SSH Credentials

Use SSH credentials for host-based checks on Unix systems and supported network devices. Tenable Security Center uses these credentials to obtain local information from remote Unix systems for patch auditing or compliance checks. Tenable Security Center uses Secure Shell (SSH) protocol version 2 based programs (e.g., OpenSSH, Solaris SSH, etc.) for host-based checks.

Tenable Security Center encrypts the data using the AES-256-CBC algorithm to protect it from being viewed by sniffer programs.

Note: Non-privileged users with local access on Linux systems can determine basic security issues, such as patch levels or entries in the /etc/passwd file. For more comprehensive information, such as system configuration data or file permissions across the entire system, an account with root privileges is required.

Note: You can add up to 1000 SSH credentials in a single scan. For best performance, Tenable recommends adding no more than 10 SSH credentials per scan.

Configure the following options for SSH credentials, including options specific for your authentication method: Arcon Options,BeyondTrust Options, Centrify Options, Certificate Options, CyberArk Vault (Legacy) Options, CyberArk Vault Options, Delinea Secret Server Options,, Hashicorp Vault Options, Kerberos Options, Lieberman Options, Password Options, Public Key Options, Thycotic Secret Server Options, , and WALLIX Bastion Options.

General Option Description

Name

(Required) A name for the credential.
Description A description for the credential.

Tag

A tag for the credential. For more information, see Tags.

Arcon Options

The following table describes the additional options to configure when using Arcon as the authentication method for SSH credentials.

Option Description
Arcon Host

(Required) The Arcon IP address or DNS address.

Note: If your Arcon installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path.

Arcon Port (Required) The port on which Arcon listens. By default, Tenable Security Center uses port 444.
API User (Required) The API user provided by Arcon.
API Key (Required) The API key provided by Arcon.
Authentication URL (Required) The URL Tenable Security Center uses to access Arcon.
Password Engine URL

(Required) The URL Tenable Security Center uses to access the passwords in Arcon.

Username (Required) The username to log in to the hosts you want to scan.
Checkout Duration

(Required) The length of time, in minutes, that you want to keep credentials checked out in Arcon. Configure the Checkout Duration to exceed the typical duration of your Tenable Security Center scans. If a password from a previous scan is still checked out when a new scan begins, the new scan fails.

Tip: Configure the password change interval in Arcon so that password changes do not disrupt your Tenable Security Center scans. If Arcon changes a password during a scan, the scan fails.

Use SSL When enabled, Tenable Security Center uses SSL through IIS for secure communications. You must configure SSL through IIS in Arcon before enabling this option.
Verify SSL Certificate When enabled, Tenable Security Center validates the SSL certificate. You must configure SSL through IIS in Arcon before enabling this option.
Privilege Escalation The privilege escalation method you want to use to increase users' privileges after initial authentication. Your Privilege Escalation selection determines the specific options you must configure. For more information, see Privilege Escalation.

BeyondTrust Options

The following table describes the additional options to configure when using BeyondTrust as the authentication method for SSH credentials.

Option Description
Username The username to log in to the hosts you want to scan.
BeyondTrust Host The BeyondTrust IP address or DNS address.
BeyondTrust Port The port BeyondTrust is listening on.
BeyondTrust API User The API user provided by BeyondTrust.
BeyondTrust API Key The API key provided by BeyondTrust.
Checkout Duration

The length of time, in minutes, that you want to keep credentials checked out in BeyondTrust. Configure the Checkout duration to exceed the typical duration of your Tenable Security Center scans. If a password from a previous scan is still checked out when a new scan begins, the new scan fails.

Tip: Configure the password change interval in BeyondTrust so that password changes do not disrupt your Tenable Security Center scans. If BeyondTrust changes a password during a scan, the scan fails.

Use SSL

If enabled, Tenable Security Center uses SSL through IIS for secure communications. You must configure SSL through IIS in BeyondTrust before enabling this option.

Verify SSL Certificate

If enabled, Tenable Security Center validates the SSL certificate. You must configure SSL through IIS in BeyondTrust before enabling this option.

Use Private Key If enabled, Tenable Security Center uses key-based authentication for SSH connections instead of password authentication.
Use Privilege Escalations

If enabled, Tenable Security Center uses BeyondTrust for privilege escalation.

Centrify Options

The following table describes the additional options to configure when using Centrify as the authentication method for SSH credentials.

Option Description
Centrify Host

(Required) The Centrify IP address or DNS address.

Note: If your Centrify installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path.

Centrify Port (Required) The port on which Centrify listens. By default, Tenable Security Center uses port 443.
API User (Required) The API user provided by Centrify.
API Key (Required) The API key provided by Centrify.
Tenant (Required) The Centrify tenant associated with the API. By default, Tenable Security Center uses centrify.
Authentication URL (Required) The URL Tenable Security Center uses to access Centrify. By default, Tenable Security Center uses /Security.
Password Query URL (Required) The URL Tenable Security Center uses to query the passwords in Centrify. By default, Tenable Security Center uses /RedRock.
Password Engine URL

(Required) The URL Tenable Security Center uses to access the passwords in Centrify. By default, Tenable Security Center uses /ServerManage.

Username (Required) The username to log in to the hosts you want to scan.
Checkout Duration

(Required) The length of time, in minutes, that you want to keep credentials checked out in Centrify.

Configure the Checkout Duration to exceed the typical duration of your Tenable Security Center scans so that password changes do not disrupt your Tenable Security Center scans. If Centrify changes a password during a scan, the scan fails. If a password from a previous scan is still checked out when a new scan begins, the new scan fails.

Use SSL When enabled, Tenable Security Center uses SSL through IIS for secure communications. You must configure SSL through IIS in Centrify before enabling this option.
Verify SSL Certificate When enabled, Tenable Security Center validates the SSL certificate. You must configure SSL through IIS in Centrify before enabling this option.

Certificate Options

The following table describes the additional options to configure when using Certificate as the authentication method for SSH credentials.

Option Description
Username (Required) The username for a user on the host system.
User Certificate (Required) The RSA or DSA OpenSSH certificate file for the user.
Private Key (Required) The RSA or DSA OpenSSH private key file for the user.
Passphrase The passphrase for the private key, if required.
Privilege Escalation

The privilege escalation method you want to use to increase users' privileges after initial authentication. Your Privilege Escalation selection determines the specific options you must configure. For more information, see Privilege Escalation.

CyberArk Vault (Legacy) Options

The following table describes the additional options to configure when using CyberArk Vault (Legacy) as the authentication method for SSH credentials.

Option Description

Username

(Required) The username for the target system.

CyberArk elevate privileges with

The privilege escalation method you want to use to increase users' privileges after initial authentication. Your CyberArk elevate privileges with selection determines the specific options you must configure. For more information, see Privilege Escalation.

Central Credential Provider URL Host

(Required) The CyberArk Central Credential Provider IP/DNS address.

Central Credential Provider URL Port

(Required) The port the CyberArk Central Credential Provider is listening on.

CyberArk Address The domain for the CyberArk account. You must configure SSL through IIS in CyberArk Central Credential Provider before configuring this option.

Vault Username

The username for the vault, if the CyberArk Central Credential Provider is configured for basic authentication.

Vault Password

The password for the vault, if the CyberArk Central Credential Provider is configured for basic authentication.

Safe

(Required) The safe on the CyberArk Central Credential Provider server that contains the credentials you want to retrieve.

CyberArk Client Certificate The file that contains the PEM certificate used to communicate with the CyberArk host.
CyberArk Client Certificate Private Key The file that contains the PEM private key for the client certificate.
CyberArk Client Certificate Private Key Passphrase The passphrase for the private key, if required.

AppID

(Required) The AppID with CyberArk Central Credential Provider permissions to retrieve the target password.

Folder

(Required) The folder on the CyberArk Central Credential Provider server that contains the credentials you want to retrieve.

PolicyID

The PolicyID assigned to the credentials you want to retrieve.

Vault Use SSL

When enabled, Tenable Security Center uses SSL through IIS for secure communications. You must configure SSL through IIS in CyberArk Central Credential Provider before enabling this option.

Vault Verify SSL

When enabled, Tenable Security Center validates the SSL certificate. You must configure SSL through IIS in CyberArk Central Credential Provider before enabling this option.

CyberArk Escalation Account Details Name

The unique name of the credential you want to retrieve from CyberArk.

CyberArk AIM Service URL

The URL for the CyberArk AIM web service. By default, Tenable Security Center uses /AIMWebservice/v1.1/AIM.asmx.

CyberArk Vault Options

The following table describes the additional options to configure when using CyberArk Vault as the authentication method for SSH credentials.

Option Description Required
CyberArk Elevate Privileges With

The privilege escalation method you want to use to increase users' privileges after initial authentication. Your CyberArk Elevate Privileges With selection determines the specific options you must configure. For more information, see Privilege Escalation.

no

CyberArk Host

The IP address or FQDN name for the CyberArk AIM Web Service.

yes

Port

The port on which the CyberArk API communicates. By default, Tenable uses 443.

yes

AppID

The Application ID associated with the CyberArk API connection.

yes

Client Certificate The file that contains the PEM certificate used to communicate with the CyberArk host.

no

Client Certificate Private Key The file that contains the PEM private key for the client certificate.

yes, if private key is applied

Client Certificate Private Key Passphrase The passphrase for the private key, if required.

yes, if private key is applied

Get credential by

The method with which your CyberArk API credentials are retrieved. Can be Username, Identifier, or Address.

Note: The frequency of queries for Username is one query per target. The frequency of queries for Identifier is one query per chunk. This feature requires all targets have the same identifier.

Note: The Username option also adds the Address parameter of the API query and assigns the target IP of the resolved host to the Address parameter. This may lead to failure to fetch credentials if the CyberArk Account Details Address field contains a value other than the target IP address.

yes
Username

(If Get credential by is Username) The username of the CyberArk user to request a password from.

no
Safe

The CyberArk safe the credential should be retrieved from.

no
Address The option should only be used if the Address value is unique to a single CyberArk account credential. no
Account Name (If Get credential by is Identifier) The unique account name or identifier assigned to the CyberArk API credential. no

Use SSL

If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if CyberArk is configured to support SSL through IIS.

no

Verify SSL Certificate

If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is configured to support SSL through IIS and you want to validate the certificate.

no

Delinea Secret Server Options

The following table describes the additional options to configure when using Delinea Secret Server as the authentication method for SSH credentials.

Option Description Required

Delinea Secret Server

The value of the secret on the Delinea server. The secret is labeled Secret Name on the Delinea server.

yes

Delinea Host

The Delinea Secret Server host to pull the secrets from.

yes

Delinea Port

The Delinea Secret Server Port for API requests. By default, Tenable uses 443.

yes

Delinea Login Name

The username to authenticate to the Delinea server.

yes

Delinea Password

The password to authenticate to the Delinea server. This is associated with the Delinea Login Name you provided.

yes

Use Private Key

If enabled, uses key-based authentication for SSH connections instead of password authentication.

no

Checkout Duration

The duration Tenable should check out the password from Delinea. Duration time is in hours and should be longer than the scan time.

yes

Use SSL

Enable if the Delinea Secret Server is configured to support SSL.

no

Verify SSL Certificate

If enabled, verifies the SSL Certificate on the Delinea server.

no

Privilege Escalation

The privilege escalation method you want to use to increase users' privileges after initial authentication. Multiple options for privilege escalation are supported, including su, su+sudo and sudo. Your selection determines the specific options you must configure. For more information, see Privilege Escalation.

no

Custom password prompt Some devices are configured to prompt for a password with a non-standard string (for example, "secret-passcode"). This setting allows recognition of these prompts. Leave this blank for most standard password prompts.

no

Hashicorp Vault Options

The following table describes the additional options to configure when using Hashicorp Vault as the authentication method for SSH credentials.

Option Default Value Required

Hashicorp Host

The Hashicorp Vault IP address or DNS address.

Note: If your Hashicorp Vault installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path.

yes

Hashicorp Port

The port on which Hashicorp Vault listens.

yes

Authentication Type

Specifies the authentication type for connecting to the instance: App Role or Certificates.

If you select Certificates, additional options for Hashicorp Client Certificate (Required) and Hashicorp Client Certificate Private Key (Required) appear. Select the appropriate files for the client certificate and private key.

yes

Role ID

The GUID provided by Hashicorp Vault when you configured your App Role.

yes
Role Secret ID

The GUID generated by Hashicorp Vault when you configured your App Role.

yes
Authentication URL

The path/subdirectory to the authentication endpoint. This is not the full URL. For example:

/v1/auth/approle/login

yes
Namespace The name of a specified team in a multi-team environment. no
Hashicorp Vault Type

The type of Hashicorp Vault secrets engine: 

  • KV1 — Key/Value Secrets Engine Version 1
  • KV2 — Key/Value Secrets Engine Version 2
  • AD — Active Directory
yes
KV Engine URL

The URL Tenable Security Center uses to access the Hashicorp Vault secrets engine.

Example: /v1/path_to_secret. No trailing /

yes

Username Source

(Only displays if Hashicorp Vault Type is KV1 or KV2) Specifies if the username is input manually or pulled from Hashicorp Vault.

yes

Username key

(Only displays if Hashicorp Vault Type is KV1 or KV2) The name in Hashicorp Vault that usernames are stored under.

yes
Password key (Only displays if Hashicorp Vault Type is KV1 or KV2) The key in Hashicorp Vault that passwords are stored under. yes
Secret Name The key secret you want to retrieve values for. yes
Use SSL When enabled, Tenable Security Center uses SSL for secure communications. You must configure SSL in Hashicorp Vault before enabling this option. no
Verify SSL When enabled, Tenable Security Center validates the SSL certificate. You must configure SSL in Hashicorp Vault before enabling this option. no

Kerberos Options

The following table describes the additional options to configure when using Kerberos as the authentication method for SSH credentials.

Option Description
Username (Required) The username for a user on the target system.
Password (Required) The password associated with the username you provided.
KDC Host (Required) The host supplying the session tickets.
KDC Port (Required) The port you want to use for the KDC connection. By default, Tenable Security Center uses port 88.
KDC Transport

(Required) The method you want to use to connect to the KDC server.

Note: If you select UDP, you may need to edit the KDC Port. The KDC UDP protocol uses either port 88 or port 750.

Realm (Required) The authentication domain, typically the domain name of the target (e.g., example.com).
Privilege Escalation

The privilege escalation method you want to use to increase users' privileges after initial authentication. Your Privilege Escalation selection determines the specific options you must configure. For more information, see Privilege Escalation.

Lieberman Options

The following table describes the additional options to configure when using Lieberman as the authentication method for SSH credentials.

Option Description
Username The username for a user on the database.
Lieberman Host

The Lieberman IP address or DNS address.

Note: If your Lieberman installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path.

Lieberman Port The port Lieberman is listening on.
Lieberman User

The username for the Lieberman explicit user you want Tenable Security Center to use for authentication to the Lieberman Rapid Enterprise Defense (RED) API.

Lieberman Password

The password for the Lieberman explicit user.

Use SSL

When enabled, Tenable Security Center uses SSL through IIS for secure communications. You must configure SSL through IIS in Lieberman before enabling this option.

Verify SSL Certificate

When enabled, Tenable Security Center validates the SSL certificate. You must configure SSL through IIS in Lieberman before enabling this option.

System Name The name for the database credentials in Lieberman.

Password Options

The most effective credentialed scans are those with root privileges (enable privileges, for Cisco IOS). Since many sites do not permit a remote login as root for security reasons, a Nessus user account can invoke a variety of privilege escalation options including: su, sudo, su+sudo, DirectAuthorize (dzdo), PowerBroker (pbrun), k5login, and Cisco Enable.

The following table describes the additional options to configure when using Password as the authentication method for SSH credentials.

Option Description
Username (Required) The username for a user on the target system.
Password (Required) The password associated with the username you provided.
Privilege Escalation

The privilege escalation method you want to use to increase users' privileges after initial authentication. Your Privilege Escalation selection determines the specific options you must configure. For more information, see Privilege Escalation.

Public Key Options

The following table describes the additional options to configure when using Public Key as the authentication method for SSH credentials.

Option Description
Username (Required) The username for a user on the host system.
Private Key (Required) The RSA or DSA OpenSSH key file for the user.
Passphrase The passphrase for the private key, if required.
Privilege Escalation

The privilege escalation method you want to use to increase users' privileges after initial authentication. Your Privilege Escalation selection determines the specific options you must configure. For more information, see Privilege Escalation.

Thycotic Secret Server Options

The following table describes the additional options to configure when using Thycotic Secret Server as the authentication method for SSH credentials.

Option Description

Username

(Required) The username for a user on the target system.
Thycotic elevate privileges with

The privilege escalation method you want to use to increase users' privileges after initial authentication. Your selection for this setting determines the specific options you must configure. For more information, see Privilege Escalation.

Thycotic Secret Name The Secret Name value on the Thycotic server.
Thycotic Secret Server URL

(Required) The value you want Tenable Security Center to use when setting the transfer method, target, and target directory for the scanner. Find the value on the Thycotic server, in Admin > Configuration > Application Settings > Secret Server URL.

For example, if you type https://pw.mydomain.com/SecretServer, Tenable Security Center determines it is an SSL connection, that pw.mydomain.com is the target address, and that /SecretServer is the root directory.

Thycotic Login Name (Required) The username for a user on the Thycotic server.
Thycotic Password (Required) The password associated with the Thycotic Login Name you provided.
Thycotic Organization In cloud instances of Thycotic, the value that identifies the organization you want Tenable Security Center to target.
Thycotic Domain The domain, if set for the Thycotic server.
Verify SSL Certificate

If enabled, Tenable Security Center verifies the SSL Certificate on the Thycotic server.

For more information about using self-signed certificates, see the Nessus custom_CA.inc documentation.

Use Private Key If enabled, Tenable Security Center uses key-based authentication for SSH connections instead of password authentication.

WALLIX Bastion Options

The following table describes the additional options to configure when using WALLIX Bastion as the authentication method for SSH credentials.

Option Description Required

WALLIX Host

The IP address for the WALLIX Bastion host.

yes

WALLIX Port

The port on which the WALLIX Bastion API communicates. By default, Tenable uses 443.

yes

Authentication Type

Basic authentication (with WALLIX Bastion user interface username and Password requirements) or API Key authentication (with username and WALLIX Bastion-generated API key requirements).

no

WALLIX User

Your WALLIX Bastion user interface login username.

yes
WALLIX Password Your WALLIX Bastion user interface login password. Used for Basic authentication to the API. yes
WALLIX API Key The API key generated in the WALLIX Bastion user interface. Used for API Key authentication to the API. yes
Get Credential by Device Account Name

The account name associated with a Device you want to log in to the target systems with.

Note: If your device has more than one account you must enter the specific device name for the account you want to retrieve credentials for. Failure to do this may result in credentials for the wrong account returned by the system.

Required only if you have a target and/or device with multiple accounts.

HTTPS

This is enabled by default.

Caution: The integration fails if you disable HTTPS.

yes

Verify SSL Certificate

This is disabled by default and is not supported in WALLIX Bastion PAM integrations.

no

Privilege Escalation

This enables WALLIX Bastion Privileged Access Management (PAM). Use the drop-down menu to select the privilege elevation method. To bypass this function, leave this field set to Nothing.

Caution: In your WALLIX Bastion account, the WALLIX Bastion super admin must have enabled "credential recovery" on your account for PAM to be enabled. Otherwise, your scan may not return any results. For more information, see your WALLIX Bastion documentation.

Note: Multiple options for privilege escalation are supported, including su, su+sudo and sudo. For example, if you select sudo, more fields for sudo user, Escalation Account Name, and Location of su and sudo (directory) are provided and can be completed to support authentication and privilege escalation through WALLIX Bastion PAM. The Escalation Account Name field is then required to complete your privilege escalation.

Note: For more information about supported privilege escalation types and their accompanying fields, see Privilege Escalation.

Required if you wish to escalate privileges.