TOC & Recently Viewed

Recently Viewed Topics

SSH Credentials

SSH credentials are used to obtain local information from remote Linux, Unix, and Cisco IOS systems for patch auditing or compliance checks. SecurityCenter encrypts stored credentials using the AES-256-CBC algorithm.

Configure the following options for SSH credentials, including options specific for your authentication method: Certificate Options, CyberArk Vault Options, Kerberos Options, Password Options, Public Key Options, Thycotic Secret Server Options, BeyondTrust Options, and Lieberman Options.

General Options Description

Name

(Required) A name for the credential.
Description A description for the credential.

Tag

A tag for the credential.

Certificate Options

The following table describes the additional options to configure when using Certificate as the authentication method for SSH credentials.

Option Description
Username (Required) The username for a user on the host system.
User Certificate (Required) The RSA or DSA OpenSSH certificate file for the user.
Private Key (Required) The RSA or DSA OpenSSH private key file for the user.
Passphrase The passphrase for the private key, if required.
Privilege Escalation

The privilege escalation method you want to use to increase users' privileges after initial authentication. Your Privilege Escalation selection determines the specific options you must configure. For more information, see Privilege Escalation.

CyberArk Vault Options

The following table describes the additional options to configure when using CyberArk Vault as the authentication method for SSH credentials.

Note: You must meet the version requirements specified in Tenable Integrated Product Compatibility.

Option Description

Username

(Required) The username for the target system.

CyberArk elevate privileges with

The privilege escalation method you want to use to increase users' privileges after initial authentication. Your CyberArk elevate privileges with selection determines the specific options you must configure. For more information, see Privilege Escalation.

Central Credential Provider URL Host

(Required) The CyberArk Central Credential Provider IP/DNS address.

Central Credential Provider URL Port

(Required) The port the CyberArk Central Credential Provider is listening on.

CyberArk Address The domain for the CyberArk account. You must configure SSL through IIS in CyberArk Central Credential Provider before configuring this option.

Vault Username

The username for the vault, if the CyberArk Central Credential Provider is configured for basic authentication.

Vault Password

The password for the vault, if the CyberArk Central Credential Provider is configured for basic authentication.

Safe

The safe on the CyberArk Central Credential Provider server that contains the credentials you want to retrieve.

CyberArk Client Certificate The file that contains the PEM certificate used to communicate with the CyberArk host.
CyberArk Client Certificate Private Key The file that contains the PEM private key for the client certificate.
CyberArk Client Certificate Private Key Passphrase The passphrase for the private key, if required.

AppID

(Required) The AppID with CyberArk Central Credential Provider permissions to retrieve the target password.

Folder

The folder on the CyberArk Central Credential Provider server that contains the credentials you want to retrieve.

PolicyID

The PolicyID assigned to the credentials you want to retrieve.

Vault Use SSL

When enabled, SecurityCenter uses SSL through IIS for secure communications. You must configure SSL through IIS in CyberArk Central Credential Provider before enabling this option.

Vault Verify SSL

When enabled, SecurityCenter validates the SSL certificate. You must configure SSL through IIS in CyberArk Central Credential Provider before enabling this option.

For more information about using self-signed certificates, see Upload a Custom CA Certificate.

CyberArk Account Details Name

The unique name of the credential you want to retrieve from CyberArk.

CyberArk AIM Service URL

The URL for the CyberArk AIM web service. By default, SecurityCenter uses /AIMWebservice/v1.1/AIM.asmx.

Kerberos Options

The following table describes the additional options to configure when using Kerberos as the authentication method for SSH credentials.

Option Description
Username (Required) The username for a user on the target system.
Password (Required) The password associated with the username you provided.
KDC Host (Required) The host supplying the session tickets.
KDC Port (Required) The port you want to use for the KDC connection. By default, SecurityCenter uses port 88.
KDC Transport

(Required) The method you want to use to connect to the KDC server.

Note: If you select UDP, you may need to edit the KDC Port. The KDC UDP protocol uses either port 88 or port 750.

Realm (Required) The authentication domain, typically the domain name of the target (e.g., example.com).
Privilege Escalation

The privilege escalation method you want to use to increase users' privileges after initial authentication. Your Privilege Escalation selection determines the specific options you must configure. For more information, see Privilege Escalation.

Password Options

The most effective credentialed scans are those with root privileges (enable privileges, for Cisco IOS). Since many sites do not permit a remote login as root for security reasons, a Nessus user account can invoke a variety of privilege escalation options including: su, sudo, su+sudo, DirectAuthorize (dzdo), PowerBroker (pbrun), k5login, and Cisco Enable.

The following table describes the additional options to configure when using Password as the authentication method for SSH credentials.

Option Description
Username (Required) The username for a user on the target system.
Password (Required) The password associated with the username you provided.
Privilege Escalation

The privilege escalation method you want to use to increase users' privileges after initial authentication. Your Privilege Escalation selection determines the specific options you must configure. For more information, see Privilege Escalation.

Public Key Options

The following table describes the additional options to configure when using Public Key as the authentication method for SSH credentials.

Option Description
Username (Required) The username for a user on the host system.
Private Key (Required) The RSA or DSA OpenSSH key file for the user.
Passphrase The passphrase for the private key, if required.
Privilege Escalation

The privilege escalation method you want to use to increase users' privileges after initial authentication. Your Privilege Escalation selection determines the specific options you must configure. For more information, see Privilege Escalation.

Thycotic Secret Server Options

The following table describes the additional options to configure when using Thycotic Secret Server as the authentication method for SSH credentials.

Option Description

Username

(Required) The username for a user on the target system.
Domain The domain of the username, if set on the Thycotic server.
Thycotic Secret Name (Required) The Secret Name value on the Thycotic server.
Thycotic Secret Server URL

(Required) The value you want SecurityCenter to use when setting the transfer method, target, and target directory for the scanner. Find the value on the Thycotic server, in Admin > Configuration > Application Settings > Secret Server URL.

For example, if you type https://pw.mydomain.com/SecretServer, SecurityCenter determines it is an SSL connection, that pw.mydomain.com is the target address, and that /SecretServer is the root directory.

Thycotic Login Name (Required) The username for a user on the Thycotic server.
Thycotic Password (Required) The password associated with the Thycotic Login Name you provided.
Thycotic Organization (Optional) In cloud instances of Thycotic, the value that identifies the organization you want SecurityCenter to target.
Thycotic Domain (Optional) The domain, if set for the Thycotic server.
Verify SSL Certificate

If enabled, SecurityCenter verifies the SSL Certificate on the Thycotic server.

For more information about using self-signed certificates, see the Nessus custom_CA.inc documentation.

Use Private Key If enabled, SecurityCenter uses key-based authentication for SSH connections instead of password authentication.

BeyondTrust Options

The following table describes the additional options to configure when using BeyondTrust as the authentication method for SSH credentials.

Note: You must meet the version requirements specified in Tenable Integrated Product Compatibility.

Option Description
Username The username to log in to the hosts you want to scan.
BeyondTrust host The BeyondTrust IP address or DNS address.
BeyondTrust port The port BeyondTrust is listening on.
BeyondTrust API key The API key provided by BeyondTrust.
Checkout duration

The length of time, in minutes, that you want to keep credentials checked out in BeyondTrust. Configure the Checkout duration to exceed the typical duration of your SecurityCenter scans. If a password from a previous scan is still checked out when a new scan begins, the new scan fails.

Tip: Configure the password change interval in BeyondTrust so that password changes do not disrupt your SecurityCenter scans. If BeyondTrust changes a password during a scan, the scan fails.

Use SSL If enabled, SecurityCenter uses SSL through IIS for secure communications. You must configure SSL through IIS in BeyondTrust before enabling this option.
Verify SSL Certificate If enabled, SecurityCenter validates the SSL certificate. You must configure SSL through IIS in BeyondTrust before enabling this option.
Use Private Key If enabled, SecurityCenter uses key-based authentication for SSH connections instead of password authentication.
Use Privilege Escalations

If enabled, SecurityCenter uses BeyondTrust for privilege escalation.

Lieberman Options

The following table describes the additional options to configure when using Lieberman as the authentication method for SSH credentials.

Note: You must meet the version requirements specified in Tenable Integrated Product Compatibility.

Option Description
Username The username for a user on the database.
Lieberman Host The Lieberman IP address or DNS address.
Lieberman Port The port Lieberman is listening on.
Lieberman User

The username for the Lieberman explicit user you want SecurityCenter to use for authentication to the Lieberman Rapid Enterprise Defense (RED) API.

Lieberman Password

The password for the Lieberman explicit user.

Use SSL

When enabled, SecurityCenter uses SSL through IIS for secure communications. You must configure SSL through IIS in Lieberman before enabling this option.

Verify SSL Certificate

When enabled, SecurityCenter validates the SSL certificate. You must configure SSL through IIS in Lieberman before enabling this option.

For more information about using self-signed certificates, see Upload a Custom CA Certificate.

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.