Greetings. I'm trying to set up OpenVAS to perform SSH login dependent
checks during remote host scans. To test how it works I've created a short
scan config that includes

SSH Authorization Check (1.3.6.1.4.1.25623.1.0.90022)
SSH Login Failed For Authenticated Checks (1.3.6.1.4.1.25623.1.0.10593

and a couple of other SSH related vulnerability checks. It works fine when
I scan hosts that have OpenSSH prior to 7.x installed but I get "It was not
possible to login using the provided SSH credentials" with OpenSSH 7.x
hosts. I'm having no luck with both FreeBSD 10 (OpenSSH 7.2 in base
distribution) and CentOS 6 (OpenSSH 7.2 compiled from sources) hosts.

Here is how sshd logs look during OpenVAS login attempt failure on
CentOS/OpenSSH 7.2 box:

Jun  8 12:42:54 centoshost sshd[22987]: debug1: Forked child 23742.
Jun  8 12:42:54 centoshost sshd[23742]: debug1: Set /proc/self/oom_score_adj to 0
Jun  8 12:42:54 centoshost sshd[23742]: debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
Jun  8 12:42:54 centoshost sshd[23742]: debug1: inetd sockets after dupping: 3, 3
Jun  8 12:42:54 centoshost sshd[23742]: Connection from <openvas_host_ip> port <openvas_host_port> on <centos_host_ip> port <centos_host_port>
Jun  8 12:42:54 centoshost sshd[23742]: debug1: Client protocol version 2.0; client software version libssh-0.5.5
Jun  8 12:42:54 centoshost sshd[23742]: debug1: no match: libssh-0.5.5
Jun  8 12:42:54 centoshost sshd[23742]: debug1: Enabling compatibility mode for protocol 2.0
Jun  8 12:42:54 centoshost sshd[23742]: debug1: Local version string SSH-2.0-OpenSSH_7.2
Jun  8 12:42:54 centoshost sshd[23742]: debug1: permanently_set_uid: 74/74 [preauth]
Jun  8 12:42:54 centoshost sshd[23742]: debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Jun  8 12:42:54 centoshost sshd[23742]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Jun  8 12:42:54 centoshost sshd[23742]: Connection closed by <openvas_host_ip> port <openvas_host_port> [preauth]
Jun  8 12:42:54 centoshost sshd[23742]: debug1: do_cleanup [preauth]
Jun  8 12:42:54 centoshost sshd[23742]: debug1: do_cleanup
Jun  8 12:42:54 centoshost sshd[23742]: debug1: Killing privsep child 23743

Part of sshd logs during successful OpenVAS login on CentOS/OpenSSH 5.3:

Jun  8 13:35:48 centoshost sshd[2447]: debug1: Forked child 2493.
Jun  8 13:35:48 centoshost sshd[2493]: Set /proc/self/oom_score_adj to 0
Jun  8 13:35:48 centoshost sshd[2493]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Jun  8 13:35:48 centoshost sshd[2493]: debug1: inetd sockets after dupping: 3, 3
Jun  8 13:35:48 centoshost sshd[2493]: Connection from <openvas_host_ip> port <openvas_host_port>
Jun  8 13:35:48 centoshost sshd[2493]: debug1: Client protocol version 2.0; client software version libssh-0.5.5
Jun  8 13:35:48 centoshost sshd[2493]: debug1: no match: libssh-0.5.5
Jun  8 13:35:48 centoshost sshd[2493]: debug1: Enabling compatibility mode for protocol 2.0
Jun  8 13:35:48 centoshost sshd[2493]: debug1: Local version string SSH-2.0-OpenSSH_5.3
Jun  8 13:35:48 centoshost sshd[2494]: debug1: permanently_set_uid: 74/74
Jun  8 13:35:48 centoshost sshd[2494]: debug1: list_hostkey_types: ssh-rsa,ssh-dss
Jun  8 13:35:48 centoshost sshd[2494]: debug1: SSH2_MSG_KEXINIT sent
Jun  8 13:35:48 centoshost sshd[2494]: debug1: SSH2_MSG_KEXINIT received
Jun  8 13:35:48 centoshost sshd[2494]: debug1: kex: client->server aes256-ctr hmac-sha1 none
Jun  8 13:35:48 centoshost sshd[2494]: debug1: kex: server->client aes256-ctr hmac-sha1 none
Jun  8 13:35:48 centoshost sshd[2494]: debug1: expecting SSH2_MSG_KEXDH_INIT
Jun  8 13:35:48 centoshost sshd[2494]: debug1: SSH2_MSG_NEWKEYS sent
Jun  8 13:35:48 centoshost sshd[2494]: debug1: expecting SSH2_MSG_NEWKEYS
Jun  8 13:35:48 centoshost sshd[2494]: debug1: SSH2_MSG_NEWKEYS received
Jun  8 13:35:48 centoshost sshd[2494]: debug1: KEX done
Jun  8 13:35:48 centoshost sshd[2494]: debug1: userauth-request for user <openvas_ssh_user> service ssh-connection method none
Jun  8 13:35:48 centoshost sshd[2494]: debug1: attempt 0 failures 0
Jun  8 13:35:48 centoshost sshd[2493]: debug1: PAM: initializing for "<openvas_ssh_user>"
Jun  8 13:35:48 centoshost sshd[2493]: debug1: PAM: setting PAM_RHOST to "<openvas_host_ip>"
Jun  8 13:35:48 centoshost sshd[2493]: debug1: PAM: setting PAM_TTY to "ssh"
Jun  8 13:35:48 centoshost sshd[2494]: debug1: userauth-request for user <openvas_ssh_user> service ssh-connection method password
...

Any ideas what can be done?

My openvas-check-setup results:

# openvas-check-setup --v8 --server
openvas-check-setup 2.3.0
  Test completeness and readiness of OpenVAS-8
  (add '--v6' or '--v7' or '--9'
   if you want to check for another OpenVAS version)

  Please report us any non-detected problems and
  help us to improve this check routine:
  http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

  Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the
problem.

Step 1: Checking OpenVAS Scanner ...
        OK: OpenVAS Scanner is present in version 5.0.5.
        OK: OpenVAS Scanner CA Certificate is present as
/var/lib/openvas/CA/cacert.pem.
        OK: NVT collection in /var/lib/openvas/plugins contains 47548 NVTs.
        WARNING: Signature checking of NVTs is not enabled in OpenVAS
Scanner.
        SUGGEST: Enable signature checking (see
http://www.openvas.org/trusted-nvts.html).
        OK: The NVT cache in /var/cache/openvas contains 47548 files for
47548 NVTs.
        OK: redis-server is present in version v=3.2.0.
        OK: scanner (kb_location setting) is configured properly using the
redis-server socket: /tmp/redis.sock
        OK: redis-server is running and listening on socket:
/tmp/redis.sock.
        OK: redis-server configuration is OK and redis-server is running.
Step 2: Checking OpenVAS Manager ...
        OK: OpenVAS Manager is present in version 6.0.8.
        OK: OpenVAS Manager client certificate is present as
/var/lib/openvas/CA/clientcert.pem.
        OK: OpenVAS Manager database found in /var/lib/openvas/mgr/tasks.db.
        OK: Access rights for the OpenVAS Manager database are correct.
        OK: At least one user exists.
        OK: sqlite3 found, extended checks of the OpenVAS Manager
installation enabled.
        OK: OpenVAS Manager database is at revision 146.
        OK: OpenVAS Manager expects database at revision 146.
        OK: Database schema is up to date.
        OK: OpenVAS Manager database contains information about 47376 NVTs.
        OK: OpenVAS SCAP database found in
/var/lib/openvas/scap-data/scap.db.
        OK: OpenVAS CERT database found in
/var/lib/openvas/cert-data/cert.db.
        OK: xsltproc found.
Step 3: Checking user configuration ...
        WARNING: Your password policy is empty.
        SUGGEST: Edit the /etc/openvas/pwpolicy.conf file to set a password
policy.
Step 4: Checking Greenbone Security Assistant (GSA) ...
        OK: Greenbone Security Assistant is present in version 6.0.10.
Step 5: Checking OpenVAS CLI ...
        SKIP: Skipping check for OpenVAS CLI.
Step 6: Checking Greenbone Security Desktop (GSD) ...
        SKIP: Skipping check for Greenbone Security Desktop.
Step 7: Checking if OpenVAS services are up and running ...
        OK: netstat found, extended checks of the OpenVAS services enabled.
        OK: OpenVAS Scanner is running and listening on all interfaces.
        OK: OpenVAS Scanner is listening on port 9391, which is the default
port.
        WARNING: OpenVAS Manager is running and listening only on the local
interface.
        This means that you will not be able to access the OpenVAS Manager
from the
        outside using GSD or OpenVAS CLI.
        SUGGEST: Ensure that OpenVAS Manager listens on all interfaces
unless you want
        a local service only.
        OK: OpenVAS Manager is listening on port 9390, which is the default
port.
        OK: Greenbone Security Assistant is listening on port 9392, which
is the default port.
Step 8: Checking nmap installation ...
        WARNING: Your version of nmap is not fully supported: 7.12
        SUGGEST: You should install nmap 5.51 if you plan to use the nmap
NSE NVTs.
Step 10: Checking presence of optional tools ...
        OK: pdflatex found.
        OK: PDF generation successful. The PDF report format is likely to
work.
        OK: ssh-keygen found, LSC credential generation for GNU/Linux
targets is likely to work.
        OK: rpm found, LSC credential package generation for RPM based
targets is likely to work.
        WARNING: Could not find alien binary, LSC credential package
generation for DEB based targets will not work.
        SUGGEST: Install alien.
        OK: nsis found, LSC credential package generation for Microsoft
Windows targets is likely to work.
        OK: SELinux is disabled.

It seems like your OpenVAS-8 installation is OK.

If you think it is not OK, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us
analyze the problem.

Package versions:

# yum list installed | grep openvas
openvas.noarch                      1.0-17.el6.art
@atomic
openvas-cli.x86_64                  1.4.3-9.el6.art
@atomic
openvas-libraries.x86_64            8.0.7-24.el6.art
@atomic
openvas-manager.x86_64              6.0.8-35.el6.art
@atomic
openvas-scanner.x86_64              5.0.5-23.el6.art
@atomic
openvas-smb.x86_64                  1.0.1-1.el6.art
@atomic

# yum list installed | grep libssh
libssh.x86_64                       0.5.5-5.el6
@epel
libssh2.x86_64                      1.7.0-5.0.cf.rhel6
installed
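
Added example (not part of the original post, and not OpenVAS or OpenSSH code): a small triage script for sshd debug1 logs like the two excerpts above, reporting how far each connection got in the SSH handshake so that a key-exchange abort can be told apart from rejected credentials. The sample lines are constructed by unwrapping and shortening the posted logs; the function names and the PID-attribution heuristic are assumptions of this example.

```python
import re
# Constructed sample: unwrapped, shortened copies of the two sessions quoted in the post.
SAMPLE = """\
Jun  8 12:42:54 centoshost sshd[22987]: debug1: Forked child 23742.
Jun  8 12:42:54 centoshost sshd[23742]: debug1: Local version string SSH-2.0-OpenSSH_7.2
Jun  8 12:42:54 centoshost sshd[23742]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Jun  8 12:42:54 centoshost sshd[23742]: Connection closed by <openvas_host_ip> port <openvas_host_port> [preauth]
Jun  8 13:35:48 centoshost sshd[2447]: debug1: Forked child 2493.
Jun  8 13:35:48 centoshost sshd[2493]: debug1: Local version string SSH-2.0-OpenSSH_5.3
Jun  8 13:35:48 centoshost sshd[2494]: debug1: SSH2_MSG_KEXINIT sent
Jun  8 13:35:48 centoshost sshd[2494]: debug1: SSH2_MSG_KEXINIT received
Jun  8 13:35:48 centoshost sshd[2494]: debug1: userauth-request for user <openvas_ssh_user> service ssh-connection method password
"""
STAGES = ["connected", "kexinit_sent", "kexinit_received", "kex_done", "userauth"]
MARKERS = {"SSH2_MSG_KEXINIT sent": 1, "SSH2_MSG_KEXINIT received": 2,
           "KEX done": 3, "userauth-request for user": 4}  # log text -> index in STAGES
LINE = re.compile(r"sshd\[(\d+)\]: (?:debug\d: )?(.*)$")

def analyze(log_text):
    sessions, current = {}, None  # forked child PID -> furthest stage reached
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = m.groups()
        fork = re.match(r"Forked child (\d+)\.", msg)
        if fork:
            current = fork.group(1)
            sessions[current] = {"server": None, "stage": 0, "closed_preauth": False}
            continue
        # Assumption: an unknown PID is the privsep child of the latest fork (as in the 5.3 excerpt).
        s = sessions.get(pid) or sessions.get(current)
        if s is None:
            continue
        banner = re.search(r"Local version string (\S+)", msg)
        if banner:
            s["server"] = banner.group(1)
        for text, idx in MARKERS.items():
            if text in msg:
                s["stage"] = max(s["stage"], idx)
        if msg.startswith("Connection closed by") and msg.endswith("[preauth]"):
            s["closed_preauth"] = True
    return sessions

def verdict(s):
    stage = STAGES[s["stage"]]
    if s["closed_preauth"] and stage == "kexinit_sent":
        return "peer closed after server KEXINIT; no credentials were offered"
    return "authentication attempted" if stage == "userauth" else "stopped at " + stage
```

On the sample, the OpenSSH 7.2 session stops at kexinit_sent and the 5.3 session reaches userauth. The "most recent fork" heuristic is only reliable when connections do not overlap in the log.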