Problem: (1) At least one plugin is unable to authenticate and logon to our Linux servers using SSH keys OR (2) SSH authentication is working but system identification is not. A similar problem was first reported here by Thomas Nguyen Van on Monday, January 15, 2007 (see below).
Symptoms: Incorrect system identification. This week, Nessus began identifying fully-patched RHEL4 servers as Fedora Core servers with missing Fedora patches.
Doing 'tail -f /var/log/secure' on the target server during the scan, we saw the following:
    Did not receive identification string from ::ffff:<scanner_ip>
    Accepted publickey for secops from ::ffff:<scanner_ip> port 53100 ssh2
    Accepted publickey for secops from ::ffff:<scanner_ip> port 53100 ssh2
Plugin 11936 reports: Nessus was not able to reliably identify the remote operating system. It might be: Linux Kernel 2.4…
Plugin 12634 reports: It was possible to log into the remote host using the supplied asymetric keys...The remote Red Hat system is : Red Hat Enterprise Linux ES release 4 (Nahant Update 4)
Local security checks are being performed, which also indicates that SSH key authentication is working in some cases; however, as mentioned above, local security checks report missing Fedora Core packages.
Environment:
* Direct feed subscriber
* Plugins are updated every day
* Using NessusClient 1.0.1 (batch mode) with Nessus 3.0.4
* Using static configuration files that never change
* SSH credentials are provided using settings:
    SSH settings[entry]:SSH user name : = <account_name>
    SSH settings[file]:SSH public key to use : = <account_pub_key>
    SSH settings[file]:SSH private key to use : = <account_priv_key>
* SSH keys have correct ownership and permissions
* SSH keys do not require passphrases
* SSH keys are in /home/<account_name>/.ssh/authorized_keys on all hosts
* SSH key authentication has been working flawlessly in our environment for nearly 2 years
* SSH key rotation last occurred one year ago
* KB is not re-used between scans
Troubleshooting:
All scans were performed from the same Nessus Client using the same configuration and the same target server:
* Installed a fresh copy of Nessus on a different server. Did not register. Type of plugin feed: Release. Plugin feed version: 200701050232 (newest plugin is January 4, 2007). Performed the same scan. Problem did not occur.
* Registered Nessus. Performed nessus-update-plugins. Type of plugin feed: Registered (7 days delay). Plugin feed version: 200701191815. Performed the same scan. Problem did not occur.
* Used NORMAL scanning server. Type of plugin feed: Direct. Plugin feed version: 200701190315. Performed the same scan. Problem occurred.
* Used NORMAL scanning server. Type of plugin feed: Direct. Plugin feed version: 200701191815. Performed the same scan. Problem occurred.
- John Scherff
From: nessus-bounces@list.nessus.org [mailto:nessus-bounces@list.nessus.org] On Behalf Of Thomas Nguyen Van
Sent: Monday, January 15, 2007 4:12 AM
To: 'Renaud Deraison'; Nessus List
Subject: RE: SSH Credentials problem
Good morning Arnaud,
Happy new year and wish you the best for 2007 !
Actually, I scanned with the latest Nessus version 3.0.4 but results were still the same and plugins were up2date.
To sum up, I scanned Solaris servers in different configurations:
1 - SSH login + password: OK
2 - SSH login + private/public keys + passphrase: Failed
Actually, I don't know how to increase the debugging level so that I can see the credentials exchange between Nessus scanner and its targets.
Do you have a clue, please?
Thomas Nguyen Van (CEH) | OneIT Technical Security Consultant | OneIT Operations | BT |
E: thomas.nguyenvan@bt.com | Mobile: +353 86 1720 692 | Fax: +353 1 432 5899 | www.btireland.com
-----Original Message-----
From: Renaud Deraison [mailto:deraison@nessus.org]
Sent: 20 December 2006 13:05
To: Thomas Nguyen Van; Nessus List
Subject: Re: SSH Credentials problem
On Dec 19, 2006, at 5:26 PM, Thomas Nguyen Van wrote:
>
> Good afternoon,
>
> In addition to my previous mail of today, I would like to add this
> information:
Once again : Are your plugins up-to-date ??
-- Renaud