Configuration Requirements for SSH

Nessus supports the blowfish-cbc, aesXXX-cbc (aes128, aes192, and aes256), 3des-cbc, and aes-ctr algorithms.

Some commercial variants of SSH do not support the blowfish cipher, possibly for export reasons. An SSH server can also be configured to accept only certain types of encryption. Check that your SSH server accepts at least one of the algorithms listed above.

User Privileges

For maximum effectiveness, the SSH user must be able to run any command on the system. On Linux systems, the SSH user must have root privileges. While it is possible to run some checks (such as patch levels) with non-privileged access, full compliance checks that audit system configuration and file permissions require root access. For this reason, Tenable recommends that you use SSH keys instead of credentials when possible.

Configuration Requirements for Kerberos

If you use Kerberos, you must configure sshd with Kerberos support to verify the ticket with the KDC. You must properly configure reverse DNS lookups for this to work. The Kerberos interaction method must be gssapi-with-mic.
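
The cipher check and the Kerberos check described above can be run against an OpenSSH server's effective configuration. The script below is an added example, not Tenable's code: the function names are hypothetical, the sample configurations are constructed, and expanding "aes-ctr" to the three AES key sizes is an assumption.

```shell
#!/bin/sh
# Ciphers the page lists as supported by Nessus. Expanding "aes-ctr" to the
# three key sizes is an assumption of this example.
NESSUS_CIPHERS="blowfish-cbc aes128-cbc aes192-cbc aes256-cbc 3des-cbc aes128-ctr aes192-ctr aes256-ctr"

# Read an effective config in `sshd -T` format on stdin and print the server
# ciphers that are also in NESSUS_CIPHERS, one per line.
cipher_overlap() {
    server=$(awk '$1 == "ciphers" { print $2; exit }' | tr ',' ' ')
    for c in $server; do
        case " $NESSUS_CIPHERS " in
            *" $c "*) echo "$c" ;;
        esac
    done
}

# Succeed if the config on stdin enables GSSAPI authentication, which OpenSSH
# requires before it offers the gssapi-with-mic method.
gssapi_enabled() {
    awk '$1 == "gssapiauthentication" { v = $2 } END { exit (v == "yes") ? 0 : 1 }'
}

# Report on one effective config passed as a string argument.
audit_sshd() {
    overlap=$(printf '%s\n' "$1" | cipher_overlap | tr '\n' ' ')
    if [ -n "$overlap" ]; then
        echo "ciphers: OK (${overlap% })"
    else
        echo "ciphers: FAIL (no cipher in common with the scanner)"
    fi
    if printf '%s\n' "$1" | gssapi_enabled; then
        echo "kerberos: gssapiauthentication yes"
    else
        echo "kerberos: gssapiauthentication is not enabled"
    fi
}

# Constructed sample input, not output captured from a real host.
SAMPLE_HARDENED='ciphers chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com
gssapiauthentication no'
SAMPLE_COMPATIBLE='ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes128-ctr
gssapiauthentication yes'

audit_sshd "$SAMPLE_HARDENED"
audit_sshd "$SAMPLE_COMPATIBLE"
# On a real server (as root): audit_sshd "$(sshd -T 2>/dev/null)"
```

The first sample shows the failure mode the cipher paragraph warns about: a server restricted to ciphers outside the supported list has nothing in common with the scanner, so the credentialed scan cannot negotiate a session.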