TOC & Recently Viewed

Recently Viewed Topics

Enable SSH Local Security Checks

This section is intended to provide a high-level procedure for enabling SSH between the systems involved in the Nessus credential checks. It is not intended to be an in-depth tutorial on SSH. It is assumed the reader has the prerequisite knowledge of Unix system commands.

Generating SSH Public and Private Keys

The first step is to generate a private/public key pair for the Nessus scanner to use. This key pair can be generated from any of your Unix systems, using any user account. However, it is important that the keys be owned by the defined Nessus user.

To generate the key pair, use ssh-keygen and save the key in a safe place. In the following example the keys are generated on a Red Hat ES 3 installation.

# ssh-keygen -t dsa

Generating public/private dsa key pair.

Enter file in which to save the key (/Users/test/.ssh/id_dsa):


Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in


Your public key has been saved in


The key fingerprint is:



Do not transfer the private key to any system other than the one running the Nessus server. When ssh-keygen asks you for a passphrase, enter a strong pass phrase or hit the “Return” key twice (i.e., do not set any passphrase). If a pass phrase is specified, it must be specified in the Policies -> Credentials -> SSH settings options in order for Nessus to use key-based authentication.

Nessus Windows users may wish to copy both keys to the main Nessus application directory on the system running Nessus (C:\Program Files\Tenable\Nessus by default), and then copy the public key to the target systems as needed. This makes it easier to manage the public and private key files.

Creating a User Account and Setting up the SSH Key

On every target system to be scanned using local security checks, create a new user account dedicated to Nessus. This user account must have exactly the same name on all systems. For this document, we will call the user “nessus”, but you can use any name.

Once the account is created for the user, make sure that the account has no valid password set. On Linux systems, new user accounts are locked by default, unless an initial password was explicitly set. If you are using an account where a password had been set, use the “passwd –l” command to lock the account.

You must also create the directory under this new account’s home directory to hold the public key. For this exercise, the directory will be /home/nessus/.ssh. An example for Linux systems is provided below:

# passwd –l nessus

# cd /home/nessus

# mkdir .ssh


For Solaris 10 systems, Sun has enhanced the “passwd(1)” command to distinguish between locked and non-login accounts. This is to ensure that a user account that has been locked may not be used to execute commands (e.g., cron jobs). Non-login accounts are used only to execute commands and do not support an interactive login session. These accounts have the “NP” token in the password field of /etc/shadow. To set a non-login account and create the SSH public key directory in Solaris 10, run the following commands:

# passwd –N nessus

# grep nessus /etc/shadow


# cd /export/home/nessus

# mkdir .ssh


Now that the user account is created, you must transfer the key to the system, place it in the appropriate directory and set the correct permissions.


From the system containing the keys, secure copy the public key to system that will be scanned for host checks as shown below. is an example remote system that will be tested with the host-based checks.

# scp root@


You can also copy the file from the system on which Nessus is installed using the secure ftp command, “sftp”. Note that the file on the target system must be named “authorized_keys”.

Return to the System Housing the Public Key

Set the permissions on both the /home/nessus/.ssh directory, as well as the authorized_keys file.

# chown -R nessus:nessus ~nessus/.ssh/

# chmod 0600 ~nessus/.ssh/authorized_keys

# chmod 0700 ~nessus/.ssh/


Repeat this process on all systems that will be tested for SSH checks (starting at “Creating a User Account and Setting up the SSH Key” above).

Test to make sure that the accounts and networks are configured correctly. Using the simple Unix command “id”, from the Nessus scanner, run the following command:

# ssh -i /home/test/nessus/ssh_key nessus@ id

uid=252(nessus) gid=250(tns) groups=250(tns)


If it successfully returns information about the Nessus user, the key exchange was successful.

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc.  Tenable,, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc.  All other products or services are trademarks of their respective owners.