Problem: (1) At least one plugin is unable to authenticate and log on to our Linux servers using SSH keys OR (2) SSH authentication is working but system identification is not. A similar problem was first reported here by Thomas Nguyen Van on Monday, January 15, 2007 (see below).

Symptoms: Incorrect system identification. This week, Nessus began identifying fully-patched RHEL4 servers as Fedora Core servers with missing Fedora patches. Doing 'tail -f /var/log/secure' on the target server during the scan, we saw the following:

    Did not receive identification string from ::ffff:<scanner_ip>
    Accepted publickey for secops from ::ffff:<scanner_ip> port 53100 ssh2
    Accepted publickey for secops from ::ffff:<scanner_ip> port 53100 ssh2

Plugin 11936 reports:

    Nessus was not able to reliably identify the remote operating system. It might be: Linux Kernel 2.4...

Plugin 12634 reports:

    It was possible to log into the remote host using the supplied asymetric keys...The remote Red Hat system is : Red Hat Enterprise Linux ES release 4 (Nahant Update 4)

Local security checks are being performed, which also indicates that SSH key authentication is working in some cases; however, as mentioned above, local security checks report missing Fedora Core packages.

Environment:

* Direct feed subscriber
* Plugins are updated every day
* Using NessusClient 1.0.1 (batch mode) with Nessus 3.0.4
* Using static configuration files that never change
* SSH credentials are provided using settings:
    SSH settings[entry]:SSH user name : = <account_name>
    SSH settings[file]:SSH public key to use : = <account_pub_key>
    SSH settings[file]:SSH private key to use : = <account_priv_key>
* SSH keys have correct ownership and permissions
* SSH keys do not require passphrases
* SSH keys are in /home/<account_name>/.ssh/authorized_keys on all hosts
* SSH key authentication has been working flawlessly in our environment for nearly 2 years
* SSH key rotation last occurred one year ago
* KB is not re-used between scans

Troubleshooting: All scans were performed from the same Nessus Client using the same configuration and the same target server:

* Installed a fresh copy of Nessus on a different server. Did not register. Type of plugin feed: Release. Plugin feed version: 200701050232 (newest plugin is January 4, 2007). Performed the same scan. Problem did not occur.
* Registered Nessus. Performed nessus-update-plugins. Type of plugin feed: Registered (7 days delay). Plugin feed version: 200701191815. Performed the same scan. Problem did not occur.
* Used NORMAL scanning server. Type of plugin feed: Direct. Plugin feed version: 200701190315. Performed the same scan. Problem occurred.
* Used NORMAL scanning server. Type of plugin feed: Direct. Plugin feed version: 200701191815. Performed the same scan. Problem occurred.

- John Scherff

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thomas Nguyen Van
Sent: Monday, January 15, 2007 4:12 AM
To: 'Renaud Deraison'; Nessus List
Subject: RE: SSH Credentials problem

Good morning Arnaud,

Happy new year and wish you the best for 2007 !

Actually, I scanned with the latest Nessus version 3.0.4 but results were still the same and plugins were up2date. To sum up, I scanned Solaris servers in different configurations:

1 - SSH login + password: OK
2 - SSH login + private/public keys + passphrase: Failed

Actually, I don't know how to increase the debugging level so that I can see the credentials exchange between Nessus scanner and its targets. Do you have a clue, please?

Thomas Nguyen Van (CEH) | OneIT Technical Security Consultant | OneIT Operations | BT | E: [EMAIL PROTECTED] | Mobile: +353 86 1720 692 | Fax: +353 1 432 5899 | www.btireland.com

-----Original Message-----
From: Renaud Deraison [mailto:[EMAIL PROTECTED]
Sent: 20 December 2006 13:05
To: Thomas Nguyen Van; Nessus List
Subject: Re: SSH Credentials problem

On Dec 19, 2006, at 5:26 PM, Thomas Nguyen Van wrote:
>
> Good afternoon,
>
> In addition to my previous mail of today, I would like to add those
> information:

Once again : Are your plugins up-to-date ??

-- Renaud
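
Added example, not part of the original thread: a small triage script for the /var/log/secure lines quoted in the first message. It separates connections that closed before sending an SSH version string (which sshd logs as "Did not receive identification string") from completed key logins, per source address. The sample log lines, the address 192.0.2.10 standing in for <scanner_ip>, and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the style of /var/log/secure; 192.0.2.10 stands in for <scanner_ip>.
SAMPLE = """\
Jan 19 18:20:01 rhel4 sshd[4101]: Did not receive identification string from ::ffff:192.0.2.10
Jan 19 18:20:07 rhel4 sshd[4105]: Accepted publickey for secops from ::ffff:192.0.2.10 port 53100 ssh2
Jan 19 18:20:09 rhel4 sshd[4109]: Accepted publickey for secops from ::ffff:192.0.2.10 port 53100 ssh2
Jan 19 18:21:30 rhel4 sshd[4120]: Failed password for root from ::ffff:198.51.100.7 port 40022 ssh2
""".splitlines()

# Both patterns use search(), so lines with or without a syslog prefix match.
NO_IDENT = re.compile(r"Did not receive identification string from (\S+)")
AUTH = re.compile(r"(Accepted|Failed) (\S+) for (?:invalid user )?(\S+) from (\S+) port (\d+)")


def norm(addr):
    """Strip the IPv4-mapped IPv6 prefix that sshd logs on dual-stack listeners."""
    return addr[7:] if addr.lower().startswith("::ffff:") else addr


def summarize(lines):
    """Per source address: banner-less connects, accepted logins, failed logins."""
    out = defaultdict(lambda: {"no_ident": 0, "accepted": [], "failed": []})
    for line in lines:
        m = NO_IDENT.search(line)
        if m:
            out[norm(m.group(1))]["no_ident"] += 1
            continue
        m = AUTH.search(line)
        if m:
            result, method, user, addr, port = m.groups()
            key = "accepted" if result == "Accepted" else "failed"
            out[norm(addr)][key].append((user, method, int(port)))
    return dict(out)


def scanner_auth_ok(lines, scanner_ip, account):
    """True if the scan account completed a publickey login from the scanner address."""
    seen = summarize(lines).get(scanner_ip, {"accepted": []})
    return any(u == account and meth == "publickey" for u, meth, _ in seen["accepted"])
```
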
