of the missing key.
Solution
Validate if the remote host's public key is different than the one existing in the console's known_hosts file
- Use SSH to log in to the QRadar Console as the root user.
- Try to connect to a managed host by using SSH:
ssh <remote_host>
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:JwHDVTX+Sl0K3+WDY3rOm5E5ww/TIlQnz1v7r9EUC8w.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /root/.ssh/known_hosts:X
ECDSA host key for X.X.X.X has changed and you have requested strict checking.
Host key verification failed.
Administrator confirmed that the connection is not established because of a public key mismatch.
Follow the steps on QRadar: SSH fails with error "Offending ECDSA key in /root/.ssh/known_hosts:".
Related Information
QRadar: Troubleshooting SSH connections and tunnels issues
QRadar: About Secure Shell (SSH)
QRadar: SSH connection to managed host prompts for password
QRadar: SSH to host fails with error "No ECDSA host key is known for <Remote Ho…
QRadar: SSH fails with error "Offending ECDSA key in /root/.ssh/known_hosts:"
QRadar: sshd service fails with the error "Permissions 0604 for '/etc/ssh/ssh_h…
Document Location
Worldwide
Document Information
Modified date:
25 October 2023
UID
ibm10960868