You are here: Additional Resources > Manual LCE Key Exchange

Manual LCE Key Exchange

A manual key exchange between SecurityCenter and the LCE is normally not required; however, in some cases where remote root login is prohibited or key exchange debugging is required, you will need to manually exchange the keys.

For the remote LCE to recognize SecurityCenter, you need to copy the SSH public key of SecurityCenter and append it to the “/opt/lce/.ssh/authorized_keys” file. The “/opt/lce/daemons/” script performs this function. The following steps describe how to complete this process:

Note: The LCE server must have a valid license key installed and the LCE daemon must be running before performing the steps below.

  1. Download the SSH public key for SecurityCenter by logging in as the SecurityCenter administrator user and navigating to the “Keys” section (“System” -> “Keys”).
  2. Click “Download Key”, choose the desired key format (both DSA or RSA work for this process) and then click “Submit”.
  3. Save the key file ( to your local workstation. Do not edit the file or save it to any specific file type.
  4. From the workstation where you downloaded the key file, use a secure copy program, such as “scp” or “WinSCP” to copy the file to the LCE system. You will need to have the credentials of an authorized user on the LCE server to perform this step. For example, if you have a user “bob” configured on the LCE server (hostname “lceserver”) whose home directory is /home/bob, the command on a Unix system would be as follows:

    # scp bob@lceserver:/home/bob

  5. On the LCE server, as the root user, change the ownership of the ssh key file to lce as follows:

    # chown lce /home/bob/

    Then append the SSH public key to the “/opt/lce/.ssh/authorized_keys” file with the following steps:

    # su lce
    # /opt/lce/daemons/ /home/bob/

  1. To test the communication, as the user “tns” on the SecurityCenter system, attempt to run the id command:

    # su tns
    # ssh -C -o PreferredAuthentications=publickey lce@<LCE-IP> id

    If a connection has not been previously established, you will see a warning similar to the following:

    The authenticity of host ' (' can't be established.
    RSA key fingerprint is 86:63:b6:c3:b4:3b:ba:96:5c:b6:d4:42:b5:45:37:7f.
    Are you sure you want to continue connecting (yes/no)?

    Answer “yes” to this prompt.

    If the key exchange worked correctly, a message similar to the following will be displayed:

    # uid=251(lce) gid=251(lce) groups=251(lce)

  1. The IP address of SecurityCenter can be added to the LCE system’s /etc/hosts file. This prevents the SSH daemon from performing a DNS lookup that can add seconds to your query times.
  2. The LCE can now be added to SecurityCenter via the normal administrator "LCE add" process.

Copyright © 2016. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc. SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.