Absent Member.

How to disable the challenge/response on SSH connections

Want to log in to your own boxes (Connector, Logger, etc.) without having to call ArcSight and get permission from them? Here's how you can do it:

1) SSH as root into the box using the current c/r scheme

2) edit the passwd file

     # vi /etc/passwd

3) Change the root parameters (first line, starts with "root")

     From:

     root:x:0:0:root:/root:/bin/limited_shell

     To:

     root:x:0:0:root:/root:/bin/bash

4) save and exit (esc, wq!)

5) unlock root account

     # passwd -u root

6) give root a password

     # passwd

7) lock the files so the ArcSight subprocesses can't undo your change

     # chattr +i /etc/passwd /etc/shadow

There's a bit of a race condition doing it this way. The safer way is to shut down the ArcSight APS subprocess first.

     # /opt/local/monit/bin/monit stop aps

Or go all out and shut everything down

     # /opt/local/monit/bin/monit stop all

Restart with:

     #  /opt/local/monit/bin/monit start aps

or

     #  /opt/local/monit/bin/monit start all
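As an added defender's check (not part of the original post and not ArcSight's own tooling), this POSIX shell script reports whether the changes from the procedure above are present on a box: root's login shell no longer being /bin/limited_shell, and the immutable attribute set on /etc/passwd and /etc/shadow. The passwd and lsattr text used here is constructed sample data; on a real system you would feed it the output of `cat /etc/passwd` and `lsattr /etc/passwd /etc/shadow`.

```shell
#!/bin/sh
# Audit helper: reports whether the root-unlock changes described above
# are present. Inputs are passed as text so it runs against the constructed
# samples below or against real `cat /etc/passwd` / `lsattr` output.

# Login shell of user $1, read from passwd-format text $2.
passwd_shell() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $7; exit }'
}

# Succeeds when lsattr output $2 shows the immutable (i) flag on path $1.
is_immutable() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $2 == p && index($1, "i") > 0 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Prints one finding per line. $1 = passwd text, $2 = lsattr text,
# $3 = login shell root is expected to have on an untouched appliance.
audit_root_unlock() {
    shell=$(passwd_shell root "$1")
    [ "$shell" = "$3" ] || echo "root shell is '$shell', expected '$3'"
    for f in /etc/passwd /etc/shadow; do
        if is_immutable "$f" "$2"; then
            echo "$f carries the immutable attribute"
        fi
    done
    return 0
}

# Number of findings for the given inputs (0 means nothing detected).
finding_count() {
    audit_root_unlock "$1" "$2" "$3" | grep -c . || true
}

# Constructed sample input (not taken from a real appliance): root shell
# changed to bash and both files made immutable, as in the post above.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin'
SAMPLE_LSATTR='----i--------e-- /etc/passwd
----i--------e-- /etc/shadow'

# Constructed untouched baseline for comparison.
CLEAN_PASSWD='root:x:0:0:root:/root:/bin/limited_shell'
CLEAN_LSATTR='-------------e-- /etc/passwd
-------------e-- /etc/shadow'

audit_root_unlock "$SAMPLE_PASSWD" "$SAMPLE_LSATTR" /bin/limited_shell
```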

20 Replies
Absent Member.

Great stuff, thanks for sharing!

Absent Member.

Such a method could result in actions that may void our customer's product warranty. HP ArcSight recommends that customers follow the official Technical Support process to obtain an authorization code to access their appliances. HP welcomes the ArcSight community to provide constructive feedback to help improve our processes in support of your needs for SSH access to ArcSight appliances.

HP ArcSight Product Management

Absent Member.

Express Appliances have root access out of the box. Why doesn't the ConnApp?

Absent Member.

I'd wager that HP would say that on the Express systems the OS is under the client's control, but with the ConApp they cover that as they have "tuned it to support better operation of the appliance." Of course, those of us who actually use and understand the product know that their tuning is nothing but a hassle.

Absent Member.

While I understand HP's stance on the modifications I mentioned, there are no steps listed that actually affect the operation or functionality of the ArcSight application. This procedure only allows us to more easily troubleshoot a highly buggy system. This is needed because, since HP took over support for ArcSight, it has been an unbearable mess. Level 1 and 2 support have a very slight grasp of the application and 0 background in Linux, which is the foundation of all the ArcSight appliances. I've spoken to many ArcSight technicians and they themselves note the lack of understanding their team has. I've closed 85% of my trouble tickets myself. I have a few tickets still open, for over 4 months, which is surprising because the support tickets have an auto-close setting that kicks in after a week of non-updates (this has been verified by an ArcSight engineer who still works at HP). Now it is generally known that HP has some of the worst technical support around, but to make us call in and wait 20 minutes for a code to be able to log in to our own systems so we can fix them ourselves is just insane, a feeling shared by your own technical support team.

BTW: my next update is how to make the console connection actually useful vs. the ridiculous 10-function system HP provides that doesn't allow you to fix your systems at all. In fact I'll even note the reason why HP has broken their own system, and in some cases made it irreparable, because of this.

Honored Contributor.

I'd be curious to know just how many times support has declined a challenge request (it's not like they ask any questions when you request one...).  I'm willing to bet it's very few if not flat out zero.  The whole process always seemed like an unnecessary step to me.

Absent Member.

I've never had them decline a request, but I've been on hold for 20+ minutes just to get one (though on one call I wasn't on hold but listening to two engineers try to figure out how to generate the code). And the UK and US support teams have different procedures when you ask for one. If it was absolutely necessary, which it's not, they could at least put the code request on the support portal so we could log in and just get it that way. Then we could get it quickly and the support team could address issues more directly.

Absent Member.

Just needed a challenge response code......

Super Contributor.

I have to agree this process of calling in every single time to get a code just so you can access the system you bought is insane. You may as well just buy a software Logger; it's cheaper and then you have all the access you want.

And then the challenge is only good for so long.

Insanity

Trusted Contributor.

All,

Please be aware that following the steps here on the current releases of Logger and CA causes the authentication to fail open. Effectively any password you give for the root user will be accepted. We attempted several workarounds along these lines without success. It appears that ArcSight has hijacked the SSH authentication somehow. Our guess is a custom implementation of the SSH daemon. SSH authentication is definitely bypassing PAM at this point. su and sudo still use PAM for authentication, but SSH does not.

Regards,

Brook Watson

ThetaPoint, Inc.

Absent Member.

We found exactly the same Brook ... def seems like they've got their own SSHD setup that doesn't use PAM.

Still working on it 😉
