I'm trying to import a few RHEL9 servers into CCS (Control Compliance Suite) as a preparation for agent-less scanning, but the import is failing with:
SSH connection is closed by server due to protocol error: "32 Too many authentication failures"
The import is using an SSH private/public key pair to log in to the servers. I used the same private key as CCS uses in a PuTTY session and login works this way. Please help troubleshoot why the login from CCS errors out.
Release : CCS Infra Release 12.6.1
CCS uses an older authentication method that is no longer supported by the newer OpenSSH versions shipped with RHEL 9, Ubuntu 22 and newer OS releases when the RSA key type is used.
There are currently 4 workarounds that can be used until this is fixed in a future update.
First, install an agent on the RHEL 9 server(s).
Second, use password-based authentication instead of certificate-based authentication.
Third, enable the LEGACY crypto policy on the RHEL 9 server(s):
As described in the section "Remediation of most common issues missing algorithms and protocol support" on the page https://access.redhat.com/articles/3642912
Some older handshake mechanisms are not available in the DEFAULT policy; certificate authentication works with CCS after switching to the LEGACY policy.
Switching to the LEGACY policy is done by issuing the following command from the root account:
update-crypto-policies --set LEGACY
Note that the LEGACY policy relaxes the cryptographic settings system-wide, not only for sshd, and the command itself states that the new policy is applied when applications start, so restart sshd (or reboot the server) for it to take effect.
Fourth, generate the certificate (key pair) using the ECDSA key type:
Create the keys with the puttygen tool using one of the following key types.
If you are using puttygen version 0.74 or earlier to generate the public and private keys, PPK file version 2 is used by default.
If you are using puttygen version 0.75 or later to generate the public and private keys, make sure the keys are generated with PPK file version 2, as this is the only format CCS currently supports (puttygen 0.75 and later changed the default private key file format to PPK version 3). A screenshot is included below for reference.
Supporting the PPK file version 3 format will require a code change in CCS; until then, use the PPK file version 2 format when generating the ECDSA keys.
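As an added example (not part of this article or of the CCS product), a small Python check that reads the header line of a .ppk file and reports whether its PPK version and key type match what this article says CCS 12.6.1 needs against a RHEL 9 target; the function name and the sample headers are constructed for illustration:

```python
import re

# Constraints taken from this article: CCS 12.6.1 reads PPK file version 2 only,
# and RSA keys fail against the RHEL 9 DEFAULT crypto policy, so ECDSA is the
# recommended key type. The function and sample headers are hypothetical.
SUPPORTED_PPK_VERSION = 2
ECDSA_TYPES = {"ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
HEADER_RE = re.compile(r"^PuTTY-User-Key-File-(\d+):\s*(\S+)\s*$")


def check_ppk(ppk_text):
    """Return (version, key_type, problems) for the text of a .ppk file.

    problems is empty when the key matches what this article says CCS needs
    for a RHEL 9 target; otherwise it lists the reasons it will not work."""
    lines = ppk_text.strip().splitlines()
    match = HEADER_RE.match(lines[0]) if lines else None
    if not match:
        return None, None, ["not a PuTTY PPK file (no PuTTY-User-Key-File header)"]
    version, key_type = int(match.group(1)), match.group(2)
    problems = []
    if version != SUPPORTED_PPK_VERSION:
        problems.append(f"PPK file version {version}; CCS currently needs version "
                        f"{SUPPORTED_PPK_VERSION} (select it in puttygen before saving)")
    if key_type == "ssh-rsa":
        problems.append("ssh-rsa key; fails under the RHEL 9 DEFAULT crypto policy, "
                        "regenerate as ECDSA or switch the server to LEGACY")
    elif key_type not in ECDSA_TYPES:
        problems.append(f"key type {key_type} is not the ECDSA type recommended here")
    return version, key_type, problems


# Constructed sample headers (key material omitted): only the first line matters.
SAMPLE_RSA_PPK3 = """PuTTY-User-Key-File-3: ssh-rsa
Encryption: none
Comment: rsa-key-ccs-constructed
Public-Lines: 6
"""
SAMPLE_ECDSA_PPK2 = """PuTTY-User-Key-File-2: ecdsa-sha2-nistp256
Encryption: none
Comment: ecdsa-key-ccs-constructed
Public-Lines: 3
"""

if __name__ == "__main__":
    for name, text in (("rsa-ppk3", SAMPLE_RSA_PPK3), ("ecdsa-ppk2", SAMPLE_ECDSA_PPK2)):
        version, key_type, problems = check_ppk(text)
        print(name, version, key_type, problems or "OK for CCS import")
```

Run it against the .ppk file CCS is configured with before retrying the import; a key that reports no problems but still fails points at the server-side policy rather than the key file.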
Steps: