14 Replies Latest reply on Nov 14, 2019 3:17 AM by Hitesh Jha

    Linux Troubleshooting

    Hitesh Jha

      Hello Team,

      When I tried to scan RHEL-based servers I got the error below.

      When I checked from the server end, everything looks fine.

      But when I access the target endpoint via our discovery source I get the same error as highlighted in the session logs, i.e. no hostkey alg:

      [tideway@EDPVSLADMA01 ~]$ ssh discover@ediqvlilxw01
      no hostkey alg

      Please comment!!!

        • 1. Re: Linux Troubleshooting
          Swapnil Lagad

          Hello Hitesh,

           

          Kindly check for the hostkey of the user in the server to establish connectivity, otherwise recreate the RSA and DSA keys again and delete previous keys.

          • 2. Re: Linux Troubleshooting
            Hitesh Jha

            Hello Swapnil,

            Thanks for the response.

            I have verified the ssh key of the discover account on the target as below.

            What's next?

            • 3. Re: Linux Troubleshooting
              Swapnil Lagad

              Hello Hitesh,

              Use these commands:

              cd /home/discover
              chmod 700 .ssh
              chmod 644 /home/discover/.ssh/authorized_keys

              • 4. Re: Linux Troubleshooting
                Hitesh Jha

                Hello Swapnil,

                As guided, I did the same as below and rescanned the target endpoint, but still no access.

                [discover@ediqvlilxw01 ~]$ ls -al
                total 164
                drwx------   3 discover addm    103 May  8  2018 .
                drwxr-xr-x. 15 root     root   4096 Dec 14  2017 ..
                -rw-------   1 discover addm 147041 Nov  4 08:25 .bash_history
                -rw-r--r--   1 discover addm     18 Aug  3  2017 .bash_logout
                -rw-r--r--   1 discover addm    193 Aug  3  2017 .bash_profile
                -rw-r--r--   1 discover addm    231 Aug  3  2017 .bashrc
                -rw-r--r--   1 discover addm    172 Feb 10  2017 .kshrc
                drwx------   2 discover addm     28 Mar 22  2018 .ssh
                [discover@ediqvlilxw01 ~]$ chmod 644 /home/discover/.ssh/authorized_keys
                [discover@ediqvlilxw01 ~]$ cd /home/discover/.ssh/
                [discover@ediqvlilxw01 .ssh]$ ls -al
                total 4
                drwx------ 2 discover addm  28 Mar 22  2018 .
                drwx------ 3 discover addm 103 May  8  2018 ..
                -rw-r--r-- 1 discover addm 417 Nov  1  2017 authorized_keys
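
The chmod advice in reply 3 and the listing in reply 4 are about sshd's StrictModes check, which is what decides whether an authorized_keys file is read at all. What follows is an added example, not code from the thread's participants or from OpenSSH: it applies that rule to an `ls -l` listing so the permissions can be verified instead of guessed. The listings are constructed from the posted output plus one made-up failing layout, and the function and constant names are this example's own. As replies 5 and 10 go on to show, the "no hostkey alg" error in this thread has a different cause; this only shows what the permission fix is for.

```python
"""Apply sshd's StrictModes ownership and permission rule to an `ls -l`
listing, so the chmod advice above can be checked rather than guessed.

Added example for this thread, not code from the participants or from
OpenSSH. With StrictModes on (the default, shown commented as
'#StrictModes yes' in the posted sshd_config) sshd refuses to read
authorized_keys unless the file, ~/.ssh and the home directory are each
owned by the login user or root and are not writable by group or others.
"""

# sshd's test: any group- or world-write bit makes the path unsafe.
GROUP_OR_WORLD_WRITABLE = 0o022


def parse_ls_mode(mode_str):
    """Turn an `ls -l` mode column such as '-rw-r--r--' or 'drwxr-xr-x.'
    into permission bits.

    Character 0 is the file type and a trailing '.' or '+' is the
    SELinux/ACL marker RHEL prints, so only characters 1..9 matter.
    Uppercase S/T mean setuid/setgid/sticky without execute, so they
    count as the bit being clear here.
    """
    bits = 0
    for ch in mode_str[1:10]:
        bits = (bits << 1) | (0 if ch in "-ST" else 1)
    return bits


def strict_modes_violations(user, entries):
    """Return the reasons sshd would reject this layout for `user`.

    entries: iterable of (path, owner, ls_mode) for the home directory,
    ~/.ssh and authorized_keys, i.e. every path sshd walks from the key
    file up to the home directory.
    """
    problems = []
    for path, owner, ls_mode in entries:
        mode = parse_ls_mode(ls_mode)
        if owner not in (user, "root"):
            problems.append("%s: owned by %s, not %s or root" % (path, owner, user))
        if mode & GROUP_OR_WORLD_WRITABLE:
            problems.append("%s: mode %o is group/world-writable" % (path, mode))
    return problems


# Constructed from the `ls -al` output posted for the discover account.
POSTED_LISTING = [
    ("/home/discover", "discover", "drwx------"),
    ("/home/discover/.ssh", "discover", "drwx------"),
    ("/home/discover/.ssh/authorized_keys", "discover", "-rw-r--r--"),
]

# Constructed counter-example: a layout sshd refuses with no hint on the
# client side, only 'Authentication refused: bad ownership or modes'
# in the server's auth log.
BROKEN_LISTING = [
    ("/home/discover", "discover", "drwxrwxr-x"),
    ("/home/discover/.ssh", "discover", "drwx------"),
    ("/home/discover/.ssh/authorized_keys", "addm", "-rw-rw-r--"),
]


if __name__ == "__main__":
    for name, listing in (("posted", POSTED_LISTING), ("broken", BROKEN_LISTING)):
        problems = strict_modes_violations("discover", listing)
        print(name, "OK" if not problems else "; ".join(problems))
```

The posted layout passes, which is consistent with the permissions not being the problem here. On a live host the same check is made by sshd itself; its verdict lands in /var/log/secure (AUTHPRIV facility, as the posted config sets), not in the client's output.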

                • 5. Re: Linux Troubleshooting
                  Andrew Waters

                  This is complaining about not having a key for the host identity.

                  If you look in /etc/ssh there should be some host keys, e.g. (depending upon configuration) ssh_host_ecdsa_key. This is what the sshd daemon uses to uniquely identify the host. What is in that directory, and what HostKey entries appear in sshd_config in the same directory?

                  • 6. Re: Linux Troubleshooting
                    Hitesh Jha

                    [root@ediqvlilxw01 ssh]# ls -al
                    total 644
                    drwxr-xr-x.   2 root root       4096 Sep  9 01:10 .
                    drwxr-xr-x. 101 root root       8192 Nov  4 20:07 ..
                    -rw-------    1 root root       4815 Feb 25  2019 bkp.sshd_config.2019-05-30
                    -rw-r--r--    1 root root     581843 Jun 26 10:01 moduli
                    -rw-r--r--    1 root root       2276 Jun 26 10:01 ssh_config
                    -rw-------    1 root root       4824 May 30 07:30 sshd_config
                    -rw-------    1 root root       4798 Feb 25  2019 sshd_config_bkp_discover
                    -rw-------.   1 root root       3907 Sep 13  2017 sshd_config.rpmnew
                    -rw-r-----.   1 root ssh_keys    227 Oct 31  2017 ssh_host_ecdsa_key
                    -rw-r--r--.   1 root root        162 Oct 31  2017 ssh_host_ecdsa_key.pub
                    -rw-r-----.   1 root ssh_keys    387 Oct 31  2017 ssh_host_ed25519_key
                    -rw-r--r--.   1 root root         82 Oct 31  2017 ssh_host_ed25519_key.pub
                    -rw-r-----.   1 root ssh_keys   1679 Oct 31  2017 ssh_host_rsa_key
                    -rw-r--r--.   1 root root        382 Oct 31  2017 ssh_host_rsa_key.pub
                    [root@ediqvlilxw01 ssh]# cat ssh_host_ecdsa_key
                    -----BEGIN EC PRIVATE KEY-----
                    MHcC########################################################3Mqdu0ogHE/4/44/dLj97xa
                    LwDs4Jfcf1f1dksRs25xdUMCBEjeBb2zqg==
                    -----END EC PRIVATE KEY-----

                    [root@ediqvlilxw01 ssh]# cat sshd_config
                    #       $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $

                    # This is the sshd server system-wide configuration file.  See
                    # sshd_config(5) for more information.

                    # This sshd was compiled with PATH=/usr/local/bin:/usr/bin

                    # The strategy used for options in the default sshd_config shipped with
                    # OpenSSH is to specify options with their default value where
                    # possible, but leave them commented.  Uncommented options override the
                    # default value.

                    # If you want to change the port on a SELinux system, you have to tell
                    # SELinux about this change.
                    # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
                    #
                    #Port 22
                    #AddressFamily any
                    #ListenAddress 0.0.0.0
                    #ListenAddress ::

                    # The default requires explicit activation of protocol 1
                    Protocol 2

                    # HostKey for protocol version 1
                    #HostKey /etc/ssh/ssh_host_key
                    # HostKeys for protocol version 2
                    #HostKey /etc/ssh/ssh_host_rsa_key
                    #HostKey /etc/ssh/ssh_host_dsa_key
                    HostKey /etc/ssh/ssh_host_ecdsa_key
                    HostKey /etc/ssh/ssh_host_ed25519_key

                    # Lifetime and size of ephemeral version 1 server key
                    #KeyRegenerationInterval 1h
                    #ServerKeyBits 1024

                    # Ciphers and keying
                    #RekeyLimit default none

                    # Logging
                    # obsoletes QuietMode and FascistLogging
                    #SyslogFacility AUTH
                    SyslogFacility AUTHPRIV
                    LogLevel INFO

                    # Authentication:

                    #LoginGraceTime 2m
                    LoginGraceTime 60
                    PermitRootLogin yes
                    #StrictModes yes
                    MaxAuthTries 4
                    #MaxSessions 10

                    #RSAAuthentication yes
                    #PubkeyAuthentication yes

                    # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
                    # but this is overridden so installations will only check .ssh/authorized_keys
                    AuthorizedKeysFile      .ssh/authorized_keys

                    #AuthorizedPrincipalsFile none

                    #AuthorizedKeysCommand none
                    #AuthorizedKeysCommandUser nobody

                    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
                    #RhostsRSAAuthentication no
                    # similar for protocol version 2
                    HostbasedAuthentication no
                    # Change to yes if you don't trust ~/.ssh/known_hosts for
                    # RhostsRSAAuthentication and HostbasedAuthentication
                    #IgnoreUserKnownHosts no
                    # Don't read the user's ~/.rhosts and ~/.shosts files
                    IgnoreRhosts yes

                    # To disable tunneled clear text passwords, change to no here!
                    #PasswordAuthentication yes
                    PermitEmptyPasswords no
                    PasswordAuthentication yes

                    # Change to no to disable s/key passwords
                    #ChallengeResponseAuthentication yes
                    ChallengeResponseAuthentication no

                    # Kerberos options
                    #KerberosAuthentication no
                    #KerberosOrLocalPasswd yes
                    #KerberosTicketCleanup yes
                    #KerberosGetAFSToken no
                    #KerberosUseKuserok yes

                    # GSSAPI options
                    GSSAPIAuthentication yes
                    GSSAPICleanupCredentials no
                    #GSSAPIStrictAcceptorCheck yes
                    #GSSAPIKeyExchange no
                    #GSSAPIEnablek5users no

                    # Set this to 'yes' to enable PAM authentication, account processing,
                    # and session processing. If this is enabled, PAM authentication will
                    # be allowed through the ChallengeResponseAuthentication and
                    # PasswordAuthentication.  Depending on your PAM configuration,
                    # PAM authentication via ChallengeResponseAuthentication may bypass
                    # the setting of "PermitRootLogin without-password".
                    # If you just want the PAM account and session checks to run without
                    # PAM authentication, then enable this but set PasswordAuthentication
                    # and ChallengeResponseAuthentication to 'no'.
                    # WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
                    # problems.
                    UsePAM yes

                    #AllowAgentForwarding yes
                    #AllowTcpForwarding yes
                    #GatewayPorts no
                    #X11Forwarding yes
                    X11Forwarding no
                    #X11DisplayOffset 10
                    #X11UseLocalhost yes
                    #PermitTTY yes
                    #PrintMotd yes
                    #PrintLastLog yes
                    #TCPKeepAlive yes
                    #UseLogin no
                    UsePrivilegeSeparation sandbox          # Default for new installations.
                    PermitUserEnvironment no
                    #Compression delayed
                    #ClientAliveInterval 0
                    #ClientAliveCountMax 3
                    ClientAliveCountMax 0
                    #ShowPatchLevel no
                    #UseDNS yes
                    #PidFile /var/run/sshd.pid
                    #MaxStartups 10:30:100
                    #PermitTunnel no
                    #ChrootDirectory none
                    #VersionAddendum none

                    # no default banner path
                    #Banner none

                    # Accept locale-related environment variables
                    AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
                    AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
                    AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
                    AcceptEnv XMODIFIERS

                    # override default of no subsystems
                    Subsystem       sftp    /usr/libexec/openssh/sftp-server

                    # Example of overriding settings on a per-user basis
                    #Match User anoncvs
                    #       X11Forwarding no
                    #       AllowTcpForwarding no
                    #       PermitTTY no
                    #       ForceCommand cvs server
                    ClientAliveInterval 300

                    Banner /etc/issue.net

                    # CIS Additions
                    #Ciphers aes256-ctr,aes192-ctr,aes128-ctr
                    #MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

                    AllowUsers segadmin scommon scompriv scommant secscan root discover sysassur
                    AllowGroups
                    DenyUsers
                    DenyGroups

                    AllowUsers capamrw capamro
                    AllowGroups addm sysassur
                    [root@ediqvlilxw01 ssh]#

                    • 7. Re: Linux Troubleshooting
                      Swapnil Lagad

                      Hello Hitesh,

                      Share the output of this command, run from the source:

                      ssh -v user@server

                      • 8. Re: Linux Troubleshooting
                        Hitesh Jha

                        Hello Swapnil,

                        Please refer to the output below.

                        [tideway@EDPVSLADMA01 ~]$ ssh -v discover@ediqvlilxw01
                        OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
                        debug1: Reading configuration data /etc/ssh/ssh_config
                        debug1: Applying options for *
                        debug1: Connecting to ediqvlilxw01 [10.22.3.39] port 22.
                        debug1: Connection established.
                        debug1: identity file /usr/tideway/.ssh/identity type -1
                        debug1: identity file /usr/tideway/.ssh/identity-cert type -1
                        debug1: identity file /usr/tideway/.ssh/id_rsa type -1
                        debug1: identity file /usr/tideway/.ssh/id_rsa-cert type -1
                        debug1: identity file /usr/tideway/.ssh/id_dsa type -1
                        debug1: identity file /usr/tideway/.ssh/id_dsa-cert type -1
                        debug1: identity file /usr/tideway/.ssh/id_ecdsa type -1
                        debug1: identity file /usr/tideway/.ssh/id_ecdsa-cert type -1
                        debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
                        debug1: match: OpenSSH_7.4 pat OpenSSH*
                        debug1: Enabling compatibility mode for protocol 2.0
                        debug1: Local version string SSH-2.0-OpenSSH_5.3
                        debug1: SSH2_MSG_KEXINIT sent
                        debug1: SSH2_MSG_KEXINIT received
                        debug1: kex: server->client aes128-ctr hmac-sha1 none
                        debug1: kex: client->server aes128-ctr hmac-sha1 none
                        no hostkey alg

                        • 9. Re: Linux Troubleshooting
                          Swapnil Lagad


                          Hello Hitesh,

                          Create new RSA and DSA keys using these commands:

                          ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
                          ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key

                          Then set the file permissions:

                          chmod 600 /etc/ssh/ssh_host_*
                          chmod 644 /etc/ssh/ssh_host_*.pub

                          Then restart the service:

                          service sshd restart

                          • 10. Re: Linux Troubleshooting
                            Andrew Waters

                            Given the version you are obviously not using 11.3 CentOS 7.

                            Your problem is that you have no overlap on HostKeyAlgorithms.

                            By default RHEL6 and CentOS 6 do not allow the ecdsa or ed25519 algorithms (RHEL6 does not support ed25519). Either you need to

                            * Allow the machine you're discovering to use an algorithm that is understood, e.g. remove the # from one of the HostKey ssh_host_rsa_key or ssh_host_dsa_key lines in /etc/ssh/sshd_config and then restart sshd with systemctl restart sshd, or

                            * Update ssh_config on the appliance so it will accept ecdsa, e.g. by adding the following to /etc/ssh/ssh_config (Red Hat docs):
                            HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ssh-rsa,ssh-dss

                            * Update to 11.3 using CentOS 7.

                            • 11. Re: Linux Troubleshooting
                              Hitesh Jha

                              Andrew,

                              I have changed the ssh config file as below.

                              Do we need to restart the sshd service also?

                              • 12. Re: Linux Troubleshooting
                                Andrew Waters

                                No. The next time ssh is run by Discovery it will pick up the configuration.

                                • 13. Re: Linux Troubleshooting
                                  Lisa Keeler

                                  I was going to write a KA for this problem, but there is no case to attach the KA to. So, I want to clarify here what the problem/solution is.

                                  For the benefit of people searching the community for this problem, here is a recap if I understand correctly. Please correct anything I got wrong.

                                  PROBLEM DESCRIPTION:

                                  Customer is using 11.3 CentOS 6.

                                  These 2 errors, "Connection closed unexpectedly" and "no hostkey alg", were seen during a Credential Test (from the UI) for an SSH credential.

                                  And, when trying to ssh to the remote host from the Discovery appliance, we get "no hostkey alg":

                                  [tideway@EDPVSLADMA01 ~]$ ssh discover@ediqvlilxw01
                                  no hostkey alg

                                  I assume that the SSH credential uses an ssh key (i.e. ssh Authentication = Key).

                                  The target host only allows these HostKey values:

                                  $ grep HostKey /etc/ssh/sshd_config
                                  # HostKey for protocol version 1
                                  #HostKey /etc/ssh/ssh_host_key
                                  # HostKeys for protocol version 2
                                  #HostKey /etc/ssh/ssh_host_rsa_key
                                  #HostKey /etc/ssh/ssh_host_dsa_key
                                  HostKey /etc/ssh/ssh_host_ecdsa_key
                                  HostKey /etc/ssh/ssh_host_ed25519_key

                                  ROOT CAUSE:

                                  Andrew> This is complaining about not having a key for the host identity.
                                  Andrew> By default RHEL6 and CentOS 6 do not allow the ecdsa or ed25519 algorithms (RHEL6 does not support ed25519).

                                  The target host only allows ecdsa and ed25519 HostKey algorithms, as seen from the grep output.
                                  But, CentOS 6 by default does not allow those 2 algorithms.

                                  SOLUTION:

                                  Either you need to:

                                  * Allow the target machine you're discovering to use an algorithm that is understood, e.g. remove the # from one of the HostKey ssh_host_rsa_key or ssh_host_dsa_key lines in /etc/ssh/sshd_config and then restart sshd with systemctl restart sshd, or

                                  * Update /etc/ssh/ssh_config on the appliance so it will accept ecdsa, e.g. by adding the following to /etc/ssh/ssh_config (Red Hat docs):
                                  HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ssh-rsa,ssh-dss

                                  * Update to 11.3 using CentOS 7.

                                  ====================================

                                  Customer chose the 2nd option:

                                  Update /etc/ssh/ssh_config on the appliance so it will accept ecdsa, e.g. adding
                                  HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ssh-rsa,ssh-dss

                                  Now, discovery of the remote host should work OK.

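
Andrew's reply 10 and Lisa's recap in reply 13 both come down to one rule of the SSH key exchange: the client's HostKeyAlgorithms list and the set of host keys the server actually loads must overlap, and the client picks the first of its own preferences that the server offers (RFC 4253 section 7.1). When they do not overlap, the OpenSSH client dies with the fatal "no hostkey alg" seen in the `ssh -v` output, right after the cipher/MAC selection lines. The following is an added example, not code from BMC Discovery, OpenSSH or the thread's participants, that models that step against the posted HostKey lines and then applies each of the two fixes offered in the thread. The `.pub` file contents, the client default list `ssh-rsa,ssh-dss` (the thread says only that ecdsa/ed25519 are off by default on CentOS 6), and all function names are assumptions of the example.

```python
"""Model the server_host_key_algorithms step of SSH key exchange to show
why an OpenSSH 5.3 client prints "no hostkey alg" against this target.

Added example for this thread, not code from BMC Discovery or OpenSSH.
The negotiation rule is RFC 4253 section 7.1: the chosen host key
algorithm is the first name in the client's list that the server also
offers; if there is none, the OpenSSH client aborts with fatal("no
hostkey alg") right after the cipher/MAC lines in `ssh -v` output.
"""
import re

# Constructed sample: the HostKey section of the target's sshd_config as
# posted in the thread. sshd ignores the commented lines.
SSHD_CONFIG = """\
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
"""

# Constructed sample: first field of each ssh_host_*_key.pub on the target.
# The .pub file names the exact algorithm, which beats guessing from the
# file name (an ECDSA key can be nistp256, nistp384 or nistp521).
HOST_PUBKEYS = {
    "/etc/ssh/ssh_host_rsa_key": "ssh-rsa AAAA... root@ediqvlilxw01",
    "/etc/ssh/ssh_host_dsa_key": "ssh-dss AAAA... root@ediqvlilxw01",
    "/etc/ssh/ssh_host_ecdsa_key": "ecdsa-sha2-nistp256 AAAA... root@ediqvlilxw01",
    "/etc/ssh/ssh_host_ed25519_key": "ssh-ed25519 AAAA... root@ediqvlilxw01",
}

# Assumption: the host key algorithms the RHEL/CentOS 6 OpenSSH 5.3 client
# on the appliance offers by default. The thread says ecdsa/ed25519 are
# not enabled by default there; this exact list is assumed, not quoted.
CLIENT_DEFAULT_HOSTKEYALGS = ["ssh-rsa", "ssh-dss"]

# The HostKeyAlgorithms line the thread adds to the appliance's ssh_config.
CLIENT_FIXED_HOSTKEYALGS = [
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ssh-rsa", "ssh-dss",
]


def active_hostkeys(sshd_config):
    """Key paths from HostKey directives that are not commented out."""
    paths = []
    for line in sshd_config.splitlines():
        m = re.match(r"^\s*HostKey\s+(\S+)", line, re.I)  # '#HostKey' fails here
        if m:
            paths.append(m.group(1))
    return paths


def server_hostkey_algs(sshd_config, pubkeys):
    """Algorithm names the server advertises in its KEXINIT.

    Simplification: one name per key, taken from the .pub file. A 7.4
    server also advertises rsa-sha2-256/512 for an RSA key, and with no
    HostKey lines at all it falls back to compiled-in defaults.
    """
    algs = []
    for path in active_hostkeys(sshd_config):
        pub = pubkeys.get(path)
        if pub is None:
            continue  # configured but absent: sshd logs an error and skips it
        algs.append(pub.split()[0])
    return algs


def negotiate_hostkey_alg(client_algs, server_algs):
    """First client preference the server also offers, else None."""
    for alg in client_algs:
        if alg in server_algs:
            return alg
    return None


def diagnose(client_algs, sshd_config, pubkeys):
    """One-line verdict in the shape an operator wants to read."""
    server = server_hostkey_algs(sshd_config, pubkeys)
    chosen = negotiate_hostkey_alg(client_algs, server)
    if chosen is None:
        return "no hostkey alg: client offers %s, server offers %s" % (
            ",".join(client_algs), ",".join(server))
    return "host key algorithm: " + chosen


def enable_hostkey(sshd_config, path):
    """Server-side fix from the thread: uncomment the HostKey line for path."""
    pattern = re.compile(r"^[ \t]*#[ \t]*(HostKey[ \t]+%s)[ \t]*$" % re.escape(path), re.M)
    return pattern.sub(r"\1", sshd_config)


if __name__ == "__main__":
    # Failing state as posted, then each of the two fixes the thread offers.
    print(diagnose(CLIENT_DEFAULT_HOSTKEYALGS, SSHD_CONFIG, HOST_PUBKEYS))
    rsa_enabled = enable_hostkey(SSHD_CONFIG, "/etc/ssh/ssh_host_rsa_key")
    print(diagnose(CLIENT_DEFAULT_HOSTKEYALGS, rsa_enabled, HOST_PUBKEYS))
    print(diagnose(CLIENT_FIXED_HOSTKEYALGS, SSHD_CONFIG, HOST_PUBKEYS))
```

Of the two fixes, the client-side one (adding HostKeyAlgorithms on the appliance) is the safer default: it lets the appliance verify the target by its existing ECDSA host key instead of turning on an extra RSA or DSA host key on every target, and it avoids ssh-dss, which newer servers refuse entirely. On a live appliance with a newer OpenSSH, `ssh -Q key` lists the host key algorithm names the client is built with, and `ssh -vv` prints the chosen `kex: host key algorithm:` line, which is the real-world counterpart of what `diagnose()` returns here.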
                                  • 14. Re: Linux Troubleshooting
                                    Hitesh Jha

                                    Hey Lisa,

                                    Just to add here, the affected server scanned successfully.