List: security-onion
Subject: Re: [security-onion] Re: SSH authorized_keys: Permission denied
From: Satya Vegulla <satyavegulla9 () gmail ! com>
Date: 2017-08-31 10:15:43
Message-ID: 1e1887a5-6626-4061-b14d-91fbd3b90dda () googlegroups ! com
On Wednesday, August 30, 2017 at 6:28:19 AM UTC+5:30, Wes wrote:
> On Tuesday, August 29, 2017 at 10:14:36 AM UTC-4, Satya Vegulla wrote:
> > On Monday, August 28, 2017 at 10:34:44 PM UTC+5:30, Wes wrote:
> > > On Monday, August 28, 2017 at 10:04:07 AM UTC-4, Satya Vegulla wrote:
> > > > On Saturday, August 26, 2017 at 12:29:47 AM UTC+5:30, Wes wrote:
> > > > > On Friday, August 25, 2017 at 3:35:06 AM UTC-4, Satya Vegulla wrote:
> > > > > > On Thursday, August 24, 2017 at 5:58:48 PM UTC+5:30, Wes wrote:
> > > > > > > On Wednesday, August 23, 2017 at 8:55:51 AM UTC-4, Satya Vegulla wrote:
> > > > > > > > On Wednesday, August 23, 2017 at 4:30:29 PM UTC+5:30, Wes wrote:
> > > > > > > > > Satya,
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > "If you've enabled salt on all machines in your deployment,
> > > > > > > > > then salt should have disabled the rule-update cron job in favor of \
> > > > > > > > > its own method of distributing rules to the sensors. However, if \
> > > > > > > > > you manually run rule-update and get prompted for the password \
> > > > > > > > > then that may be indicative of other problems...
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > rule-update uses scp to copy files from the master to the sensor. \
> > > > > > > > > To do that, it authenticates using the username and ssh key \
> > > > > > > > > stored in
> > > > > > > > > /root/.ssh/ on the sensor. This would be the username that you
> > > > > > > > > entered during Setup on the sensor that it used to connect to the
> > > > > > > > > server.
> > > > > > > > >
> > > > > > > > > Are you able to manually ssh from the sensor to the server using \
> > > > > > > > > that username and its password?
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Are you able to ssh using that username and the ssh key in \
> > > > > > > > > /root/.ssh/?"
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > https://groups.google.com/d/msg/security-onion/DhJ6dlh0avg/_cGOo9Mg224J
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Thanks,
> > > > > > > > > Wes
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > On Wed, Aug 23, 2017 at 5:37 AM, Satya Vegulla \
> > > > > > > > > <satyav...@gmail.com> wrote: On Monday, July 10, 2017 at 5:24:58 PM \
> > > > > > > > > UTC+5:30, Wes wrote:
> > > > > > > > > > On Monday, July 10, 2017 at 1:26:44 AM UTC-4, Satya Vegulla \
> > > > > > > > > > wrote:
> > > > > > > > >
> > > > > > > > > > > On Wednesday, July 5, 2017 at 8:09:40 PM UTC+5:30, Satya \
> > > > > > > > > > > Vegulla wrote:
> > > > > > > > >
> > > > > > > > > > > > Hi Team,
> > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > >
> > > > > > > > > > > > with reference to this post
> > > > > > > > >
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > > > > > \
> > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > >
> > > > > > > > > > > > When I am trying to make that automatic using key \
> > > > > > > > > > > > authentication. (rule update)
> > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > >
> > > > > > > > > > > > Getting the below issue as permission denied.
> > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > >
> > > > > > > > > > > > Tried putting the ssh username and server name manually as \
> > > > > > > > > > > > well.
> > > > > > > > >
> > > > > > > > > > > > Even ensured SSH Username is part of Sudo group.
> > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > >
> > > > > > > > > > > > xxxx@xxxxx:/# ssh-copy-id -i "$KEY".pub \
> > > > > > > > > > > > $SSH_USERNAME@$SERVERNAME
> > > > > > > > >
> > > > > > > > > > > > $SSH_USERNAME@$SERVERNAME's password:
> > > > > > > > >
> > > > > > > > > > > > bash: /home/xxxxxxxxx/.ssh/authorized_keys: Permission denied
> > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > >
> > > > > > > > > > > > Regards,
> > > > > > > > >
> > > > > > > > > > > > Satya.
> > > > > > > > >
> > > > > > > > > > >
> > > > > > > > >
> > > > > > > > > > > > Hi Wes,
> > > > > > > > >
> > > > > > > > > > >
> > > > > > > > >
> > > > > > > > > > > Yes, I am running with root.
> > > > > > > > >
> > > > > > > > > > >
> > > > > > > > >
> > > > > > > > > > > Regards,
> > > > > > > > >
> > > > > > > > > > > Satya.
> > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > > > Please post the exact steps you took to arrive at this error.
> > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > > > Thanks,
> > > > > > > > >
> > > > > > > > > > Wes
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Hi Wes,
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Apologies for delaying.
> > > > > > > > >
> > > > > > > > > As there were multiple issues to be fixed in this sensor and \
> > > > > > > > > > aligned with the change windows, we have rebuilt this sensor, \
> > > > > > > > > However everything went smooth, at the end after adding the sensor \
> > > > > > > > > to the masters salt configuration,
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > rule update is not changing to salt update.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > $ ls -l /etc/cron.d/
> > > > > > > > >
> > > > > > > > > total 44
> > > > > > > > >
> > > > > > > > > -rw-r--r-- 1 root root 288 Jun 20 2010 anacron
> > > > > > > > >
> > > > > > > > > -rw-r--r-- 1 root root 258 Aug 28 20:39 bro
> > > > > > > > >
> > > > > > > > > -rw-r--r-- 1 root root 224 Jan 1 2014 capme
> > > > > > > > >
> > > > > > > > > -rw-r--r-- 1 root root 209 Oct 12 23:06 elsa
> > > > > > > > >
> > > > > > > > > -rw-r--r-- 1 root root 308 May 25 2013 nsm-watchdog
> > > > > > > > >
> > > > > > > > > -rw-r--r-- 1 root root 544 Sep 12 2012 php5
> > > > > > > > >
> > > > > > > > > -rw-r--r-- 1 root root 384 Oct 12 23:06 rule-update (this part is \
> > > > > > > > > not changing to salt-update)
> > > > > > > > > -rw-r--r-- 1 root root 234 Aug 28 20:39 sensor-clean
> > > > > > > > >
> > > > > > > > > -rw-r--r-- 1 root root 823 Aug 13 18:34 sensor-newday
> > > > > > > > >
> > > > > > > > > -rw-r--r-- 1 root root 248 Oct 19 2012 sguil-db-purge
> > > > > > > > >
> > > > > > > > > -rw-r--r-- 1 root root 403 Oct 13 2013 squert-ip2c
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > And also when trying this (rule update without password)
> > > > > > > > >
> > > > > > > > > https://groups.google.com/forum/#!searchin/security-onion/asking$20password|sort:relevance/security-onion/-scFibM9MwA/HBGa95djgeYJ
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > > public key is getting added to the authorized keys, but still asking \
> > > > > > > > > for password.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Which also results in ELSA processing its required updates to \
> > > > > > > > > master.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Request your suggestion here.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Thanks,
> > > > > > > > >
> > > > > > > > > Satya
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > >
> > > > > > > > > Follow Security Onion on Twitter!
> > > > > > > > >
> > > > > > > > > https://twitter.com/securityonion
> > > > > > > > >
> > > > > > > > > ---
> > > > > > > > >
> > > > > > > > > You received this message because you are subscribed to the Google \
> > > > > > > > > Groups "security-onion" group.
> > > > > > > > > To unsubscribe from this group and stop receiving emails from it, \
> > > > > > > > > send an email to security-onio...@googlegroups.com.
> > > > > > > > > To post to this group, send email to securit...@googlegroups.com.
> > > > > > > > >
> > > > > > > > > Visit this group at https://groups.google.com/group/security-onion.
> > > > > > > > >
> > > > > > > > > For more options, visit https://groups.google.com/d/optout.
> > > > > > > >
> > > > > > > > Yes, I am able to SSH in to the server, with those credentials.
> > > > > > > > also see the Securityonion.pub key getting copied to the authorized \
> > > > > > > > keys in the destination server (Master).(when using this command \
> > > > > > > > "ssh-copy-id -i "$KEY".pub $SSH_USERNAME@$SERVERNAME")
> > > > > > > > But at the time of logging in when giving "ssh -i "$KEY" \
> > > > > > > > $SSH_USERNAME@$SERVERNAME" command, it still prompts for a password, \
> > > > > > > > rather than logging with the help of the key.
> > > > > > > > Thanks,
> > > > > > > > Satya.
> > > > > > >
> > > > > > > Check the authorized_keys on the master, in \
> > > > > > > /home/$SENSORUSER/.ssh/authorized_keys.
> > > > > > > Does it match what is present on the sensor, in \
> > > > > > > /root/.ssh/securityonion.pub?
> > > > > > > Thanks,
> > > > > > > Wes
> > > > > >
> > > > > > Hi Wes,
> > > > > >
> > > > > > Yes it does, key residing in both the locations is same,
> > > > > > > in fact when I repeat the command to copy the key, same key is getting \
> > > > > > appended in authorized keys. Also tried generating new key pair in \
> > > > > > sensor and cleared the existing keys in authorized keys in master, then \
> > > > > > repeated the process, but the result seems to be the same.
> > > > > > Thanks,
> > > > > > Satya.
> > > > >
> > > > > Have you tried checking /var/log/nsm/sosetup.log for clues?
> > > > >
> > > > > Have you tried ensuring permissions are correct and that you are trying to \
> > > > > login with the correct user?
> > > > > https://unix.stackexchange.com/questions/36540/why-am-i-still-getting-a-password-prompt-with-ssh-with-public-key-authentication
> > > > >
> > > > > Thanks,
> > > > > Wes
> > > >
> > > > Hi Wes,
> > > >
> > > > > I ensured there are sufficient permissions for the authorized keys.
> > > > > Checked sosetup.log, couldn't find much different.
> > > > But actually when sensor installation was in process, we initially gave the \
> > > > wrong master IP, then after the setup was finished, we updated manually the \
> > > > actual master IP, where-all required. Assuming the above may not be impacting \
> > > > this issue, but just want to confirm.
> > > > Regards,
> > > > Satya.
> > >
> > > If you had to manually update the IP of the master, I would re-run setup on the \
> > > sensor.
> > > Thanks,
> > > Wes
> >
> > Hi Wes,
> >
> > We did re-run the setup, but the rule update part remains the same.
> >
> > Is there anything we can do?
> >
> > Thanks,
> > Satya.
>
> If you have already followed the previous procedure (in regard to keys, etc) and \
> have not had success, it may be quicker and easier to reinstall from the ISO or \
> packages and then try re-running setup for the sensor.
> Thanks,
> Wes
Hi Wes,
Thanks for your time.
Now we see the authentication happening through the key.
Issue was permissions applied to .ssh/ and Authorized keys and also the owner for the folder of the user account for the sensor in the master.
Thanks,
Satya.
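
The resolution above (ownership and modes on the sensor account's home folder, .ssh/ and authorized_keys on the master) matches what OpenSSH's StrictModes setting, on by default, checks before it accepts a key; when a check fails, sshd skips the key and falls back to the password prompt. The script below is an added example, not part of the original thread: it audits those three paths, assuming GNU stat, and the names check_path and audit_ssh_perms are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat (Ubuntu-based master).
# With StrictModes on, sshd ignores authorized_keys if the home directory,
# ~/.ssh or the file itself has the wrong owner or is group/other-writable.

# check_path PATH UID: print a finding and return 1 on a problem (hypothetical helper).
check_path() {
    path=$1; want_uid=$2; rc=0
    if [ ! -e "$path" ]; then
        echo "MISSING $path"; return 1
    fi
    set -- $(stat -c '%u %a' "$path")   # -> owner uid, octal mode
    owner=$1; mode=$2
    if [ "$owner" != "$want_uid" ] && [ "$owner" != 0 ]; then
        echo "OWNER   $path: uid $owner, expected $want_uid or root"; rc=1
    fi
    # mode & 022 is non-zero when group or other holds the write bit.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "MODE    $path: $mode is group/other-writable"; rc=1
    fi
    return $rc
}

# audit_ssh_perms HOME UID: return the number of paths with a problem.
audit_ssh_perms() {
    home=$1; uid=$2; bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_path "$p" "$uid" || bad=$((bad + 1))
    done
    return $bad
}

# Usage on the master: sh audit.sh /home/SENSORUSER "$(id -u SENSORUSER)"
if [ "$#" -eq 2 ]; then
    audit_ssh_perms "$1" "$2" && echo "OK: nothing here blocks key login"
fi
```

Each line of output names one path to correct with chown or chmod (for example 700 on .ssh/ and 600 on authorized_keys); sshd records the same refusal in the master's auth log.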