Hi!

Meanwhile we have developed a solution, files attached.
We had to slightly change my initial idea.

With these scripts it is necessary that any script that uses
  script_mandatory_keys("login/SSH/success");
must take care that ssh_authorization.nasl is executed beforehand.
This can be done with
  script_dependencies("ssh_authorization.nasl");
The reason for this change is that ssh_authorization changed
from ACT_SETTINGS to ACT_GATHER_INFO and therefore is not executed
automatically anymore.

The dependency can be established via another dependency such as
gather_package_list.nasl.

We counted 47 scripts demanding "login/SSH/success" but lacking a dependency.
This is doable manually. In several cases the actual detect scripts
need the dependency. So it might be even fewer scripts that need the dependency.

To my understanding these additional dependencies can be committed right away even
with the current (old) ssh_authorization because they do not hurt.


Can you review the proposed new way and perhaps do test scans with it?

netstat_portscan.nasl remains a problematic case. Ideas?
Perhaps remove the mandatory_key directive?

Best

Jan


On Wednesday, 19 September 2012, Jan-Oliver Wagner wrote:
> On Thursday 13 September 2012 00:02:45 Thomas Reinke wrote:
> > We're running into a hiccup with openvassd (rls 5) that I wouldn't
> > mind getting some feedback on.
> >
> > After upgrading both scanner and scripts, and removing find_service.nes
> > from the plugins directory so that there was no possibility of confusion
> > with find_service.nasl and the built in find_service plugin, a look at
> > the openvassd.messages log is showing that find_service.nasl is being
> > launched BEFORE nmap.nasl.
> >
> > My understanding is that nmap.nasl, with a category of ACT_SCANNER,
> > should ALWAYS execute before something like find_service.nasl, with
> > a category of ACT_GATHER_INFO.
> >
> > Is there something I'm missing?  Shouldn't all ACT_SCANNER class
> > scripts be COMPLETELY finished, regardless of user config, before
> > other categories start firing up?  This is preventing find_service.nasl
> > from working correctly.
> 
> The source of the problem is ssh_authorization.
> This ACT_SETTINGS script should not do anything else than care about
> settings. It should _not_ do tests on a certain port.
> My proposal is to have a "ssh_check.nasl" in ACT_GATHER_INFO
> and replace a couple of dependencies to ssh_authorization to ssh_check
> (or even remove the dependency as we actually only need the
> login/SSH/success KB entry - no?).
> ssh_check.nasl would do the port check and set the KB entry accordingly.
> 
> Would this be an adequate solution?
> 
> 
> One problem would probably arise from this: netstat_portscan.nasl.
> This NVT is ACT_SCANNER but logs into the target using SSH,
> which is heavily in conflict with the ACT_ sequence.
> It could not use ' script_mandatory_keys("login/SSH/success"); '
> anymore.
> Would that be a problem?
> 
> 
> Best
> 
> Jan
> 



-- 
Dr. Jan-Oliver Wagner |  ++49-541-335084-0  |  http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460
Managing Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner
# OpenVAS
# $Id: ssh_authorization.nasl 14018 2012-09-06 19:39:28Z reinke $
# Description: This script allows to set SSH credentials for target hosts.
#
# Authors:
# Jan-Oliver Wagner <jan-oliver.wag...@greenbone.net>
# Felix Wolfsteller <felix.wolfstel...@greenbone.net>
# Chandrashekhar B <bchan...@secpod.com>
# Michael Meyer <michael.me...@greenbone.net>
#
# Copyright:
# Copyright (C) 2007,2008,2009,2010,2011,2012 Greenbone Networks GmbH
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2,
# or, at your option, any later version as published by the
# Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

if(description)
{
 script_id(90022);
 script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:N");
 script_version("$Revision: 14018 $");
 script_tag(name:"last_modification", value:"$Date: 2012-09-06 21:39:28 +0200 (Thu, 06 Sep 2012) $");
 script_tag(name:"creation_date", value:"2007-11-01 23:55:52 +0100 (Thu, 01 Nov 2007)");
 script_tag(name:"risk_factor", value:"None");
 script_tag(name:"cvss_base", value:"0.0");
 script_name("SSH Authorization Check");

 desc = "This script tries to login with provided credentials.

If the login was successful, it marks this port as available
for any authenticated tests.
";

 script_description(desc);
 script_summary("Try to login with provided credentials");
 script_category(ACT_GATHER_INFO);
 script_copyright("Copyright 2007-2012 Greenbone Networks GmbH");
 script_family("General");
 script_dependencies("find_service.nasl","ssh_authorization_init.nasl");
 exit(0);
}

include("ssh_func.inc");

# Check if port for us is known
port = get_preference("auth_port_ssh");

if(!port) {
    port = get_kb_item("Services/ssh");
}
if(!port)
{
  log_message(data:'No port for an ssh connect was found open.\nHence authenticated checks are not enabled.');
  exit(0); # If port is not open
}

# Check if an account was defined either by the preferences ("old") or by the
# server ("new").

if(kb_ssh_login() && (kb_ssh_password() || kb_ssh_publickey()))
{

  sock = ssh_login_or_reuse_connection();

  if(!sock)
  {
    log_message(data:'It was not possible to login using the provided SSH credentials.\nHence authenticated checks are not enabled.', port:port);
    ssh_close_connection();
    exit(0);
  }

  set_kb_item(name:"login/SSH/success", value:TRUE);
  log_message(data:'It was possible to login using the provided SSH credentials.\nHence authenticated checks are enabled.', port:port);
  ssh_close_connection();
}
else
{
  log_message(data:'No sufficient SSH credentials were supplied.\nHence authenticated checks are not enabled.', port:port);
}

exit(0);

# OpenVAS
# $Id$
# Description: This script allows to set SSH credentials for target hosts.
#
# Authors:
# Jan-Oliver Wagner <jan-oliver.wag...@greenbone.net>
# Felix Wolfsteller <felix.wolfstel...@greenbone.net>
# Chandrashekhar B <bchan...@secpod.com>
# Michael Meyer <michael.me...@greenbone.net>
#
# Copyright:
# Copyright (C) 2007,2008,2009,2010,2011,2012 Greenbone Networks GmbH
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2,
# or, at your option, any later version as published by the
# Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

if(description)
{
 script_id(103591);
 script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:N");
 script_version("$Revision$");
 script_tag(name:"last_modification", value:"$Date$");
 script_tag(name:"creation_date", value:"2012-10-24 10:55:52 +0100 (Wed, 24 Oct 2012)");
 script_tag(name:"risk_factor", value:"None");
 script_tag(name:"cvss_base", value:"0.0");
 script_name("SSH Authorization");

 desc = "This script allows users to enter the information
required to authorize and login via the ssh protocol.

These data will be used by other tests to execute
authenticated checks.";

 script_description(desc);
 script_summary("Sets SSH key-based authorization, optionally on a per-target basis.");
 script_category(ACT_SETTINGS);
 script_copyright("Copyright 2007-2012 Greenbone Networks GmbH");
 script_family("Credentials");

# Preference type to trigger client-side ssh-login selection per target
 script_add_preference(name:"Keys:", type:"sshlogin", value:"-");

# Preference to decide whether to use old-style "single" login or the "new" per-target-wise
# (deprecated: once openvas-server < 2.0.1 is not supported anymore this can be removed)
 script_add_preference(name:"Use per-target login information", type:"checkbox", value:"no");
# Following values will be used for the default case of "single" login definition for all targets
# (deprecated: once openvas-server < 2.0.1 is not supported anymore this can be removed)
 script_add_preference(name:"SSH login name:", type:"entry", value:"sshovas");
 script_add_preference(name:"SSH password (unsafe!):", type:"password", value:"");
 script_add_preference(name:"SSH public key:", type:"file", value:"");
 script_add_preference(name:"SSH private key:", type:"file", value:"");
 script_add_preference(name:"SSH key passphrase:", type:"password", value:"");

 exit(0);
}

use_new = script_get_preference("Use per-target login information");

if(use_new == "no")
{
  # Old-style "single" login for all targets
  ssh_login_name = script_get_preference("SSH login name:");
  ssh_password = script_get_preference("SSH password (unsafe!):");
  ssh_public_key = script_get_preference_file_content("SSH public key:");
  ssh_private_key = script_get_preference_file_content("SSH private key:");
  ssh_key_passphrase = script_get_preference("SSH key passphrase:");

  if (ssh_login_name) set_kb_item(name: "Secret/SSH/login", value: ssh_login_name);
  if (ssh_password) set_kb_item(name:"Secret/SSH/password", value:ssh_password);
  if (ssh_public_key) set_kb_item(name: "Secret/SSH/publickey", value: ssh_public_key);
  if (ssh_private_key) set_kb_item(name: "Secret/SSH/privatekey", value: ssh_private_key);
  if (ssh_key_passphrase) set_kb_item(name: "Secret/SSH/passphrase", value: ssh_key_passphrase);
}

exit(0);
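The audit described in the mail (scripts that demand "login/SSH/success" but reach ssh_authorization.nasl neither directly nor through another dependency such as gather_package_list.nasl) can be scripted. The following Python is an added example, not code from this thread or from the OpenVAS project; the sample plugin sources are constructed, and it assumes the dependency and key declarations are plain string literals as in the attached scripts.

```python
import re

# Constructed sample plugin sources keyed by file name; these are not real
# feed files, just enough of each to exercise the audit logic.
SAMPLE_PLUGINS = {
    "ssh_authorization.nasl": 'script_category(ACT_GATHER_INFO);\n',
    "gather_package_list.nasl": 'script_dependencies("ssh_authorization.nasl");\n'
                                'script_mandatory_keys("login/SSH/success");\n',
    "direct_dep.nasl": 'script_dependencies("find_service.nasl", "ssh_authorization.nasl");\n'
                       'script_mandatory_keys("login/SSH/success");\n',
    "transitive_dep.nasl": 'script_dependencies("gather_package_list.nasl");\n'
                           'script_mandatory_keys("login/SSH/success");\n',
    "missing_dep.nasl": 'script_dependencies("find_service.nasl");\n'
                        "script_mandatory_keys('login/SSH/success');\n",
    "unrelated.nasl": 'script_mandatory_keys("Host/runs_unixoide");\n',
}

DEP_RE = re.compile(r'script_dependencies\s*\(([^)]*)\)')
KEY_RE = re.compile(r'script_mandatory_keys\s*\(([^)]*)\)')
STR_RE = re.compile(r'["\']([^"\']*)["\']')

def parse_plugin(src):
    """Return (dependencies, mandatory keys) declared anywhere in a NASL source."""
    deps = {s for m in DEP_RE.finditer(src) for s in STR_RE.findall(m.group(1))}
    keys = {s for m in KEY_RE.finditer(src) for s in STR_RE.findall(m.group(1))}
    return deps, keys

def reaches(name, provider, parsed):
    """True if `name` depends on `provider` directly or through other plugins."""
    stack, seen = [name], set()
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        deps = parsed.get(cur, (set(), set()))[0]   # files not in the set have no deps
        if provider in deps:
            return True
        stack.extend(deps)
    return False

def find_missing(plugins, key="login/SSH/success", provider="ssh_authorization.nasl"):
    """Names of plugins that demand `key` but never (transitively) depend on `provider`."""
    parsed = {n: parse_plugin(src) for n, src in plugins.items()}
    return sorted(n for n, (deps, keys) in parsed.items()
                  if key in keys and not reaches(n, provider, parsed))

if __name__ == "__main__":
    print(find_missing(SAMPLE_PLUGINS))   # ['missing_dep.nasl']
```

To run it over a real plugins directory, read each .nasl file into a dict keyed by file name and pass it to find_missing; if the provider ends up being named differently (e.g. a separate check script), change the `provider` argument.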
_______________________________________________
Openvas-devel mailing list
Openvas-devel@wald.intevation.org
http://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-devel