Configuring SSH Connections for Use in Linux Discovery Scanning
NOT AVAILABLE IN SAAS
This page describes how to configure and troubleshoot SSH connections to use them for Syteca’s Account Discovery feature, so that the system can discover Linux accounts when running Linux Discovery rules (i.e. to find Linux accounts on the target computers) and so that these accounts can then be onboarded.
The Linux scanner can discover (as configured in Linux Discovery rules):
- Either all accounts (i.e. Linux privileged, service, and application accounts).
- Or only privileged accounts (i.e. Linux non-deamon accounts that were created manually, and the “root” account).
- And any Linux accounts with public SSH keys (in either of the above cases).
Table of Contents
1. Keys in the .config File
The values of the keys can be changed by adding/modifying them in the "EkranServer.Settings.config" file, which can be found in the C:\Program Files\Ekran System\Ekran System\Server folder on the computer where Syteca Application Server is installed.
| # | Key in .config File | Description |
| 1. | <add key="LinuxScanningConnectionTimeoutSeconds" value="20" /> | For the Linux scanner (and for Unix account (SSH) secret remote password (or public SSH key) rotation) to spend a maximum of <key value> seconds connecting to one computer (i.e. be timed out). The default value is 20 seconds. The key value must be greater than or equal to 1. |
| 2. | <add key="LinuxScanningMaximumConnections" value="100" /> | For the Linux scanner to scan a maximum of <key value> concurrent TCP/IP connections. The default value is <processor_count * 4> concurrent TCP/IP connections. The key value must be greater than or equal to 1. |
| 3. | <add key="LinuxScanningPort" value="22" /> | For the system to use port <key value> for the TCP/IP connections via SSH for Linux scanning and onboarding and remote password (or public SSH key) rotation (only for Unix account (SSH) secrets). The default value is port 22. |
2. Prerequisites for Linux Discovery and Onboarding
2.1. General (for Linux Connections Using Either Passwords or SSH Keys)
a) Check that the user whose credentials are used to perform onboarding or scanning has “sudo” permissions, by running the following command:
sudo whoami
NOTE: If the output is “root”, then the user has “sudo” permissions.
b) Check that the connection timeout is specified in the Settings.config file (see the table above), in the LinuxConnectionTimeoutSeconds key (where the default value is 20 seconds).
To increase the timeout (on the computer where Syteca Application Server is installed), do the following:
• Increase the connection timeout value in the Settings.config file.
• Set the value of "Max SYN Retransmissions" in the TCP Global Parameters settings to "8" (which is equivalent to approx. 2 minutes), by running the following commands:
netsh interface tcp set global MaxSynRetransmissions=8
netsh interface tcp show global
c) Check that the Sudo service is installed on the target computer.
NOTE: It is possible to scan accounts without "sudo" permissions, but it is not possible to scan accounts with public SSH keys or onboard any type of accounts without "sudo" permissions.
d) If the user whose credentials are used to perform onboarding or scanning has Secondary User Authentication enabled on their Linux Client computer, they need to enter their user name in to the "Exclude from secondary authentication" field on the Authentication Options tab of the Configuration page.
2.2. Using Passwords for the SSH Connections
a) Check that the PasswordAuthentication setting is set to “yes” in the sshd_config file, by running the following command:
sudo nano /etc/ssh/sshd_config
b) Check that the PasswordAuthentication setting is set to “yes”, and if not, then change it to “yes” and restart the ssh service, by running the following command:
sudo systemctl reload ssh
2.3. Using Public SSH Keys for the SSH Connections
a) Open the sshd_config file, by running the following command:
sudo nano /etc/ssh/sshd_config
And check that the PubkeyAuthentication setting in the configuration file is set to “yes”, and if not, then change it to “yes”, and restart the ssh service by running the following command:
sudo systemctl reload ssh
b) Make sure passwordless sudo is configured, as follows:
• Create a new configuration file for the user you want to allow passwordless sudo for, by running the following command:
sudo nano /etc/sudoers.d/{username}-user
• Add the following line to the configuration file, and replace “{username}” with the actual username.
{username} ALL=(ALL) NOPASSWD:ALL
• Test the configuration by running the following command::
sudo -i
If the configuration file is configured correctly, you should be switched to the “root” user without being prompted for a password.
c) Check that the SSH keys and the sshd_config file on the target computer are located at "{username}/.ssh/authorized_keys".
3. Troubleshooting Errors in the Application Server Logs
The Syteca Application Server log files can either be downloaded from the Management Tool or alternatively found C:\Program Files\Ekran System\Ekran System\ServerLogs folder
3.1. Troubleshooting Errors When Using Linux Scanning
| Message in Syteca Application Server Logs | Possible Reasons | How to Fix |
| Failed to connect to the target host. Possible reasons: 1) the target host is offline; 2) the connection timeout value is low (try increasing the value in the LinuxScanningConnectionTimeoutSeconds key in the .config file), or; 3) the SSH port specified is blocked by the firewall. | The error is displayed when the target computer is either: | Either: 1. Turn the computer on.2. Increase the connection timeout value in the LinuxScanningConnectionTimeoutSeconds key in the .config file (on the computer where Syteca Application Server is installed). 3. Allow the port specified in the LinuxScanningPort in the .config file (see above) in the firewall settings on the Linux computer by using the sudo uwf enable {port}/tcp command. |
| 1. Offline. | ||
| 2. Cannot be reached with the timeout value specified. | ||
| 3. Its port is blocked by the firewall. | ||
| Invalid user credentials were specified for connection. | The error is displayed in any of the following cases: | 1. Make sure you have entered the correct credentials, and test your connection over SSH. 3. Make sure you have entered the correct credentials, and test your connection over SSH. |
| 1. An incorrect password is specified. | ||
| 2. An incorrect or non-existent username is specified. | ||
| 3. An incorrect private key is uploaded. | ||
| The connection to the target computer was refused. The SSH daemon service (sshd) is offline or uninstalled. Check it status by using the systemctl status sshd command. | Either: | 1. Make sure the OpenSSH client is installed by using the sudo apt-get install openssh-client command. 2. Make sure the sshd service is running. Check it status by using the systemctl status sshd command, and if its offline, use the sudo systemctl start sshd command. 3. Verify that the computer, which Linux Discovery is performed from, is added to the TrustedHosts list on the target computer. |
| 1. Services related to the ssh connection are offline or disabled. | ||
| 2. The computer that Syteca Application Server is installed on is not added to the TrustedHosts file on the target computer. | ||
| 3. The OpenSSH client is not installed. | ||
| Connecting to the target computer failed for an unknown reason. | Any other errors related to connection to the target computer. For example, ProxyException (Failed to establish proxy connection). | Make sure you have entered the correct credentials, and test your connection over SSH. |
| Passwordless sudo is not configured. | When trying to connect to the target computer using a public key, but passwordless sudo is not configured. | Configure passwordless sudo for a specific user, as follows: 1. Create a new configuration file using the sudo visudo -f /etc/sudoers.d/{username} command. 2. Add the following line to the configuration file, replacing “username” with the actual username: username ALL=(ALL) NOPASSWD: ALL 3. In the Terminal, verify that passwordless sudo is configured by using the sudo -i command. If you are not prompted to enter a password, then it is configured correctly. |
| An error occurred while executing an ssh command. | Internal server error while executing an ssh command on the shell. | Make sure that the sudo utility is installed on the computer. |
| Incorrect SSH key format. | A private key file in the wrong format was uploaded into the secret. | Make sure you can connect to the secret using the private key uploaded, by way of the Syteca Connection Manager. |
| An incorrect passphrase was entered for the SSH private key. | An incorrect private key passphrase was entered in the secret. | Make sure you can connect to the secret using the private key uploaded, by way of the Syteca Connection Manager. |