RE: SSH Credentials problem

> > You could try un-commenting that entry and re-starting sshd before
doing the scan.

 

I meant to say, un-comment that entry and change the parameter from
'yes' to 'no'.

 

________________________________

From: nessus-bounces@list.nessus.org
[mailto:nessus-bounces@list.nessus.org] On Behalf Of John Scherff
Sent: Tuesday, January 16, 2007 10:32 AM
To: Thomas Nguyen Van; nessus@list.nessus.org
Subject: RE: SSH Credentials problem

 

Thomas,

 

Generally, items that are commented out in sshd_config are shown with
their default settings.  This probably means your sshd is doing
reverse-map checking.  You could try un-commenting that entry and
re-starting sshd before doing the scan.

 

On top of that, ReverseMappingCheck has been deprecated, so either your
sshd is old (bad) or your config file is just a carry-over from an old
version (not-so-bad).  You should definitely check your version of sshd
and apply any available patches.  There are a few things you can get
away with not patching for a long time, but SSH ain't one of them.

 

Finally, you could also try putting your scanning server in /etc/hosts.

 

And I definitely concur with Ron Gula on putting sshd into debug mode
for troubleshooting purposes.

 

Good luck,

 

John

 

 

 

 

________________________________

From: Thomas Nguyen Van [mailto:thomas.nguyenvan@bt.com] 
Sent: Tuesday, January 16, 2007 6:35 AM
To: John Scherff; nessus@list.nessus.org
Subject: RE: SSH Credentials problem

 

Afternoon John,

 

Sorry for the delay and below my answers to your questions in green.

 

Thanks for all.

Thomas Nguyen Van (CEH) | OneIT Technical Security Consultant | OneIT
Operations | BT | 
E: thomas.nguyenvan@bt.com |Mobile: +353 86 1720 692 | Fax: +353 1 432
5899| www.btireland.com 

        -----Original Message-----
        From: John Scherff [mailto:JScherff@24hourfit.com] 
        Sent: 15 January 2007 18:14
        To: Thomas Nguyen Van; nessus@list.nessus.org
        Subject: RE: SSH Credentials problem

        Thomas,

         

        Does your Nessus scanner have a PTR record (reverse-map entry)
in the DNS?  

        > There is no PTR record and no DNS is defined.

                > cat /etc/hosts
                # Do not remove the following line, or various programs
                # that require network functionality will fail.
                127.0.0.1       myserver localhost.localdomain localhost

         Some implementations of sshd have a bug wherein you can't turn
off reverse-map checking (setting 'ReverseMappingCheck' to 'no' in the
sshd_config file has no effect). 

                > grep -i "reverse" /etc/ssh/sshd_config
                #ReverseMappingCheck yes 

         

        Also, are you doing anything with TCP wrappers on the target? 

                > I'm not familiar with TCP wrappers. Could you precise
your idea, please?

         

        John Scherff

         

         

         

        
________________________________


        From: nessus-bounces@list.nessus.org
[mailto:nessus-bounces@list.nessus.org] On Behalf Of Thomas Nguyen Van
        Sent: Tuesday, December 19, 2006 8:26 AM
        To: 'nessus@list.nessus.org'
        Subject: RE: SSH Credentials problem

         

         

        Good afternoon, 

        In addition to my previous mail of today, I would like to add
those information: 

        We did the following tests: 
        Test 1 - Manual SSH connection to IP_Nessus_Target with
password: Ok 
        Test 2 - Manual SSH connection to IP_Nessus_Target with
public/private keys: Ok 
        Test 3 - Nessus SSH connection to IP_Nessus_Target with
password: Ok 
        Test 4 - Nessus SSH connection to IP_Nessus_Target with
public/private keys: Failed 

        The analyse of the /var/adm/messages file on IP_Nessus_Target
showed that: 
        Dec 19 16:05:55 IP_Nessus_Target sshd[13422]: [ID 800047
auth.info] Did not receive ident string from IP_Nessus_Scanner.

        Dec 19 16:05:56 IP_Nessus_Target sshd[13423]: [ID 800047
auth.info] Could not reverse map address IP_Nessus_Scanner. 
        Dec 19 16:05:56 IP_Nessus_Target sshd[13423]: [ID 800047
auth.info] Connection closed by IP_Nessus_Scanner 
        Dec 19 16:06:01 IP_Nessus_Target sshd[13424]: [ID 800047
auth.info] Could not reverse map address IP_Nessus_Scanner. 
        Dec 19 16:06:01 IP_Nessus_Target sshd[13424]: [ID 800047
auth.info] Connection closed by IP_Nessus_Scanner 
        Dec 19 16:06:01 IP_Nessus_Target sshd[13425]: [ID 800047
auth.info] Did not receive ident string from IP_Nessus_Scanner.

         

        Do you know why I read the message "Did not receive ident string
from IP_Nessus_Scanner." on the Nessus_Target? 

        Many thanks in advance 
        Regards, 
        Thomas 

        -----Original Message----- 
        From: Thomas Nguyen Van 
        Sent: 19 December 2006 13:04 
        To: 'nessus@list.nessus.org' 
        Subject: SSH Credentials problem 

         

        Good afternoon, 

        I checked your Nessus' FAQ before calling you
(http://mail.nessus.org/pipermail/nessus/2006-September/msg00186.html)
and I have quiet the same problem as JeanPaul.

        Actually, I activated the plugins "Local Checks Failed" (21745)
and scanned a solaris server. On the /var/log/message file, I can see
that nessus account was able to connect on the target server:

                Dec 19 13:01:09 Server_Target sshd[7724]: [ID 800047
auth.info] Accepted publickey for nessus_account from nessus_server port
56364 ssh2

        However, when I checked the .nbe file, I got the error message
associated to the plugin 21745 and I can't get any information like
security holes or general information with the plugin 12634.

        I would really appreciate a clue to understand what happened. 

        Thanks a million 

        Thomas 

         

        BT Communications Ireland Limited 
        is a wholly owned subsidiary of BT Group plc 
        Registered in Ireland, Registration No. 141524 
        Grand Canal Plaza, Upper Grand Canal Street, Dublin, Ireland 

        This electronic message contains information (and may contain
files) from BT Communications Ireland Limited which may be privileged or
confidential. The information is intended to be for the sole use of the
individual(s) or entity named above. If you are not the intended
recipient be aware that any disclosure, copying, distribution or use of
the contents of this information and or files is prohibited. If you have
received this electronic message in error, please notify us by telephone
or email (to the numbers or address above) immediately.
http://www.btireland.ie




BT Communications Ireland Limited 

is a wholly owned subsidiary of BT Group plc 

Registered in Ireland, Registration No. 141524 

Grand Canal Plaza, Upper Grand Canal Street, Dublin, Ireland 


This electronic message contains information (and may contain files)
from BT Communications Ireland Limited which may be privileged or
confidential. The information is intended to be for the sole use of the
individual(s) or entity named above. If you are not the intended
recipient be aware that any disclosure, copying, distribution or use of
the contents of this information and or files is prohibited. If you have
received this electronic message in error, please notify us by telephone
or email (to the numbers or address above) immediately.
http://www.btireland.ie

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus