Skip to content
QCecuring Documentation

Troubleshooting

Troubleshooting

Section titled “Troubleshooting”

Common issues and solutions for SSH-KLM.

Discovery Issues

Section titled “Discovery Issues”

No Keys Found

Section titled “No Keys Found”

Symptoms: Discovery scan completes but reports 0 keys

Solutions:

  1. Verify agent has read permissions:
    Terminal window
    sudo -u sshklm ls -la /home/*/.ssh/
  2. Check discovery paths in config
  3. Review agent logs:
    Terminal window
    sudo journalctl -u ssh-klm-agent | grep discovery

Scan Timeout

Section titled “Scan Timeout”

Symptoms: Discovery times out on large hosts

Solutions:

  1. Increase timeout: 
    discovery:
      timeout: 600  # 10 minutes
  2. Use incremental scans
  3. Exclude large directories

Rotation Issues

Section titled “Rotation Issues”

Rotation Failed

Section titled “Rotation Failed”

Symptoms: Key rotation fails with error

Common Causes:

  1. SSH daemon not accepting key type
  2. authorized_keys file permissions
  3. Agent connectivity issues

Solutions:

  1. Check SSH config:
    Terminal window
    grep PubkeyAcceptedKeyTypes /etc/ssh/sshd_config
  2. Fix permissions:
    Terminal window
    chmod 600 ~/.ssh/authorized_keys
    chmod 700 ~/.ssh

Locked Out After Rotation

Section titled “Locked Out After Rotation”

Symptoms: Cannot SSH after rotation

Solutions:

  1. Use rollback: 
    await client.ssh.rollbackRotation({ rotationId: 'ROT-xxx' });
  2. Access via console/out-of-band
  3. Restore from backup key

Agent Issues

Section titled “Agent Issues”

Agent Not Connecting

Section titled “Agent Not Connecting”

Symptoms: Agent shows disconnected in UI

Solutions:

  1. Check network:
    Terminal window
    curl -v https://ssh-klm.example.com/health
  2. Verify token:
    Terminal window
    sudo ssh-klm-agent verify-token
  3. Check firewall:
    Terminal window
    sudo ufw allow out 443/tcp

Agent High CPU

Section titled “Agent High CPU”

Symptoms: Agent using excessive CPU

Solutions:

  1. Increase discovery interval
  2. Exclude unnecessary paths
  3. Check for filesystem issues

API Issues

Section titled “API Issues”

401 Unauthorized

Section titled “401 Unauthorized”

Symptoms: API returns 401 errors

Solutions:

  1. Verify API key is valid
  2. Check key hasn’t expired
  3. Confirm key has required permissions

429 Rate Limited

Section titled “429 Rate Limited”

Symptoms: Requests being rejected

Solutions:

  1. Implement exponential backoff
  2. Cache responses where possible
  3. Request rate limit increase

Database Issues

Section titled “Database Issues”

Connection Errors

Section titled “Connection Errors”

Symptoms: Database connection failures

Solutions:

  1. Check PostgreSQL is running:
    Terminal window
    sudo systemctl status postgresql
  2. Verify connection string
  3. Check pg_hba.conf for access rules

Getting Help

Section titled “Getting Help”

If issues persist:

  1. Collect logs:
    Terminal window
    sudo ssh-klm-agent logs --since 1h > agent-logs.txt
  2. Check documentation
  3. Contact support with:
    • Error messages
    • Log files
    • Steps to reproduce
Section titled “Related Pages”