Using SSH public key authentication

You can use Nexpose to perform credentialed scans on assets that authenticate users with SSH public keys. This method, also known as asymmetric key encryption, involves the creation of two related keys, or large, random numbers:

  • a public key that any entity can use to encrypt authentication information
  • a private key that only trusted entities can use to decrypt the information encrypted by its paired public key

When generating a key pair, keep the following guidelines in mind:

  • The application supports SSH protocol version 2 RSA, DSA, ECDSA, and Ed25519 keys.
    • RSA keys can range between 768 and 16384 bits.
    • DSA keys must be 1024 bits.
    • ECDSA keys must be 256, 384, or 521 bits.
    • Ed25519 keys are 256 bits and can not be altered.
  • Keys must be in openssh-key-v1 format or in PEM format.

Supported SSH key exchange algorithms

Below are SSH key exchange algorithms that are supported. Your assets need to be configured with at least one of these algorithms in order for the SSH public key credentials to be successful.

  • curve25519-sha256
  • diffie-hellman-group14-sha1
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group-exchange-sha1
  • diffie-hellman-group1-sha1
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521

This article provides general steps for configuring an asset to accept public key authentication. For specific steps, consult the documentation for the particular system that you are using.

The ssh-keygen process will provide the option to enter a passphrase. It is recommended that you use a passphrase to protect the key if you plan to use the key elsewhere.

Generating a key pair

  1. Run the ssh-keygen command to create the key pair, specifying a secure directory for storing the new file.

This example involves a 2048-bit RSA key and incorporates the /tmp directory, but you should use any directory that you trust to protect the file:

 
1
ssh-keygen -t rsa -b 2048 -f /tmp/id_rsa

This next example generates the key in PEM format:

 
1
ssh-keygen -t rsa -b 2048 -m PEM -f /tmp/id_rsa

This command generates the private key files, id_rsa, and the public key file, id_rsa.pub.

  1. Make the public key available for the application on the target asset.
  2. Make sure that the computer with which you are generating the key has a .ssh directory. If not, run the mkdir command to create it:
 
1
mkdir /home/[username]/.ssh
  1. Copy the contents of the public key that you created by running the command in step 1. The file is in /tmp/id_rsa.pub file.

Root access note

Some checks require root access.

Append the contents on the target asset of the /tmp/id_rsa.pub file to the .ssh/authorized_keys file in the home directory of a user with the appropriate access-level permissions that are required for complete scan coverage.

 
1
cat /[directory]/id_rsa.pub >> /home/[username]/.ssh/authorized_keys
  1. Provide the private key.

After you provide the private key, you must provide the application with SSH public key authentication.

Providing SSH public key authentication

If you want to add SSH credentials while configuring a new site, click the Create site button on the Home page.

OR

Click the Create tab at the top of the page and then select Site from the dropdown list.

If you want to add SSH credentials for an existing site, click that site's Edit icon in the Sites table on the Home page.

  1. Click the Authentication tab in the site configuration.
  2. Click Add Credentials.
  3. In the Add Credentials form, enter a name and description for a new set of credentials if necessary.
  4. Click Account under Add Credentials.
  5. Select Secure Shell (SSH) Public Key as the from Service dropdown list.

Default file information

ssh/authorized_keys is the default file for most OpenSSH and dropdown-based SSH daemons. Consult the documentation for your Linux distribution to verify the appropriate file.

Be aware that this Secure Shell (SSH) Public Key authentication method is different from the method listed in the dropdown menu as Secure Shell (SSH). This latter method incorporates passwords instead of keys.

  1. Enter the appropriate user name.
  2. (Optional) Enter the Private key password used when generating the keys.
  3. Confirm the private key password.
  4. Copy the contents of that file into the PEM-format private key text box. The private key that you created is the /tmp/id_rsa file on the target asset.
  5. (Optional) Elevate permissions to sudo or su. You can elevate permissions for both Secure Shell (SSH) and Secure Shell (SSH) Public Key services.
  6. (Optional) Enter the appropriate user name. The permission elevation user needs to be set to root. To do this, the user's permission elevation type needs to be set to sudo and the permission elevation user needs to be set as root.
  7. The user name can be empty for sudo credentials. If you are using su credentials with no user name, the credentials will default to root as the user name.

If the SSH credential provided is a root credential, user ID = 0, the permission elevation credentials will be ignored, even if the root account has been renamed. The application will ignore the permission elevation credentials when any account, root or otherwise named, with user ID 0 is specified.

  1. When you have finished configuring the credentials, click Create if it is a new set, or Save if it is a previously created set.

SSH Public Key configuration