Saturday, August 27, 2022

QRadar: SSH to host fails with error "No ECDSA host key is known for and you have requested strict checking"

Troubleshooting

Problem

SSH, and any application that uses SSH to establish connections, such as SCP and RSYNC, fail to connect to an unmanaged QRadar® appliance. This issue affects procedures such as copying QRadar® SFS files to patch a host to match the Console's version before adding the appliance to the deployment.

 

Symptom

The SSH connection attempt fails with the error:
 
# ssh <Remote Host IP>
ERROR: No ECDSA host key is known for <Remote Host IP> and you have requested strict checking.
ERROR: Host key verification failed.

Cause

When "strict checking" is enforced, SSH connects to a host only if that host's public host key already exists in the /root/.ssh/known_hosts file.
 
On older versions, the missing key entry generated a warning. The administrator could choose Y to proceed with the connection or abort it.

Environment

QRadar® 7.4.2 and later.

Resolving The Problem

  1. Log in to the host originating the SSH connection.
  2. SSH to the remote host with strict checking disabled. This adds the host's key entry to the /root/.ssh/known_hosts file.
    Note: This command disables the strict check one time only, to allow the change to the known_hosts file. Future attempts will use strict checking.
     
    # ssh <Remote Host IP> -o StrictHostKeyChecking=no
    Warning: Permanently added '<Remote Host IP>' (ECDSA) to the list of known hosts.
    root@<Remote Host IP>'s password:
  3. SSH to the remote host and the connection is established.
     
    # ssh <Remote Host IP>
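
Step 2 trusts whatever key the remote host presents on first contact. As an added example (not part of the IBM procedure or the original post), the shell functions below write the known_hosts entry only after the scanned ECDSA key matches a fingerprint read on the remote host's own console, so strict checking never has to be relaxed. The function names, the address 192.0.2.10 and the sample key blob are constructed for illustration, and the script assumes base64 and openssl are installed.

```shell
#!/bin/sh
# Added example: pin an ECDSA host key only after its fingerprint is verified.

# SHA256 fingerprint of a base64 key blob, in the form `ssh-keygen -lf` prints.
key_fingerprint() {
    printf 'SHA256:%s\n' "$(printf '%s' "$1" | base64 -d |
        openssl dgst -sha256 -binary | base64 | tr -d '=')"
}

# pin_host_key SCAN_FILE EXPECTED_FP KNOWN_HOSTS
#   SCAN_FILE    saved output of: ssh-keyscan -t ecdsa <Remote Host IP>
#   EXPECTED_FP  fingerprint read on the remote host's own console with:
#                ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub
# Returns 0 if pinned (or already present), 1 on mismatch, 2 if no ECDSA key.
pin_host_key() {
    scan_file=$1 expected=$2 known_hosts=$3
    # First "host keytype blob" line carrying an ECDSA key.
    entry=$(awk '$2 ~ /^ecdsa-sha2-/ && NF >= 3 {print $1, $2, $3; exit}' "$scan_file")
    [ -n "$entry" ] || { echo "no ECDSA key in $scan_file" >&2; return 2; }
    actual=$(key_fingerprint "${entry##* }")
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch: got $actual, expected $expected" >&2
        return 1
    fi
    # Append only once; a plain "ssh <Remote Host IP>" then passes strict checking.
    grep -qxF -- "$entry" "$known_hosts" 2>/dev/null ||
        printf '%s\n' "$entry" >>"$known_hosts"
}

# Demo on constructed data: 192.0.2.10 and the blob are made up, not a real key.
demo() {
    tmp=$(mktemp -d)
    blob='AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY='
    printf '192.0.2.10 ecdsa-sha2-nistp256 %s\n' "$blob" >"$tmp/scan"
    # Matching fingerprint: the entry is written to the scratch known_hosts.
    pin_host_key "$tmp/scan" "$(key_fingerprint "$blob")" "$tmp/known_hosts" &&
        cat "$tmp/known_hosts"
    # Wrong fingerprint: the key is rejected and nothing is written.
    pin_host_key "$tmp/scan" 'SHA256:constructed-wrong-value' "$tmp/known_hosts" ||
        echo "rejected, known_hosts unchanged"
    rm -rf "$tmp"
}
demo
```

On a real host, pass /root/.ssh/known_hosts as the third argument after saving the ssh-keyscan output to a file.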

Reference:

https://www.ibm.com/support/pages/qradar-ssh-host-fails-error-no-ecdsa-host-key-known-and-you-have-requested-strict-checking
