-
Logon to the server that will be running Nessus and do 'ssh-keygen -t dsa'. Just hit enter through all the prompts. (Entering a pass phrase is more secure, but then you'd have to put the pass phrase in the nessus config file in clear text, so it kinda cancels out.) Make sure you do this from the account with which you want to access the remote system. For brevity, let's just say this account is jcosta.
-
The above step will create a hidden .ssh directory in your home directory (/home/jcosta/.ssh). There will be two files in there: id_dsa (your private key) and id_dsa.pub (your public key). Copy these to somewhere under /opt/nessus/etc (or /usr/local/nessus/etc, if you're using 2.x.x). Make sure you set the permissions so that only the account you run the nessus client from can read them. (Technically, you can just leave these files in ~/.ssh, but copying them elsewhere protects you in case you have a brain fart and overwrite the keys by running ssh-keygen again.)
-
On each target system (the ones to be scanned), create a .ssh directory within the home directory of the same user, jcosta (/home/jcosta/.ssh). Create (touch) a file named authorized_keys and then chmod 600 authorized_keys. Copy (scp) the file /home/jcosta/.ssh/id_dsa.pub from the scanning server and do cat id_dsa.pub >> authorized_keys. (Or you could just do ssh nessus_server cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys.)
-
Next, on the scanning server, in your ~/.nessusrc file, find the below entries and enter the path to the public and private SSH keys you copied from your ~/.ssh directory. E.g., if you copied id_dsa and id_dsa.pub from /home/jcosta/.ssh to /opt/nessus/etc/keys, then these entries would look like this:
SSH settings[file]:SSH public key to use : = /opt/nessus/etc/keys/id_dsa.pub
SSH settings[file]:SSH private key to use : = /opt/nessus/etc/keys/id_dsa -
Run your scan. (Note: I don't use the GUI. I use the command-line client and point to a config file with the -c option. I use George Theall's excellent update-nessusrc script to keep my config files up-to-date.)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Costa, Jeff
Sent: Thursday, December 15, 2005 9:50 AM
To: [email protected]
Subject: Enabling SSH loginThe Nessus 3.0 Advanced User Guide states: "Nessus has the ability to log into both UNIX and Windows machines using SSH. This means that Nessus has the ability to use the local system to query itself for version information."How does one enable this functionality?Is it an attribute of a specific plugin that needs to be added? Is it something I set in the NessusWX client?
"This email (including any attachments) is confidential. If you are not the intended recipient you must not copy, use, disclose, distribute or rely on the information contained in it. If you have received this email in error, please notify the sender immediately by reply email and delete the email from your system. Confidentiality and legal privilege attached to this communication are not waived or lost by reason of mistaken delivery to you. Lend Lease does not guarantee that this email or the attachment(s) are unaffected by computer virus, corruption or other defects. Lend Lease may monitor incoming and outgoing emails for compliance with its Email Policy. Please note that our servers may not be located in your country."
_______________________________________________ Nessus mailing list [email protected] http://mail.nessus.org/mailman/listinfo/nessus
