Re: How to disable the challenge/response on SSH connections

dhartman (Honored Contributor):

I'm getting close, I just can't figure out how to keep the ArcSight ssh from dying after I modify /etc/pam.d/sshd

https://protect724.arcsight.com/message/42750

dhartman (Honored Contributor):

With the help of everyone on this thread and the others, I was finally able to get it to work on the latest version of Logger and ConApp. I will preface this by saying I am sure there are much better ways of doing this, as I am by no means a Linux guru, and by posting this here I have a feeling the next versions of firmware will disable this functionality. If you have any tips or suggestions, please share, as I am sure this process can be improved:

How to gain ssh and full serial console access on appliances *USE AT YOUR OWN RISK, NOT APPROVED/CONDONED/SUPPORTED by HP*:

Logger Serial Login (Tested on 5.3.1.6838.0):

cp /opt/arcsight/cli/cli.sh /opt/arcsight/cli/cli.sh.org
vi /opt/arcsight/cli/cli.sh
### comment out (#) the last line $JAVA_HOME... ###
### add the line /bin/bash below it and save ###
chattr +i /opt/arcsight/cli/cli.sh
cp /etc/securetty /etc/securetty.org
vi /etc/securetty
### add ttyS0 to the end and save ###
init q
### in your serial session just do a Control-C to kill the shell you are in to get to bash ###

ConApp Serial Login (Tested on 6.3.0.6386.0):

cp /opt/arcsight/cli/cli.sh /opt/arcsight/cli/cli.sh.org
vi /opt/arcsight/cli/cli.sh
### comment everything out, add /bin/bash to the end and save ###
chattr +i /opt/arcsight/cli/cli.sh
cp /etc/securetty /etc/securetty.org
vi /etc/securetty
### add ttyS0 to the end and save ###
init q
### in your serial session just do a Control-C to kill the shell you are in to get to bash ###

Enable root login for ConApp and Logger (copy and paste this quickly, or else the overlord script will overwrite the files before you finish typing):

/opt/local/monit/bin/monit stop aps
cp /etc/passwd /etc/passwd.org
cp /etc/shadow /etc/shadow.org
chsh -s /bin/bash root
passwd -u root
echo "root:InsertWhateverPasswordYouWantHere" | chpasswd
chattr +i /etc/passwd /etc/shadow
/opt/local/monit/bin/monit start aps

Enforce root login to verify the validity of its password via ssh for ConApp and Logger:

mv /etc/pam.d/sshd /etc/pam.d/sshd.org
cp /etc/pam.d/system-auth /etc/pam.d/sshd
chattr +i /etc/pam.d/sshd

Set SSH to start/restart automatically (since the above for some reason stops ssh from auto-starting and the ArcSight processes kill it; I tried adding a startup script for sshd to init but couldn't get that to work):

crontab -e
*/5 * * * * /opt/local/openssh/sbin/sshd

Special thanks to , , and for their posts which I pieced this together from.
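As an added example (not part of the post above, and not an HP/ArcSight script), here is the same set of hand edits collected into a single POSIX sh file with idempotent functions. Everything works relative to a root directory ($ROOT, empty for the live appliance), so the file changes can be rehearsed on a scratch tree and inspected before touching the box. Paths are the ones named in the post (/opt/arcsight/cli/cli.sh, /etc/securetty, /etc/pam.d/sshd, /opt/local/monit/bin/monit, /opt/local/openssh/sbin/sshd); the pid file consulted by the watchdog is an assumption, and the cli.sh rewrite follows the post's ConApp variant (comment out every live line, then run /bin/bash).

```shell
#!/bin/sh
# Added example, not from the original post: the hand edits above collected
# into idempotent functions that work under a root directory ($ROOT, empty
# for the live appliance) so the file changes can be rehearsed on a scratch
# tree first. File paths are the ones named in the post; the pid file used
# by sshd_watchdog is an assumption.
ROOT="${ROOT:-}"

# backup_once FILE: keep the first pristine copy as FILE.org, never clobber it
backup_once() {
    [ -f "$ROOT$1" ] || return 1
    [ -e "$ROOT$1.org" ] || cp -p "$ROOT$1" "$ROOT$1.org"
}

# lock_file FILE: chattr +i is what stops the appliance's own scripts from
# undoing the edit; there is nothing to lock in a rehearsal tree
lock_file() {
    [ -z "$ROOT" ] || return 0
    chattr +i "$1" || echo "warning: could not make $1 immutable" >&2
}

# enable_serial_console: swap the restricted CLI for bash (the post's ConApp
# variant: comment out every live line, then run /bin/bash) and let root log
# in on ttyS0; safe to re-run
enable_serial_console() {
    cli=/opt/arcsight/cli/cli.sh
    backup_once "$cli" || return 1
    backup_once /etc/securetty || return 1
    if [ "$(tail -n 1 "$ROOT$cli")" != /bin/bash ]; then
        sed 's/^\([^#]\)/#\1/' "$ROOT$cli" > "$ROOT$cli.tmp" \
            && printf '%s\n' /bin/bash >> "$ROOT$cli.tmp" \
            && mv "$ROOT$cli.tmp" "$ROOT$cli" || return 1
    fi
    grep -qx ttyS0 "$ROOT/etc/securetty" || echo ttyS0 >> "$ROOT/etc/securetty"
    lock_file "$cli"
    [ -n "$ROOT" ] || init q      # reread inittab on the live box, as in the post
}

# enable_ssh_pam: give sshd the normal system-auth PAM stack so a root
# password is really verified (the post's mv/cp of /etc/pam.d/sshd)
enable_ssh_pam() {
    [ -e "$ROOT/etc/pam.d/sshd.org" ] \
        || mv "$ROOT/etc/pam.d/sshd" "$ROOT/etc/pam.d/sshd.org" || return 1
    cmp -s "$ROOT/etc/pam.d/system-auth" "$ROOT/etc/pam.d/sshd" 2>/dev/null \
        || cp "$ROOT/etc/pam.d/system-auth" "$ROOT/etc/pam.d/sshd" || return 1
    lock_file /etc/pam.d/sshd
}

# enable_root_login: reads the new password from stdin (never argv, which
# shows up in ps); live system only, with the aps watchdog stopped so it
# cannot rewrite passwd/shadow mid-edit, as the post warns
enable_root_login() {
    [ -z "$ROOT" ] || { echo "enable_root_login: live system only" >&2; return 1; }
    IFS= read -r pw && [ -n "$pw" ] || { echo "no password on stdin" >&2; return 1; }
    /opt/local/monit/bin/monit stop aps
    backup_once /etc/passwd; backup_once /etc/shadow
    chsh -s /bin/bash root && passwd -u root && printf 'root:%s\n' "$pw" | chpasswd
    rc=$?
    lock_file /etc/passwd; lock_file /etc/shadow
    /opt/local/monit/bin/monit start aps
    return $rc
}

# sshd_watchdog: the post's cron job, but only start sshd when no live process
# owns the pid file, instead of provoking a bind failure every five minutes
sshd_watchdog() {
    pidfile="${SSHD_PIDFILE:-/var/run/sshd.pid}"   # assumption: where this sshd writes its pid
    if [ -r "$pidfile" ] && kill -0 "$(cat "$pidfile")" 2>/dev/null; then
        return 0
    fi
    /opt/local/openssh/sbin/sshd
}

case "${1:-}" in
    serial)   enable_serial_console ;;
    pam)      enable_ssh_pam ;;
    root)     enable_root_login ;;
    watchdog) sshd_watchdog ;;
esac
```

Rehearse with `ROOT=/tmp/stage sh appliance-shell.sh serial` (after copying the real files into the same paths under /tmp/stage) and diff the results against the .org copies before running it with ROOT empty on the appliance; the cron line from the post then becomes `*/5 * * * * /root/appliance-shell.sh watchdog`. Keep in mind that chattr +i on /etc/shadow also blocks every later passwd change until you `chattr -i` it.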

dhartman (Honored Contributor):

FYI, before upgrading to Logger 5.5, see the note I posted about the cli.sh RPM cosmetic error.

Codefire1 (Absent Member):

I don't have access to a test box right now and this may seem like a simple question but has anyone tried just installing a stock openssh and running it on a different port?

dhartman (Honored Contributor):

Yes, there is another thread on here where they talked about how that used to work, but on the latest versions the "ArcSight Overlord" process kills it.

vluiz1 (New Member):

Logger 6.0 no longer has the challenge-response process. Make the upgrade and it is possible to log in to Logger CLI using a password.

MaryCordova (Frequent Contributor):

The ConApp upgrade to ArcMc eliminated this as well. 

Samour (Trusted Contributor):

Actually the ArcMC upgrade doesn't eliminate it.

You need a new license as well.

For Logger just the upgrade is sufficient.

superman (Respected Contributor):

HP has a goal to improve ArcSight software by learning the reasons for which customers have obtained shell access to appliances.

ArcSight administrators value their time and prefer to have immediate access to the Connector or Logger appliances through SSH, and are willing to invest substantial amounts of time in obtaining permanent access to the ArcSight appliances using SSH, which will save time and thus provide efficiency in the future.

Here are my 2 cents on how to obtain permanent access to HP ArcSight appliances without circumventing or tampering with the security controls imposed by HP ArcSight on access and authentication to the appliances: add an independent access and authentication daemon to the connector appliance that uses PAM or other authentication daemons of your choice, and uses stronger encryption than the original SSH daemon.

Example 1. Compile a new ssh server daemon and run it on port 2200, using only key authentication

Download source code from a trusted location or install the “-dev” RPM for CentOS.

Source location Example - ftp://ftp3.usa.openbsd.org/pub/OpenBSD/OpenSSH/portable/

Install

./configure --prefix=/usr --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --sysconfdir=/etc/ssh --localstatedir=/var/lib --libdir=/usr/lib64 --with-ldflags="-Wl,-O1 -Wl,--as-needed" --disable-strip --with-pid-dir=/run --libexecdir=/usr/lib64/misc --datadir=/usr/share/openssh --with-privsep-path=/var/empty --with-privsep-user=sshd --without-kerberos5 --without-ldns --without-libedit --with-pam --with-pie --without-sctp --without-selinux --without-skey --without-ssh1 --with-openssl --with-md5-passwords --with-ssl-engine

make

make install

In sshd_config, change the port to one of your choice (2200)

Change UsePAM to yes

Change Ciphers to use only the ciphers you like (aes192 or perhaps aes256)

Review release notes

http://www.openssh.com/txt/release-7.1

on client side, quick guide to generate keys  -

https://git-scm.com/book/en/v2/Git-on-the-Server-Generating-Your-SSH-Public-Key

https://wiki.gentoo.org/wiki/SSH

hope this helped somebody to have a great day …

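As an added example (my own, not part of the post above and not an OpenSSH or HP script), here is an sshd_config for the second, key-only daemon described above, together with a small audit that reads the file the way sshd itself does: the first occurrence of a keyword wins, so a "PasswordAuthentication no" pasted below an earlier "yes" changes nothing. Paths follow the configure line in the post (--prefix=/usr, --sysconfdir=/etc/ssh, --with-pid-dir=/run, --libexecdir=/usr/lib64/misc); the pid-file name, the host-key file names and the algorithm lists are my assumptions, chosen from the names OpenSSH 7.x accepts.

```shell
#!/bin/sh
# Added example, not from the original post: sshd_config for the second,
# key-only daemon plus an audit that resolves keywords as sshd does (first
# match wins, comments skipped, case-insensitive). Paths follow the configure
# flags in the post; pid-file and host-key names are assumptions.

# write_sshd_config FILE PORT: hardened config for the second daemon
write_sshd_config() {
    cat > "$1" <<EOF
# Second sshd, independent of the appliance's own /opt/local/openssh daemon
Port $2
ListenAddress 0.0.0.0
PidFile /run/sshd-$2.pid
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
# Key-only authentication; PAM still runs for account and session checks
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PermitRootLogin prohibit-password
UsePAM yes
# Pin the suite (OpenSSH 7.x names): AES-256 only, nothing CBC or RC4
Ciphers aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256@libssh.org
LogLevel VERBOSE
Subsystem sftp /usr/lib64/misc/sftp-server
EOF
}

# sshd_setting FILE KEYWORD: the value sshd will actually use for KEYWORD,
# i.e. the first non-comment occurrence, matched case-insensitively
sshd_setting() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == k { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE: non-zero if any password path is still open, a
# setting is left to a release-dependent default, or the cipher list is
# unset or carries a legacy algorithm
audit_sshd_config() {
    rc=0
    for want in "PasswordAuthentication no" "ChallengeResponseAuthentication no" \
                "PermitEmptyPasswords no" "PubkeyAuthentication yes"; do
        key=${want%% *}; val=${want#* }
        got=$(sshd_setting "$1" "$key")
        if [ "$got" != "$val" ]; then
            echo "weak: $key is '${got:-unset}', want $val" >&2
            rc=1
        fi
    done
    case "$(sshd_setting "$1" Ciphers)" in
        ""|*arcfour*|*3des*|*-cbc*|*blowfish*|*cast128*)
            echo "weak: Ciphers unset or includes a legacy algorithm" >&2
            rc=1 ;;
    esac
    return $rc
}

# start_second_sshd FILE: validate before binding; sshd -t exits non-zero on
# a bad directive, so a typo never leaves the port silently closed
start_second_sshd() {
    audit_sshd_config "$1" && /usr/sbin/sshd -t -f "$1" && /usr/sbin/sshd -f "$1"
}
```

Run `write_sshd_config /etc/ssh/sshd_config-2200 2200`, put your public key in ~/.ssh/authorized_keys, then `start_second_sshd /etc/ssh/sshd_config-2200` and connect with `ssh -p 2200 -i ~/.ssh/id_ed25519 user@appliance`; a `-v` on the client shows the negotiated cipher and that only publickey is offered. The audit runs before every start so a later edit that reopens password login is caught rather than quietly accepted.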