Problems with SFTP agent certificate exchange on Windows for RSA Security Analytics
Issue
When attempting to configure the SFTP Agent on a Windows Server to send logs to the Security Analytics Log Collector for File Collection, following the instructions in Install and Update the SFTP Agent for RSA NetWitness Platform, errors similar to the example below are displayed.
Offered public key
Server refused our key
Server refused public key
No supported authentication methods left to try!
No supported authentications offered. Disconnecting
Server closed network connection
ssh_init: error during SSH connection setup
Cause
As instructed in the Private Key Issues section of the SFTP Agent Installation Guide, part of the resolution may be generating a new key pair using the puttygen.exe application. Another reason may be that the sshd service on the appliance running the Log Collector service may be pointing to a different authorized_keys location.
The sshd service on the Log Collector running Security Analytics 10.4.0.2 may have its keys in the /upload/.ssh/authorized_keys file.
Updating the Event Source SSH Key via the Security Analytics UI at version 10.4.0.2 adds the public key to the /home/upload/.ssh/authorized_keys file.
Workaround
To resolve the issue, perform one of the workarounds below.
Workaround #1
Copy the new keys that were added via the Security Analytics UI to the appropriate directory on the Log Collector appliance and set the permissions.
cp /home/upload/.ssh/authorized_keys /upload/.ssh/authorized_keys
chown sftp /upload/.ssh/authorized_keys
chmod 600 /upload/.ssh/authorized_keys
NOTE: This can be done automatically by running the /etc/netwitness/ng/logcollector/lctwin script on the Log Collector appliance.
Workaround #2
- Edit the /etc/ssh/ssh_config file on the Log Collector appliance so that it includes the lines below.
AuthorizedKeysFile .ssh/authorized_keys
AuthorizedKeysFile2 /upload/.ssh/authorized_keys
- Restart the sshd service to reflect the changes.
service sshd restart
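To confirm the mismatch described under Cause, and to verify the result after Workaround #1, the following added shell example (not part of the original article or RSA's tooling) compares the two authorized_keys files by key material and checks the mode and owner of the file sshd reads. The function names are hypothetical, and it assumes GNU stat plus the paths and sftp owner named above.

```shell
#!/bin/sh
# Added example, not RSA code. Default paths are the two named in this article.

# Print "keytype base64blob" for each key in an authorized_keys file,
# ignoring blank lines, comments, leading options and trailing key comments.
key_blobs() {
    [ -r "$1" ] || return 0          # an unreadable or absent file holds no keys
    awk 'NF == 0 || $1 ~ /^#/ { next }
         { for (i = 1; i < NF; i++)
               if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-)/) { print $i, $(i + 1); break } }' "$1" |
        LC_ALL=C sort -u
}

# List keys present in file $1 but absent from file $2.
missing_keys() {
    a=$(mktemp) && b=$(mktemp) || return 2
    key_blobs "$1" > "$a"
    key_blobs "$2" > "$b"
    LC_ALL=C comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Succeed only if file $1 has mode 600 and is owned by user $2 (GNU stat).
perms_ok() {
    [ "$(stat -c '%a %U' "$1" 2>/dev/null)" = "600 $2" ]
}

# check_keys [ui_file] [sshd_file] [owner]: return 0 when sshd's file holds every
# key the UI wrote and has the ownership and mode set in Workaround #1.
check_keys() {
    ui=${1:-/home/upload/.ssh/authorized_keys}
    sshd=${2:-/upload/.ssh/authorized_keys}
    owner=${3:-sftp}
    rc=0
    missing=$(missing_keys "$ui" "$sshd") || return 2
    if [ -n "$missing" ]; then
        echo "In $ui but not in $sshd:"
        echo "$missing" | cut -c1-72
        rc=1
    fi
    perms_ok "$sshd" "$owner" || { echo "$sshd is not mode 600 owned by $owner"; rc=1; }
    return $rc
}
# Run on the Log Collector as root:  check_keys && echo "authorized_keys consistent"
```

Keys are compared by type and base64 blob only, so a key whose trailing comment or leading options differ between the two files still counts as present.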
Resolution
Product Details
RSA Product Set: RSA NetWitness Platform; Security Analytics
RSA Product/Service Type: Security Analytics SFTP Agent, Log Collector, Core Appliance, Log Hybrid, All-in-One, Security Analytics UI
Platform: SFTP Agent running on Windows, Log Collector running on CentOS 7 Linux
Summary
sasftpagent for RSA NetWitness SSH configuration and possible permissions are denied.