How to disable the challenge/response on SSH connections
Want to log in to your own boxes (Connector, Logger, etc.) without having to call ArcSight and get permission from them? Here's how you can do it:
1) SSH as root into the box using the current c/r scheme
2) edit the passwd file
# vi /etc/passwd
3) Change the root parameters (first line, starts with "root")
4) save and exit (Esc, :wq!)
5) unlock root account
# passwd -u root
6) give root a password
7) lock the files so the ArcSight subprocesses can't undo your change
# chattr +i /etc/passwd /etc/shadow
There's a bit of a race condition doing it this way. The safer way is to shutdown the ArcSight APS subprocess first.
# /opt/local/monit/bin/monit stop aps
Or go all out and shut everything down
# /opt/local/monit/bin/monit stop all
# /opt/local/monit/bin/monit start aps
# /opt/local/monit/bin/monit start all
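Steps 2 through 6 above come down to what the root entries in /etc/passwd and /etc/shadow say: whether root has a UID of 0 and a login shell, and whether the shadow password field is locked (a leading "!" or "*", which is what `passwd -l` sets and `passwd -u` removes), holds a real hash, or is empty. The following is an added audit script, not code from the post or from ArcSight, that parses passwd- and shadow-style lines and reports that state so an operator can see exactly what the root account looks like before and after such a change. The entry lines embedded in it are constructed samples, not taken from an appliance.

```python
"""Audit the root entry in passwd- and shadow-style files (added example).

The sample entries below are constructed; on a real system pass the lines of
/etc/passwd and /etc/shadow (the latter needs root to read).
"""
import re

# Constructed sample entries (not real appliance data).
PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "nobody:x:99:99:Nobody:/:/sbin/nologin",
]
SHADOW_LOCKED = ["root:!!:18000:0:99999:7:::"]      # locked: no hash behind the "!!"
SHADOW_HASHED = [                                    # unlocked: SHA-512 crypt hash
    "root:$6$saltsalt$" + "A" * 86 + ":18000:0:99999:7:::",
]
SHADOW_EMPTY = ["root::18000:0:99999:7:::"]         # empty password field

# Prefixes used by glibc/libxcrypt hashes: $1$ md5, $2*$ bcrypt, $5$/$6$ sha-crypt, $y$ yescrypt.
HASH_RE = re.compile(r"^\$(1|2[aby]?|5|6|y)\$")


def find_entry(lines, user):
    """Return the colon-split fields of the entry for `user`, or None."""
    for line in lines:
        fields = line.rstrip("\n").split(":")
        if fields and fields[0] == user:
            return fields
    return None


def classify_password_field(field):
    """Classify a passwd/shadow password field."""
    if field == "":
        return "empty"
    if field.startswith("!") or field.startswith("*"):
        return "locked"
    if HASH_RE.match(field):
        return "hashed"
    return "unknown"


def audit_root(passwd_lines, shadow_lines):
    """Describe the root account and list anything an operator should know about it."""
    findings = []
    passwd = find_entry(passwd_lines, "root")
    if passwd is None:
        return {"present": False, "findings": ["no root entry in passwd"]}
    if len(passwd) < 7:
        return {"present": True, "findings": ["malformed root entry in passwd"]}

    _, pw_field, uid, _, _, _, shell = passwd[:7]

    if pw_field != "x":
        # Password stored in passwd itself rather than deferred to shadow.
        findings.append("passwd carries the password field directly instead of deferring to shadow")
        state = classify_password_field(pw_field)
    else:
        shadow = find_entry(shadow_lines, "root")
        if shadow is None or len(shadow) < 2:
            findings.append("passwd defers to shadow but shadow has no usable root entry")
            state = "missing"
        else:
            state = classify_password_field(shadow[1])

    if uid != "0":
        findings.append("root entry does not have UID 0")
    if state == "empty":
        findings.append("root has an empty password field; a blank password would be accepted where empty passwords are allowed")
    if state == "unknown":
        findings.append("root password field is neither a lock marker nor a recognised hash format")
    if shell.endswith("/nologin") or shell.endswith("/false"):
        findings.append("root shell does not permit interactive login")

    return {
        "present": True,
        "uid": int(uid) if uid.isdigit() else None,
        "shell": shell,
        "password_state": state,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, shadow in (("locked", SHADOW_LOCKED), ("hashed", SHADOW_HASHED), ("empty", SHADOW_EMPTY)):
        print(label, audit_root(PASSWD_LINES, shadow))
```

Running it against the three constructed shadow variants shows the progression the post's steps produce: a locked field, then a hashed field once a password is set. An empty field is the case to watch for, since a root entry with no password at all is worse than either.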
Such a method could result in actions that may void our customers' product warranty. HP ArcSight recommends that customers follow the official Technical Support process to obtain an authorization code to access their appliances. HP welcomes the ArcSight community to provide constructive feedback to help improve our processes in support of your needs for SSH access to ArcSight appliances.
HP ArcSight Product Management
I'd wager that HP would say that on the Express systems the OS is under the client's control, but with the ConApp they cover that as they have "tuned it to support better operation of the appliance." Of course, those of us who actually use and understand the product know that their tuning is nothing but a hassle.
While I understand HP's stance on the modifications I mentioned, there are no steps listed that actually affect the operation or functionality of the ArcSight application. This procedure only allows us to more easily troubleshoot a highly buggy system. This is needed because, since HP took over support for ArcSight, it has been an unbearable mess. Level 1 and 2 support have a very slight grasp of the application and zero background in Linux, which is the foundation of all the ArcSight appliances. I've spoken to many ArcSight technicians and they themselves note the lack of understanding their team has. I've closed 85% of my trouble tickets myself. I have a few tickets still open, for over 4 months, which is surprising because the support tickets have an auto-close setting that kicks in after a week of non-updates (this has been verified by an ArcSight engineer who still works at HP). Now, it is generally known that HP has some of the worst technical support around, but to make us call in and wait 20 minutes for a code to be able to log in to our own systems so we can fix it ourselves is just insane, a feeling shared by your own technical support team.
BTW: my next update is how to make the console connection actually useful vs. the ridiculous 10-function system HP provides that doesn't allow you to fix your systems at all. In fact, I'll even note the reason why HP has broken their own system and in some cases made it irreparable, because of this.
I'd be curious to know just how many times support has declined a challenge request (it's not like they ask any questions when you request one...). I'm willing to bet it's very few if not flat out zero. The whole process always seemed like an unnecessary step to me.
I've never had them decline a request, but I've been on hold for 20+ minutes just to get one (though on one call I wasn't on hold but listening to two engineers try to figure out how to generate the code). And the UK and US support teams have different procedures when you ask for one. If it was absolutely necessary, which it's not, they could at least put the code request on the support portal so we could log in and just get it that way. Then we could get it quickly and the support team could address issues more directly.
I have to agree this process of calling in every single time to get a code just so you can access the system you bought is insane. You may as well just buy a software Logger; it's cheaper and then you have all the access you want.
And then the challenge is only good for so long.
Please be aware that following the steps here on the current releases of Logger and CA causes the authentication to fail open. Effectively any password you give for the root user will be accepted. We attempted several workarounds along these lines without success. It appears that ArcSight has hijacked the SSH authentication somehow. Our guess is a custom implementation of the SSH daemon. SSH authentication is definitely bypassing PAM at this point. su and sudo still use PAM for authentication, but SSH does not.