On Fri, 6 Dec 2002, Anne Carasik wrote:

> I cannot for the life of me get public key/cert authentication
> working on the client side of nessus.
...
> Now, when I try to login, I'm still prompted for a password.
The nessus server requires both a username and a password when authenticating even if you've configured it to use public key authentication. Thus, the client will prompt you for it, although if using public key auth it can be any non-null string.

On the client side, make sure your .nessusrc points cert_file, key_file, and trusted_ca to your certificate, private key, and CA certificate respectively. [NB: I believe the CA must be the same as the one that issued the server's cert, which is true if you use both nessus-mkcert and nessus-mkcert-client.]

On the server side, make sure that you have set "force_pubkey_auth" and that the file users/auth/dname under the nessusd local state dir (e.g., "/usr/local/var") contains the DN listed in the client's certificate (in the Subject line). I notice the format of the DN in the certificate differs from that reported by the command "openssl x509 -noout -subject -in cert_$user.pem" (cert_$user.pem should point to your client cert); I used the latter format but am not sure if the first would work as well.

Finally, note that nessus relies on OpenSSL to validate the certificate. So if you're still having problems after you've followed the instructions above, make sure you're using the correct files, that your certs haven't expired, etc.

George
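The checks named in the reply above (correct files, unexpired cert, CA match, DN entry) can be scripted with standard OpenSSL commands. This is an added example, not part of the original message or of Nessus; the function name `check_client_cert` is hypothetical, and the optional DN check assumes the dname file holds the DN as printed by `openssl x509 -noout -subject` without the `subject=` prefix.

```shell
#!/bin/sh
# Added example: preflight checks for a client certificate setup.
# usage: check_client_cert CERT KEY CA [DNAME_FILE]
# Returns 0 if all checks pass, 1 if any check fails, 2 if a file is unreadable.
check_client_cert() {
    cert=$1 key=$2 ca=$3 dname=${4:-}
    rc=0

    for f in "$cert" "$key" "$ca"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f" >&2; return 2; }
    done

    # 1. Expiry: -checkend 0 exits non-zero if the cert is already expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $cert has expired" >&2; rc=1
    fi

    # 2. Chain: the client cert must verify against the CA certificate
    #    that trusted_ca points to.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca" >&2; rc=1
    fi

    # 3. Pairing: the public key in the cert must match the private key,
    #    which catches cert_file and key_file pointing at different users.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key for $cert" >&2; rc=1
    fi

    # 4. DN: print the subject in the openssl format, and if a dname file
    #    was given, check it contains that string (assumed file format).
    dn=$(openssl x509 -in "$cert" -noout -subject 2>/dev/null | sed 's/^subject= *//')
    echo "subject DN: $dn"
    if [ -n "$dname" ] && ! grep -qF -- "$dn" "$dname"; then
        echo "FAIL: DN not found in $dname" >&2; rc=1
    fi

    return $rc
}

# Run the checks when the script is called with arguments.
[ "$#" -lt 3 ] || check_client_cert "$@"
```

The first three arguments are the same files that cert_file, key_file, and trusted_ca point to in .nessusrc.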
