After successful SSH authentication Linux Discovery failing (gMSA MID Server + SSH Private Key)

SiddiqB
Tera Contributor

3 weeks ago

Hi Team,

I am facing an issue with Linux Discovery using SSH Private Key via a gMSA-based Windows MID Server.

1. Current Setup

  • MID Server: AWSMID (running with gMSA account - windows mid server)
  • Authentication: SSH Private Key
  • Target: Ubuntu 22.04 server
  • SSH Key format: RSA (BEGIN RSA PRIVATE KEY)
  • Credential configured in ServiceNow

     

2. Validation Results

  • Manual SSH from MID server (PowerShell):

ssh -i "C:\SSH\sn_mid_rsa" mid_account@<IP> ( 
Successfully connects)
 
3. ServiceNow Credential Test: SiddiqB_1-1780926967007.png

 

 Credential validated successfully
 
4. Discovery starts but fails during classification.

Errors observed in Discovery log:

 
  • SSHTerminalInteractiveCommand: failed to execute
  • cli_commands: show vmdevice
  • Active, couldn't classify, now finished
  • SSH authentication or connection failure

5. MID Server Log Errors

Found repeated errors like:

  • Cloud credentials are missing 
  • Unable to generate temporary credentials
  • sts:AssumeRole → AccessDenied
Labels:
0 Helpfuls
  • 262 Views
1 REPLY 1

shubhamseth
Giga Sage

3 weeks ago

@SiddiqB As per me, you can give try on below: 

 

The issue is most likely caused by the SSH shell session not being fully interactive for Discovery command execution, even though authentication is successful.

 

Main indicators:

  • Manual SSH works

  • Credential test passes

  • Discovery fails during classification

  • Error:
    SSHTerminalInteractiveCommand: failed to execute

This commonly happens in gMSA-based Windows MID setups when:

  • the MID Server Java service cannot properly use the SSH private key/session for interactive command execution

  • or the Linux account does not allow proper PTY/sudo/shell execution required by Discovery

Exact Fix / Solution

 

1. Configure Passwordless Sudo for Discovery Account

On Ubuntu server:

sudo visudo

Add:

mid_account ALL=(ALL) NOPASSWD: ALL

2. Ensure Shell is Bash

Run:

grep mid_account /etc/passwd

Shell should be:

/bin/bash

NOT:

  • /sbin/nologin

  • restricted shell

3. Enable PTY in SSHD

Edit:

/etc/ssh/sshd_config

Ensure:

PermitTTY yes

Then restart SSH:

sudo systemctl restart sshd

4. Give gMSA Read Access to Private Key

On MID Server:

  • Ensure MID Server service account (gMSA) has read access to:
    C:\SSH\sn_mid_rsa

5. Retry Discovery

After changes:

  • Restart MID Server service

  • Clear old Discovery status

  • Re-run Discovery

 

Important Note

The AWS AssumeRole AccessDenied errors are unrelated cloud credential issues and NOT the root cause of Linux Discovery failure.

 

Hope this helps.

 

 

Issue resolved? → Mark as Correct


Found value? → Mark as Helpful


0 Helpfuls