RE: SSH Credentials problem

Follow-up (see below): I see a large number of "<service> depends on
find_service.nes which could not be found" in the nessusd.messages log
file.  I do not see this same error when scanning from a
freshly-installed server.  I see it only on the 'direct-feed' server.

 

________________________________

From: nessus-bounces@list.nessus.org
[mailto:nessus-bounces@list.nessus.org] On Behalf Of John Scherff
Sent: Friday, January 19, 2007 5:22 PM
To: Nessus List
Subject: RE: SSH Credentials problem

 

Problem:  (1) At least one plugin is unable to authenticate and logon to
our Linux servers using SSH keys OR (2) SSH authentication is working
but system identification is not.  A similar problem was first reported
here by Thomas Nguyen Van on Monday, January 15, 2007 (see below).

 

Symptoms:  Incorrect system identification.  This week, Nessus began
identifying fully-patched RHEL4 servers as Fedora Core servers with
missing Fedora patches.  

 

Doing 'tail -f /var/log/secure' on the target server during the scan, we
saw the following: 

 

Did not receive identification string from ::ffff:<scanner_ip>

Accepted publickey for secops from ::ffff:<scanner_ip> port 53100 ssh2

Accepted publickey for secops from ::ffff:<scanner_ip> port 53100 ssh2

 

Plugin 11936 reports: Nessus was not able to reliably identify the
remote operating system. It might be: Linux Kernel 2.4...

 

Plugin 12634 reports: It was possible to log into the remote host using
the supplied asymetric keys...The remote Red Hat system is : Red Hat
Enterprise Linux ES release 4 (Nahant Update 4)

 

Local security checks are being performed, which also indicates that SSH
key authentication is working in some cases; however, as mentioned
above, local security checks report missing Fedora Core packages.

 

Environment:

 

*      Direct feed subscriber

*      Plugins are updated every day

*      Using NessusClient 1.0.1 (batch mode) with Nessus 3.0.4

*      Using Static configuration files that never change

*      SSH credentials are provided using settings:

SSH settings[entry]:SSH user name : = <account_name>

SSH settings[file]:SSH public key to use : = <account_pub_key>

SSH settings[file]:SSH private key to use : = <accont_priv_key>

*      SSH keys have correct ownership and permissions

*      SSH keys do not require passphrases

*      SSH keys are in /home/<account_name>/.ssh/authorized_keys on all
hosts

*      SSH key authentication has been working flawlessly in our
environment for nearly 2 years

*      SSH key rotation last occurred one year ago

*      KB is not re-used between scans

 

Troubleshooting:

 

All scans were performed from the same Nessus Client using the same
configuration and the same target server:

 

*      Installed a fresh copy of Nessus on a different server. Did not
register. Type of plugin feed: Release.  Plugin feed version:
200701050232 (newest plugin is January 4, 2007).  Performed the same
scan.  Problem did not occur.

*      Registered Nessus. Performed nessus-update-plugins.  Type of
plugin feed: Registered (7 days delay).  Plugin feed version:
200701191815.  Performed the same scan.  Problem did not occur.

*      Used NORMAL scanning server.  Type of plugin feed: Direct.
Plugin feed version: 200701190315.  Performed the same scan.  Problem
occurred.

*      Used NORMAL scanning server.  Type of plugin feed: Direct.
Plugin feed version: 200701191815.  Performed the same scan.  Problem
occurred.

 

- John Scherff

 

________________________________

From: nessus-bounces@list.nessus.org
[mailto:nessus-bounces@list.nessus.org] On Behalf Of Thomas Nguyen Van
Sent: Monday, January 15, 2007 4:12 AM
To: 'Renaud Deraison'; Nessus List
Subject: RE: SSH Credentials problem

 

Good morning Arnaud, 

Happy new year and wish you the best for 2007 ! 

Actually, I scanned with the latest Nessus version 3.0.4 but results
were still the same and plugins were up2date. 

To sum up, I scanned solaris servers in different configurations: 
1 - SSH login + password: OK 
2 - SSH login + private/public keys + passphrase: Failed 

Actually, I don't know how to increase the debugging level so that I can
see the credentials exchange between Nessus scanner and its targets.

Do you have a clue, please? 

Thomas Nguyen Van (CEH) | OneIT Technical Security Consultant | OneIT
Operations | BT |  
E: thomas.nguyenvan@bt.com |Mobile: +353 86 1720 692 | Fax: +353 1 432
5899| www.btireland.com 

 

-----Original Message----- 
From: Renaud Deraison [mailto:deraison@nessus.org] 
Sent: 20 December 2006 13:05 
To: Thomas Nguyen Van; Nessus List 
Subject: Re: SSH Credentials problem 

 

On Dec 19, 2006, at 5:26 PM, Thomas Nguyen Van wrote: 

> Good afternoon, 
>
> In addition to my previous mail of today, I would like to add those 
> information: 

Once again : Are your plugins up-to-date ?? 

 

                                        -- Renaud 

 

BT Communications Ireland Limited 
is a wholly owned subsidiary of BT Group plc 
Registered in Ireland, Registration No. 141524 
Grand Canal Plaza, Upper Grand Canal Street, Dublin, Ireland 

This electronic message contains information (and may contain files)
from BT Communications Ireland Limited which may be privileged or
confidential. The information is intended to be for the sole use of the
individual(s) or entity named above. If you are not the intended
recipient be aware that any disclosure, copying, distribution or use of
the contents of this information and or files is prohibited. If you have
received this electronic message in error, please notify us by telephone
or email (to the numbers or address above) immediately.
http://www.btireland.ie

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus