
RE: Enabling SSH login

Subject: RE: Enabling SSH login
Date: Thu, 15 Dec 2005 10:29:07 -0800
Jeff, 
 
This is gonna take several steps:

* Log on to the server that will be running Nessus and do
  'ssh-keygen -t dsa'.  Just hit enter through all the prompts.  (Entering
  a pass phrase is more secure, but then you'd have to put the pass phrase
  in the nessus config file in clear text, so it kinda cancels out.)  Make
  sure you do this from the account with which you want to access the
  remote system.  For brevity, let's just say this account is jcosta.

* The above step will create a hidden .ssh directory in your home
  directory (/home/jcosta/.ssh).  There will be two files in there: id_dsa
  (your private key) and id_dsa.pub (your public key).  Copy these to
  somewhere under /opt/nessus/etc (or /usr/local/nessus/etc, if you're
  using 2.x.x).  Make sure you set the permissions so that only the
  account you run the nessus client from can read them.  (Technically, you
  can just leave these files in ~/.ssh, but copying them elsewhere
  protects you in case you have a brain fart and overwrite the keys by
  running ssh-keygen again.)

* On each target system (the ones to be scanned), create a .ssh
  directory within the home directory of the same user, jcosta
  (/home/jcosta/.ssh).  Create (touch) a file named authorized_keys and
  then chmod 600 authorized_keys.  Copy (scp) the file
  /home/jcosta/.ssh/id_dsa.pub from the scanning server and do
  'cat id_dsa.pub >> authorized_keys'.  (Or you could just do
  'ssh nessus_server cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys'.)

* Next, on the scanning server, in your ~/.nessusrc file, find the
  below entries and enter the path to the public and private SSH keys you
  copied from your ~/.ssh directory.  E.g., if you copied id_dsa and
  id_dsa.pub from /home/jcosta/.ssh to /opt/nessus/etc/keys, then these
  entries would look like this:

      SSH settings[file]:SSH public key to use : = /opt/nessus/etc/keys/id_dsa.pub
      SSH settings[file]:SSH private key to use : = /opt/nessus/etc/keys/id_dsa

* Run your scan.  (Note: I don't use the GUI.  I use the
  command-line client and point to a config file with the -c option. I use
  George Theall's excellent update-nessusrc script to keep my config files
  up-to-date.)

There's probably a cleaner, faster, more elegant, more hip way to do
this, but my way works for me.
 
Good luck.
 
John


________________________________

        From: nessus-bounces@list.nessus.org
        [mailto:nessus-bounces@list.nessus.org] On Behalf Of Costa, Jeff
        Sent: Thursday, December 15, 2005 9:50 AM
        To: nessus@list.nessus.org
        Subject: Enabling SSH login

        The Nessus 3.0 Advanced User Guide states: "Nessus has the
        ability to log into both UNIX and Windows machines using SSH. This
        means that Nessus has the ability to use the local system to query
        itself for version information."

        How does one enable this functionality?

        Is it an attribute of a specific plugin that needs to be added?
        Is it something I set in the NessusWX client?

        

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
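
The permission and key-placement steps in the reply can be checked with a short script. This is an added example, not part of the original message or of Nessus: the function names are hypothetical, the files written by `make_sample` are constructed placeholders, and it assumes the rc file uses the two `SSH settings[file]` lines in the form quoted in the message.

```shell
# Added example (not from the original message): audit the SSH key files a .nessusrc points to.
# Assumption: the rc file uses the two "SSH settings[file]" lines in the form quoted above.

# Print the key path configured in rc file $1 for kind $2 ("public" or "private").
nessusrc_key_path() {
    sed -n "s|^[[:space:]]*SSH settings\[file\]:SSH $2 key to use : = *||p" "$1" | head -n 1
}

# Print a file's permission bits in octal (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Succeed only when group and other have no permission bits set.
owner_only() {
    m=$(mode_of "$1") || return 1
    [ $(( 0$m & 077 )) -eq 0 ]
}

# Audit rc file $1; optional $2 is a target's authorized_keys (or a copy of it).
# Prints one finding per line and returns 1 if any check failed.
audit_nessusrc() {
    rc=0
    priv=$(nessusrc_key_path "$1" private)
    pub=$(nessusrc_key_path "$1" public)
    for f in "$priv" "$pub"; do
        [ -n "$f" ] && [ -r "$f" ] || { echo "FAIL unreadable or unset key path: '$f'"; rc=1; }
    done
    if [ -f "$priv" ] && ! owner_only "$priv"; then
        echo "FAIL private key readable beyond owner (mode $(mode_of "$priv")): $priv"; rc=1
    fi
    if [ -n "${2:-}" ] && [ -f "$pub" ]; then
        owner_only "$2" || { echo "FAIL authorized_keys is not owner-only: $2"; rc=1; }
        # Match on the base64 key blob (field 2) so options or comments do not matter.
        grep -qF -- "$(awk '{print $2; exit}' "$pub")" "$2" ||
            { echo "FAIL public key not present in $2"; rc=1; }
    fi
    return $rc
}

# Build constructed sample files (placeholder key material, not real keys) under dir $1.
make_sample() {
    mkdir -p "$1/keys" "$1/target/.ssh"
    echo "PLACEHOLDER-PRIVATE-KEY" > "$1/keys/id_dsa"
    echo "ssh-dss AAAAB3NzaC1kc3MAAACBconstructed jcosta@nessus_server" > "$1/keys/id_dsa.pub"
    cat "$1/keys/id_dsa.pub" > "$1/target/.ssh/authorized_keys"
    chmod 644 "$1/keys/id_dsa"; chmod 600 "$1/target/.ssh/authorized_keys"
    printf 'SSH settings[file]:SSH public key to use : = %s\nSSH settings[file]:SSH private key to use : = %s\n' "$1/keys/id_dsa.pub" "$1/keys/id_dsa" > "$1/nessusrc"
}
```

Calling `make_sample` on a scratch directory and then `audit_nessusrc` on its `nessusrc` flags the deliberately world-readable private key; after `chmod 600` on that key the audit passes.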