sftp broken after applying September 2018 9.x API Gateway Patch


Article ID: 116978


Products

STARTER PACK-7, CA Rapid App Security, CA API Gateway

Issue/Introduction

SFTP connections fail after applying CA_API_PlatformUpdate_64bit_v9.X-RHEL-2018-09-19.L7P to 9.x CA API Gateway hosts.
This affects both the standard sftp command-line client and FTP clients such as WinSCP and FileZilla.

Environment

API Gateway 9.x

Cause

The September monthly update introduced security measures to stop the authenticated ssgconfig user from obtaining a shell on the Gateway.
API Gateway Development is researching this issue as of the publish date of this KB. This KB should eventually be retired once a permanent fix is available.

Resolution

Comment out the /etc/ssh/ssh_force_command.sh entries in the /etc/ssh/sshd_config file, as shown below, and then restart the SSH daemon:

#Match user ssgconfig
#       ForceCommand /etc/ssh/ssh_force_command.sh

Restart the sshd daemon with:
# service sshd restart

The /etc/ssh/ssh_force_command.sh file references /opt/SecureSpan/Platform/bin/configuser_profile_menu.sh, which is the ssgconfig wizard menu file. After the /etc/ssh/ssh_force_command.sh entries are commented out in sshd_config and the SSH daemon is restarted, sftp connections work on 9.x Gateways.
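
The check below is an added example, not part of the original article or of CA's tooling: it reports whether a ForceCommand still applies to a given user in an sshd_config-style file, so the edit can be confirmed before sshd is restarted. The function name and the sample files are constructed for illustration, and only "Match User" lines with literal names and "Match all" are interpreted (assumption).

```shell
#!/bin/sh
# Added example: does a ForceCommand apply to USER in an sshd_config-style file?
# Assumption: only "Match User <literal,names>" and "Match all" are interpreted;
# any other Match criteria are treated as not matching.

force_command_state() {
    # $1 = config path, $2 = user; prints "active <command>" or "disabled"
    awk -v user="$2" '
        BEGIN { applies = 1 }                 # global section applies to everyone
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # skip comments and blank lines
        {
            key = tolower($1)
            if (key == "match") {             # a Match line starts a new block
                applies = (tolower($2) == "all")
                if (tolower($2) == "user") {
                    n = split($3, names, ",")
                    for (i = 1; i <= n; i++)
                        if (names[i] == user) applies = 1
                }
                next
            }
            # sshd uses the first value it obtains for a keyword
            if (key == "forcecommand" && applies && found == "") {
                sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # strip keyword, keep command
                found = $0
            }
        }
        END { if (found != "") print "active " found; else print "disabled" }
    ' "$1"
}

# Constructed sample files (not copied from a real Gateway host).
demo_dir=$(mktemp -d)
fc='       ForceCommand /etc/ssh/ssh_force_command.sh'
printf '%s\n' 'Match user ssgconfig' "$fc"   > "$demo_dir/patched"
printf '%s\n' '#Match user ssgconfig' "#$fc" > "$demo_dir/workaround"
printf '%s\n' '#Match user ssgconfig' "$fc"  > "$demo_dir/partial"

for f in patched workaround partial; do
    echo "$f: $(force_command_state "$demo_dir/$f" ssgconfig)"
done
```

On a real host, run `sshd -t` after editing /etc/ssh/sshd_config to validate the file before restarting the daemon. The "partial" case shows why both lines must be commented out: with only the Match line disabled, ForceCommand falls into the preceding section (the global one if no earlier Match block exists) and applies to every user it covers.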