SSH Integration

To configure Tenable with Delinea using SSH integration:

Required User Role: Standard, Scan Manager, or Administrator

To configure Tenable for Delinea SSH for Tenable Vulnerability Management or Tenable Nessus:

Log in to your Tenable user interface.
In the upper-left corner, click the button.

The left navigation plane appears.
In the left navigation plane, click Scans.

The Scans page appears.
In the upper-right corner of the page, click the Create a Scan button.

The Select a Scan Template page appears.
Select a scan template.

The scan configuration page appears.
In the Name box, type a name for the scan.
In the Targets box, type an IP address, hostname, or range of IP addresses.
(Optional) Add a description, folder location, scanner location, and specify target groups.
Click the Credentials tab.

The Credentials pane appears.
In the Select a Credential menu, select the Host drop-down.
Select SSH.

The Settings pane appears.
In the Auth Type drop-down box, click Tenable for Delinea Secret Server.

The Tenable for Delinea Secret Server options appear.

Configure each option for the SSH authentication.

Option	Description	Required
Delinea Authentication Method	Indicates whether to use credentials or an API key for authentication. By default, Credentials is selected.	yes
Delinea Login Name	The username to authenticate to the Delinea server.	yes
Delinea Password	The password to authenticate to the Delinea server. This is associated with the Delinea Login Name you provided.	yes
Delinea API Key	The API key generated in the Secret Server user interface. This setting is required if the API Key authentication method is selected.	yes
Delinea Secret Name	The value of the secret on the Delinea server. The secret is labeled Secret Name on the Delinea server.	yes
Delinea Host	The Delinea Secret Server host to pull the secrets from.	yes
Delinea Port	The Delinea Secret Server Port for API requests. By default, Tenable uses 443.	yes
Delinea Login Name	The username to authenticate to the Delinea server.	yes
Delinea Password	The password to authenticate to the Delinea server. This is associated with the Delinea Login Name you provided.	yes
Use Private Key	If enabled, uses key-based authentication for SSH connections instead of password authentication.	no
Checkout Duration	The duration Tenable should check out the password from Delinea. Duration time is in hours and should be longer than the scan time.	yes
Use SSL	Enable if the Delinea Secret Server is configured to support SSL.	no
Verify SSL Certificate	If enabled, verifies the SSL Certificate on the Delinea server.	no
Elevate privileges with Privilege Escalation	The privilege escalation method you want to use to increase users' privileges after initial authentication. Multiple options for privilege escalation are supported, including su, su+sudo and sudo. Your selection determines the specific options you must configure.	no
Custom password prompt	Some devices are configured to prompt for a password with a non-standard string (for example, "secret-passcode"). This setting allows recognition of these prompts. Leave this blank for most standard password prompts.	no
Targets to Prioritize Credentials	Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list. Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster.	no

Do one of the following:
- If you want to save without launching the scan, click Save.
- If you want to save and launch the scan immediately, click Save & Launch.
  
  Note: If you scheduled the scan to run at a later time, the Save & Launch option is not available.

To configure Tenable for Delinea SSH for Tenable Security Center:

Log in to Tenable Security Center.
Click Scanning > Credentials (administrator users) or Scans > Credentials (organizational users).

The Credentials page appears.
Click Add.

The Credential Templates page appears.
In the Miscellaneous, API Gateway, Database, SNMP, SSH, or Windows, or Web Authentication sections, click the tile for the specific method you want to configure.

The Add Credentials configuration page appears.
In the Name box, type a name for the credentials.
In the Description box, type a description for the credentials.
(Optional) Type or select a Tag. For more information, see Tags in the Tenable Security Center User Guide.

Configure each option for the SSH authentication.

Option	Description	Required
Delinea Authentication Method	Indicates whether to use credentials or an API key for authentication. By default, Credentials is selected.	yes
Delinea Login Name	The username to authenticate to the Delinea server.	yes
Delinea Password	The password to authenticate to the Delinea server. This is associated with the Delinea Login Name you provided.	yes
Delinea API Key	The API key generated in the Secret Server user interface. This setting is required if the API Key authentication method is selected.	yes
Delinea Secret Name	The value of the secret on the Delinea server. The secret is labeled Secret Name on the Delinea server.	yes
Delinea Host	The Delinea Secret Server host to pull the secrets from.	yes
Delinea Port	The Delinea Secret Server Port for API requests. By default, Tenable uses 443.	yes
Delinea Login Name	The username to authenticate to the Delinea server.	yes
Delinea Password	The password to authenticate to the Delinea server. This is associated with the Delinea Login Name you provided.	yes
Use Private Key	If enabled, uses key-based authentication for SSH connections instead of password authentication.	no
Checkout Duration	The duration Tenable should check out the password from Delinea. Duration time is in hours and should be longer than the scan time.	yes
Use SSL	Enable if the Delinea Secret Server is configured to support SSL.	no
Verify SSL Certificate	If enabled, verifies the SSL Certificate on the Delinea server.	no
Elevate privileges with Privilege Escalation	The privilege escalation method you want to use to increase users' privileges after initial authentication. Multiple options for privilege escalation are supported, including su, su+sudo and sudo. Your selection determines the specific options you must configure.	no
Custom password prompt	Some devices are configured to prompt for a password with a non-standard string (for example, "secret-passcode"). This setting allows recognition of these prompts. Leave this blank for most standard password prompts.	no
Targets to Prioritize Credentials	Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list. Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster.	no

Click Submit.

Tenable Security Center saves your configuration.