agent-less import of Linux/RHEL9/Ubuntu22 is failing with authentication

Article ID: 265615

Products

Control Compliance Suite Standards Server, Control Compliance Suite, Control Compliance Suite Standards Module

Issue/Introduction

I'm trying to import a few RHEL9 servers into CCS (Control Compliance Suite) as a preparation for agent-less scanning, but the import is failing with:

SSH connection is closed by server due to protocol error:" 32 Too many authentication failures"

The import is using an SSH private-public key pair to log in to the servers. I used the same private key as CCS uses in a PuTTY session and log-in works this way. Please help troubleshoot why the login from CCS errors out.

Environment

Release : CCS Infra Release 12.6.1

Cause

When the RSA key type is used, CCS authenticates with an older method that is no longer supported on RHEL 9, Ubuntu 22, and newer Linux releases that ship newer OpenSSH versions.

Resolution

There are currently 4 workarounds that can be used until this is fixed in a future update.

First, install an agent on the RHEL 9 server(s).

Second, use password-based authentication instead of certificate-based authentication.

Third, enable the LEGACY policy on the RHEL 9 server(s), e.g.:

As mentioned in the section "Remediation of most common issues missing algorithms and protocol support" on the page https://access.redhat.com/articles/3642912, some older handshake mechanisms are not available in the DEFAULT policy. Certificate authentication works with CCS after switching to the LEGACY policy.

Switch to the LEGACY policy by issuing the following command from the root account:

update-crypto-policies --set LEGACY

Fourth, generate the certificate using the ECDSA key type, e.g.:

Create the keys using the puttygen tool with one of the following key types:

  • ecdsa-sha2-nistp256
  • ecdsa-sha2-nistp384
  • ecdsa-sha2-nistp521

If you are using puttygen version 0.74 and below for generating the public and private keys, PPK file version 2 is used by default.

If you are using puttygen version 0.75 and above for generating the public and private keys, make sure that the keys are generated with PPK file version 2, as this is the format currently supported in CCS. (In puttygen version 0.75 and later, the private key file format was upgraded to PPK3.) I have added the screenshot (see below) for reference.

Supporting the PPK file version 3 format will require a code change. To unblock the customer, they can use the PPK file version 2 format when generating the ECDSA type keys.

Steps:

  1. Create the public and private keys using the puttygen tool with an ECDSA key type and PPK file version 2.
  2. Copy the public key to the authorized_keys file on the RHEL 9 target.
  3. Add the private key file to the CCS credential workspace for the RHEL 9 assets.
  4. Run asset import on the RHEL 9 assets. The assets will be imported successfully.
  5. Run data collection against the RHEL 9 assets. Data collection will be successful.
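
A pre-flight check for steps 1 and 2, added here as an example and not part of CCS or of the original article: it reads a .ppk file's header, confirms PPK file version 2 and one of the listed ECDSA key types, and builds the matching authorized_keys line from the public section. The function names are hypothetical, and the sample file is constructed from placeholder bytes rather than a real key.

```python
import base64
import re
import struct

# Key types the article lists for the ECDSA workaround.
ECDSA_TYPES = {"ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def check_ppk(text):
    """Return (issues, authorized_keys_line) for the contents of a .ppk file."""
    lines = text.splitlines()
    head = re.match(r"PuTTY-User-Key-File-(\d+): (\S+)$", lines[0] if lines else "")
    if not head:
        return ["not a PuTTY private key file"], None
    version, algo = int(head.group(1)), head.group(2)
    issues = []
    if version != 2:
        issues.append(f"PPK file version {version}; CCS needs version 2")
    if algo not in ECDSA_TYPES:
        issues.append(f"key type {algo} is not one of the listed ECDSA types")
    comment = next((l[9:] for l in lines if l.startswith("Comment: ")), "")
    try:
        start = next(i for i, l in enumerate(lines) if l.startswith("Public-Lines: "))
        count = int(lines[start][14:])
        b64 = "".join(lines[start + 1:start + 1 + count])
        blob = base64.b64decode(b64, validate=True)
        (name_len,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + name_len].decode() != algo:
            issues.append("public key blob does not match the header key type")
    except (StopIteration, ValueError, struct.error):
        return issues + ["public key section is missing or corrupt"], None
    # The PPK public blob is the same SSH wire encoding authorized_keys uses.
    return issues, f"{algo} {b64} {comment}".strip()

def sample_ppk(version, algo):
    """Constructed sample file: placeholder bytes, not a usable key."""
    def field(b):
        return struct.pack(">I", len(b)) + b
    blob = field(algo.encode()) + field(algo.split("-")[-1].encode()) + field(b"\x04" + bytes(64))
    b64 = base64.b64encode(blob).decode()
    pub = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"PuTTY-User-Key-File-{version}: {algo}", "Encryption: none",
                      "Comment: ccs-sample", f"Public-Lines: {len(pub)}", *pub,
                      "Private-Lines: 1", "AAAA", "Private-MAC: 00"])

if __name__ == "__main__":
    for ver, algo in [(2, "ecdsa-sha2-nistp256"), (3, "ecdsa-sha2-nistp256"), (2, "ssh-rsa")]:
        print(ver, algo, check_ppk(sample_ppk(ver, algo)))
```

An empty issues list means the file matches what the steps above require; a non-empty list names the header field to fix before adding the key to the CCS credential workspace.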