SSH Credentials
Use SSH credentials for host-based checks on Unix systems and supported network devices. Tenable Security Center uses these credentials to obtain local information from remote Unix systems for patch auditing or compliance checks. Tenable Security Center uses Secure Shell (SSH) protocol version 2 based programs (e.g., OpenSSH, Solaris SSH, etc.) for host-based checks.
Tenable Security Center encrypts the data
Note: Non-privileged users with local access on Linux systems can determine basic security issues, such as patch levels or entries in the /etc/passwd file. For more comprehensive information, such as system configuration data or file permissions across the entire system, an account with root privileges is required.
Note: You can add up to 1000 SSH credentials in a single scan. For best performance, Tenable recommends adding no more than 10 SSH credentials per scan.
Configure the following options for SSH credentials, including options specific for your authentication method:
General Option | Description |
---|---|
Name |
(Required) A name for the credential. |
Description | A description for the credential. |
Tag |
A tag for the credential. For more information, see Tags. |
The following table describes the additional options to configure when using Arcon as the authentication method for SSH credentials.
Option | Description |
---|---|
Arcon Host |
(Required) The Arcon IP address or DNS address. Note: If your Arcon installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path. |
Arcon Port | (Required) The port on which Arcon listens. By default, Tenable Security Center uses port 444. |
API User | (Required) The API user provided by Arcon. |
API Key | (Required) The API key provided by Arcon. |
Authentication URL | (Required) The URL Tenable Security Center uses to access Arcon. |
Password Engine URL |
(Required) The URL Tenable Security Center uses to access the passwords in Arcon. |
Username | (Required) The username to log in to the hosts you want to scan. |
Arcon Target Type | (Optional) The name of the target type. Depending on the Arcon PAM version you are using and the system type the SSH credential has been created with, this is set to linux by default. Refer to the Arcon PAM Specifications document (provided by Arcon) for target type/system type mapping for the correct target type value. |
Checkout Duration |
(Required) The length of time, in hours, that you want to keep credentials checked out in Arcon. Configure the Checkout Duration to exceed the typical duration of your Tenable Security Center scans. If a password from a previous scan is still checked out when a new scan begins, the new scan fails. Tip: Configure the password change interval in Arcon so that password changes do not disrupt your Tenable Security Center scans. If Arcon changes a password during a scan, the scan fails. |
Use SSL | When enabled, Tenable Security Center uses SSL through IIS for secure communications. You must configure SSL through IIS in Arcon before enabling this option. |
Verify SSL Certificate | When enabled, Tenable Security Center validates the SSL certificate. You must configure SSL through IIS in Arcon before enabling this option. |
Privilege Escalation | The privilege escalation method you want to use to increase users' privileges after initial authentication. Your Privilege Escalation selection determines the specific options you must configure. For more information, see Privilege Escalation. |
Targets to Prioritize Credentials |
Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list. Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster. |
The following table describes the additional options to configure when using BeyondTrust as the authentication method for SSH credentials.
Option | Description |
---|---|
Username | The username to log in to the hosts you want to scan. |
BeyondTrust Host | The BeyondTrust IP address or DNS address. |
BeyondTrust Port | The port BeyondTrust is listening on. |
BeyondTrust API User | The API user provided by BeyondTrust. |
BeyondTrust API Key | The API key provided by BeyondTrust. |
Checkout Duration |
The length of time, in minutes, that you want to keep credentials checked out in BeyondTrust. Configure the Checkout duration to exceed the typical duration of your Tenable Security Center scans. If a password from a previous scan is still checked out when a new scan begins, the new scan fails. Tip: Configure the password change interval in BeyondTrust so that password changes do not disrupt your Tenable Security Center scans. If BeyondTrust changes a password during a scan, the scan fails. |
Use SSL |
If enabled, Tenable Security Center uses SSL through IIS for secure communications. You must configure SSL through IIS in BeyondTrust before enabling this option. |
Verify SSL Certificate |
If enabled, Tenable Security Center validates the SSL certificate. You must configure SSL through IIS in BeyondTrust before enabling this option. |
Use Private Key | If enabled, Tenable Security Center uses key-based authentication for SSH connections instead of password authentication. |
Use Privilege Escalations |
If enabled, Tenable Security Center uses BeyondTrust for privilege escalation. |
The following table describes the additional options to configure when using Centrify as the authentication method for SSH credentials.
Option | Description |
---|---|
Centrify Host |
(Required) The Centrify IP address or DNS address. Note: If your Centrify installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path. |
Centrify Port | (Required) The port on which Centrify listens. By default, |
API User | (Required) The API user provided by Centrify. |
API Key | (Required) The API key provided by Centrify. |
Tenant | (Required) The Centrify tenant associated with the API. By default, |
Authentication URL | (Required) The URL |
Password Query URL | (Required) The URL |
Password Engine URL |
(Required) The URL |
Username | (Required) The username to log in to the hosts you want to scan. |
Checkout Duration |
(Required) The length of time, in minutes, that you want to keep credentials checked out in Centrify. Configure the Checkout Duration to exceed the typical duration of your Tenable Security Center scans so that password changes do not disrupt your |
Use SSL | When enabled, |
Verify SSL Certificate | When enabled, |
The following table describes the additional options to configure when using Certificate as the authentication method for SSH credentials.
Option | Description |
---|---|
Username | (Required) The username for a user on the host system. |
User Certificate |
(Required) The RSA or DSA OpenSSH certificate file for the user. |
Private Key |
(Required) The RSA or DSA OpenSSH private key file for the user. |
Passphrase | The passphrase for the private key, if required. |
Privilege Escalation |
The privilege escalation method you want to use to increase users' privileges after initial authentication. Your Privilege Escalation selection determines the specific options you must configure. For more information, see Privilege Escalation. |
The following table describes the additional options to configure when using CyberArk Vault as the authentication method for SSH credentials.
Option | Description | Required |
---|---|---|
CyberArk Elevate Privileges With |
The privilege escalation method you want to use to increase users' privileges after initial authentication. Your CyberArk Elevate Privileges With selection determines the specific options you must configure. For more information, see Privilege Escalation. |
no |
CyberArk Host |
The IP address or FQDN name for the CyberArk AIM Web Service. |
yes |
Port |
The port on which the CyberArk API communicates. By default, Tenable uses 443. |
yes |
AppID |
The Application ID associated with the CyberArk API connection. |
yes |
Client Certificate | The file that contains the PEM certificate used to communicate with the CyberArk host. |
no |
Client Certificate Private Key | The file that contains the PEM private key for the client certificate. |
yes, if private key is applied |
Client Certificate Private Key Passphrase | The passphrase for the private key, if required. |
yes, if private key is applied |
Kerberos Target Authentication |
If enabled, Kerberos authentication is used to log in to the specified Linux or Unix target. |
no |
Key Distribution Center (KDC) |
(Required if Kerberos Target Authentication is enabled) This host supplies the session tickets for the user. |
yes |
KDC Port |
|
|
KDC Transport |
|
|
Realm |
(Required if Kerberos Target Authentication is enabled) The Realm is the authentication domain, usually noted as the domain name of the target (for example, example.com). By default, Tenable Security Center uses 443. |
yes |
Get credential by |
The method with which your CyberArk API credentials are retrieved. Can be Address, Identifier, Parameters, or Username. Note: For more information about the Parameters option, refer to the Parameters Options table. Note: The frequency of queries for Username is one query per target. The frequency of queries for Identifier is one query per chunk. This feature requires all targets have the same identifier. Note: The Username option also adds the Address parameter of the API query and assigns the target IP of the resolved host to the Address parameter. This may lead to failure to fetch credentials if the CyberArk Account Details Address field contains a value other than the target IP address. |
yes |
Username |
(If Get credential by is set to Username) The username of the CyberArk user to request a password from. |
no |
Safe |
The CyberArk safe the credential should be retrieved from. |
no |
Address | The option should only be used if the Address value is unique to a single CyberArk account credential. | no |
Account Name | (If Get credential by is Identifier) The unique account name or identifier assigned to the CyberArk API credential. | no |
Use SSL |
If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if CyberArk is configured to support SSL through IIS. |
no |
Verify SSL Certificate |
If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is configured to support SSL through IIS and you want to validate the certificate. |
no |
Targets to Prioritize Credentials |
Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list. Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster. |
no |
The following table describes the additional options to configure when using CyberArk Vault (Legacy) as the authentication method for SSH credentials.
Option | Description |
---|---|
Username |
(Required) The username for the target system. |
CyberArk elevate privileges with |
The privilege escalation method you want to use to increase users' privileges after initial authentication. Your CyberArk elevate privileges with selection determines the specific options you must configure. For more information, see Privilege Escalation. |
Central Credential Provider URL Host |
(Required) The CyberArk Central Credential Provider IP/DNS address. |
Central Credential Provider URL Port |
(Required) The port the CyberArk Central Credential Provider is listening on. |
CyberArk Address | The domain for the CyberArk account. You must configure SSL through IIS in CyberArk Central Credential Provider before configuring this option. |
Vault Username |
The username for the vault, if the CyberArk Central Credential Provider is configured for basic authentication. |
Vault Password |
The password for the vault, if the CyberArk Central Credential Provider is configured for basic authentication. |
Safe |
(Required) The safe on the CyberArk Central Credential Provider server that contains the credentials you want to retrieve. |
CyberArk Client Certificate | The file that contains the PEM certificate used to communicate with the CyberArk host. |
CyberArk Client Certificate Private Key | The file that contains the PEM private key for the client certificate. |
CyberArk Client Certificate Private Key Passphrase | The passphrase for the private key, if required. |
AppID |
(Required) The AppID with CyberArk Central Credential Provider permissions to retrieve the target password. |
Folder |
(Required) The folder on the CyberArk Central Credential Provider server that contains the credentials you want to retrieve. |
PolicyID |
The PolicyID assigned to the credentials you want to retrieve. |
Vault Use SSL |
When enabled, Tenable Security Center uses SSL through IIS for secure communications. You must configure SSL through IIS in CyberArk Central Credential Provider before enabling this option. |
Vault Verify SSL |
When enabled, Tenable Security Center validates the SSL certificate. You must configure SSL through IIS in CyberArk Central Credential Provider before enabling this option. |
CyberArk Escalation Account Details Name |
The unique name of the credential you want to retrieve from CyberArk. |
CyberArk AIM Service URL |
The URL for the CyberArk AIM web service. By default, Tenable Security Center uses /AIMWebservice/v1.1/AIM.asmx. |
The following table describes the additional options to configure when using Delinea Secret Server as the authentication method for SSH credentials.
Option | Description | Required |
---|---|---|
Delinea Secret |
The value of the secret on the Delinea server. The secret is labeled Secret Name on the Delinea server. |
yes |
Delinea Host |
The Delinea Secret Server host to pull the secrets from. |
yes |
Delinea Port |
The Delinea Secret Server Port for API requests. By default, Tenable uses 443. |
yes |
Delinea Login Name |
The username to authenticate to the Delinea server. |
yes |
Delinea Password |
The password to authenticate to the Delinea server. This is associated with the Delinea Login Name you provided. |
yes |
Use Private Key |
If enabled, uses key-based authentication for SSH connections instead of password authentication. |
no |
Checkout Duration |
The duration Tenable should check out the password from Delinea. Duration time is in hours and should be longer than the scan time. |
yes |
Use SSL |
Enable if the Delinea Secret Server is configured to support SSL. |
no |
Verify SSL Certificate |
If enabled, verifies the SSL Certificate on the Delinea server. |
no |
Privilege Escalation |
The privilege escalation method you want to use to increase users' privileges after initial authentication. Multiple options for privilege escalation are supported, including su, su+sudo and sudo. Your selection determines the specific options you must configure. |
no |
Custom password prompt | Some devices are configured to prompt for a password with a non-standard string (for example, "secret-passcode"). This setting allows recognition of these prompts. Leave this blank for most standard password prompts. |
no |
The following table describes the additional options to configure when using Hashicorp Vault as the authentication method for SSH credentials.
Option | Default Value | Required |
---|---|---|
Hashicorp Host |
The Hashicorp Vault IP address or DNS address. Note: If your Hashicorp Vault installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path. |
yes |
Hashicorp Port |
The port on which Hashicorp Vault listens. |
yes |
Authentication Type |
Specifies the authentication type for connecting to the instance: App Role or Certificates. If you select Certificates, additional options for Hashicorp Client Certificate (Required) and Hashicorp Client Certificate Private Key (Required) appear. Select the appropriate files for the client certificate and private key. |
yes |
Role ID |
The GUID provided by Hashicorp Vault when you configured your App Role. |
yes |
Role Secret ID |
The GUID generated by Hashicorp Vault when you configured your App Role. |
yes |
Authentication URL |
The path/subdirectory to the authentication endpoint. This is not the full URL. For example: /v1/auth/approle/login |
yes |
Namespace | The name of a specified team in a multi-team environment. | no |
Hashicorp Vault Type |
The type of Hashicorp Vault secrets engine:
|
yes |
KV1 Engine URL KV2 Engine URL AD Engine URL |
The URL Tenable Security Center uses to access the Hashicorp Vault secrets engine. Example: /v1/path_to_secret. No trailing / |
yes |
Username Source |
(Appears when Hashicorp Vault Type is KV1 or KV2) Specifies if the username is input manually or pulled from Hashicorp Vault. |
yes |
Username Key |
(Appears when Hashicorp Vault Type is KV1 or KV2) The name in Hashicorp Vault that usernames are stored under. |
yes |
Password Key | (Appears when Hashicorp Vault Type is KV1 or KV2) The key in Hashicorp Vault that passwords are stored under. | yes |
Secret Name | The key secret you want to retrieve values for. | yes |
Use SSL | When enabled, Tenable Security Center uses SSL for secure communications. You must configure SSL in Hashicorp Vault before enabling this option. | no |
Verify SSL | When enabled, Tenable Security Center validates the SSL certificate. You must configure SSL in Hashicorp Vault before enabling this option. | no |
Targets to Prioritize Credentials |
Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list. Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster. |
no |
The following table describes the additional options to configure when using Kerberos as the authentication method for SSH credentials.
Option | Description |
---|---|
Username | (Required) The username for a user on the target system. |
Password | (Required) The password associated with the username you provided. |
KDC Host | (Required) The host supplying the session tickets. |
KDC Port | (Required) The port you want to use for the KDC connection. By default, Tenable Security Center uses port 88. |
KDC Transport |
(Required) The method you want to use to connect to the KDC server. Note: If you select UDP, you may need to edit the KDC Port. The KDC UDP protocol uses either port 88 or port 750. |
Realm | (Required) The authentication domain, typically the domain name of the target (e.g., example.com). |
Privilege Escalation |
The privilege escalation method you want to use to increase users' privileges after initial authentication. Your Privilege Escalation selection determines the specific options you must configure. For more information, see Privilege Escalation. |
The following table describes the additional options to configure when using Lieberman as the authentication method for SSH credentials.
Option | Description |
---|---|
Username | The username for a user on the database. |
Lieberman Host |
The Lieberman IP address or DNS address. Note: If your Lieberman installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path. |
Lieberman Port | The port Lieberman is listening on. |
Lieberman User |
The username for the Lieberman explicit user you want Tenable Security Center to use for authentication to the Lieberman Rapid Enterprise Defense (RED) API. |
Lieberman Password |
The password for the Lieberman explicit user. |
Use SSL |
When enabled, Tenable Security Centeruses SSL through IIS for secure communications. You must configure SSL through IIS in Lieberman before enabling this option. |
Verify SSL Certificate |
When enabled, Tenable Security Center validates the SSL certificate. You must configure SSL through IIS in Lieberman before enabling this option. |
System Name | The name for the database credentials in Lieberman. |
The most effective credentialed scans are those with root privileges (enable privileges, for Cisco IOS). Since many sites do not permit a remote login as root for security reasons, a Nessus user account can invoke a variety of privilege escalation options including: su, sudo, su+sudo, DirectAuthorize (dzdo), PowerBroker (pbrun), k5login, and Cisco Enable.
The following table describes the additional options to configure when using Password as the authentication method for SSH credentials.
Option | Description |
---|---|
Username | (Required) The username for a user on the target system. |
Password | (Required) The password associated with the username you provided. |
Privilege Escalation |
The privilege escalation method you want to use to increase users' privileges after initial authentication. Your Privilege Escalation selection determines the specific options you must configure. For more information, see Privilege Escalation. |
The following table describes the additional options to configure when using Public Key as the authentication method for SSH credentials.
Option | Description |
---|---|
Username |
(Required) The username for a user on the host system. |
Private Key |
(Required) The RSA or DSA OpenSSH key file for the user. |
Passphrase |
The passphrase for the private key, if required. |
Privilege Escalation |
The privilege escalation method you want to use to increase users' privileges after initial authentication. Your Privilege Escalation selection determines the specific options you must configure. For more information, see Privilege Escalation. |
The following table describes the additional options to configure when using Thycotic Secret Server as the authentication method for SSH credentials.
Option | Description |
---|---|
Username |
(Required) The username for a user on the target system. |
Thycotic elevate privileges with |
The privilege escalation method you want to use to increase users' privileges after initial authentication. Your selection for this setting determines the specific options you must configure. For more information, see Privilege Escalation. |
Thycotic Secret Name | The Secret Name value on the Thycotic server. |
Thycotic Secret Server URL |
(Required) The value you want Tenable Security Center to use when setting the transfer method, target, and target directory for the scanner. Find the value on the Thycotic server, in Admin > Configuration > Application Settings > Secret Server URL. For example, if you type https://pw.mydomain.com/SecretServer, Tenable Security Center determines it is an SSL connection, that pw.mydomain.com is the target address, and that /SecretServer is the root directory. |
Thycotic Login Name | (Required) The username for a user on the Thycotic server. |
Thycotic Password | (Required) The password associated with the Thycotic Login Name you provided. |
Thycotic Organization | In cloud instances of Thycotic, the value that identifies the organization you want Tenable Security Center to target. |
Thycotic Domain | The domain, if set for the Thycotic server. |
Verify SSL Certificate |
If enabled, Tenable Security Center verifies the SSL Certificate on the Thycotic server. For more information about using self-signed certificates, see the Nessus custom_CA.inc documentation. |
Use Private Key | If enabled, Tenable Security Center uses key-based authentication for SSH connections instead of password authentication. |
The following table describes the additional options to configure when using WALLIX Bastion as the authentication method for SSH credentials.
Option | Description | Required |
---|---|---|
WALLIX Host |
The IP address for the WALLIX Bastion host. |
yes |
WALLIX Port |
The port on which the WALLIX Bastion API communicates. By default, Tenable uses 443. |
yes |
Authentication Type |
Basic authentication (with WALLIX Bastion user interface username and Password requirements) or API Key authentication (with username and WALLIX Bastion-generated API key requirements). |
no |
WALLIX User |
Your WALLIX Bastion user interface login username. |
yes |
WALLIX Password | Your WALLIX Bastion user interface login password. Used for Basic authentication to the API. | yes |
WALLIX API Key | The API key generated in the WALLIX Bastion user interface. Used for API Key authentication to the API. | yes |
Get Credential by Device Account Name |
The account name associated with a Device you want to log in to the target systems with. Note: If your device has more than one account you must enter the specific device name for the account you want to retrieve credentials for. Failure to do this may result in credentials for the wrong account returned by the system. |
Required only if you have a target and/or device with multiple accounts. |
HTTPS |
This is enabled by default. Caution: The integration fails if you disable HTTPS. |
yes |
Verify SSL Certificate |
This is disabled by default and is not supported in WALLIX Bastion PAM integrations. |
no |
Privilege Escalation |
This enables WALLIX Bastion Privileged Access Management (PAM). Use the drop-down menu to select the privilege elevation method. To bypass this function, leave this field set to Nothing. Caution: In your WALLIX Bastion account, the WALLIX Bastion super admin must have enabled "credential recovery" on your account for PAM to be enabled. Otherwise, your scan may not return any results. For more information, see your WALLIX Bastion documentation. Note: Multiple options for privilege escalation are supported, including su, su+sudo and sudo. For example, if you select sudo, more fields for sudo user, Escalation Account Name, and Location of su and sudo (directory) are provided and can be completed to support authentication and privilege escalation through WALLIX Bastion PAM. The Escalation Account Name field is then required to complete your privilege escalation. Note: For more information about supported privilege escalation types and their accompanying fields, see Privilege Escalation. |
Required if you wish to escalate privileges. |
Targets to Prioritize Credentials |
Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list. Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster. |
no |