Enable SSH Local Security Checks
This section provides a high-level procedure for enabling SSH between the systems involved in the Tenable Nessus credential checks. It is not an in-depth tutorial on SSH, and assumes the reader has the prerequisite knowledge of Linux system commands.
Generating SSH Public and Private Keys
The first step is to generate a private/public key pair for the Tenable Nessus scanner to use. You can generate this key pair from any of your Linux systems, using any user account. However, it is important that the defined Tenable Nessus user owns the keys.
To generate the key pair, use ssh-keygen and save the key in a safe place (see the following Red Hat ES 3 installation example).
# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/Users/test/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in
Your public key has been saved in
The key fingerprint is:
Do not transfer the private key to any system other than the one running the Tenable Nessus server. When ssh-keygen asks you for a passphrase, enter a strong passphrase or press the Return key twice (that is, do not set any passphrase). If you specify a passphrase, you must specify it in Policies > Credentials > SSH settings for Tenable Nessus to use key-based authentication.
Tenable Nessus Windows users may wish to copy both keys to the main Tenable Nessus application directory on the system running Tenable Nessus (
C:\Program Files\Tenable\Nessus by default), and then copy the public key to the target systems as needed. This makes it easier to manage the public and private key files.
Creating a User Account and Setting up the SSH Key
On every target system that you want to scan using local security checks, create a new user account dedicated to Tenable Nessus. This user account must have exactly the same name on all systems. For this document, we call the user nessus, but you can use any name.
Once you create the user account, make sure that the account has no valid password set. On Linux systems, new user accounts are locked by default, unless you explicitly set an initial password. If you are using an account where someone had set a password, use the passwd –l command to lock the account.
You must also create the directory under this new account’s home directory to hold the public key. For this exercise, the directory is /home/nessus/.ssh. See the following Linux systems example:
# passwd –l nessus
# cd /home/nessus
# mkdir .ssh
For Solaris 10 systems, Sun has enhanced the passwd(1) command to distinguish between locked and non-login accounts. This is to ensure that you cannot use a locked user account to execute commands (for example, cron jobs). You only use non-login accounts to execute commands, and they do not support an interactive login session. These accounts have the “NP” token in the password field of /etc/shadow. To set a non-login account and create the SSH public key directory in Solaris 10, run the following commands:
# passwd –N nessus
# grep nessus /etc/shadow
# cd /export/home/nessus
# mkdir .ssh
Now that you have created the user account, you must transfer the key to the system, place it in the appropriate directory, and set the correct permissions.
From the system containing the keys, secure copy the public key to system that you want to scan for host checks as shown in the following example.
# scp ssh_key.pub [email protected]:/home/nessus/.ssh/authorized_keys
You can also copy the file from the system on which you installed Tenable Nessus using the secure ftp command,
sftp. You must name the file on the target system authorized_keys.
Return to the System Housing the Public Key
Set the permissions on both the /home/nessus/.ssh directory and the authorized_keys file.
# chown -R nessus:nessus ~nessus/.ssh/
# chmod 0600 ~nessus/.ssh/authorized_keys
# chmod 0700 ~nessus/.ssh/
Repeat this process on all systems that you want to test for SSH checks (starting at “Creating a User Account and Setting up the SSH Key” above).
Test to make sure that the accounts and networks are configured correctly. Using the simple Linux command id, from the Tenable Nessus scanner, run the following command:
# ssh -i /home/test/nessus/ssh_key [email protected] id
uid=252(nessus) gid=250(tns) groups=250(tns)
If it successfully returns information about the Tenable Nessus user, the key exchange was successful.