Using SSH public key authentication
You can use InsightVM to perform credentialed scans on assets that authenticate users with SSH public keys. This method, also known as asymmetric key encryption, involves the creation of two related keys, or large, random numbers:
- a public key that any entity can use to encrypt authentication information
- a private key that only trusted entities can use to decrypt the information encrypted by its paired public key
When generating a key pair, keep the following guidelines in mind:
- The application supports SSH protocol version 2 RSA, DSA, and ECDSA keys.
- RSA keys can range between 768 and 16384 bits.
- DSA keys must be 1024 bits.
- ECDSA keys must be 256, 384, or 521 bits.
- Keys must be in openssh-key-v1 format or in PEM format.
This article provides general steps for configuring an asset to accept public key authentication. For specific steps, consult the documentation for the particular system that you are using.
The ssh-keygen process will give you the option to enter a pass phrase. It is recommended that you use a pass phrase to protect the key if you plan to use the key elsewhere.
Generating a key pair
- Run the ssh-keygen command to create the key pair, specifying a secure directory for storing the new file.
This example involves a 2048-bit RSA key and incorporates the /tmp directory, but you should use any directory that you trust to protect the file:
ssh-keygen -t rsa -b 2048 -f /tmp/id_rsa
This next example generates the key in PEM format:
ssh-keygen -t rsa -b 2048 -m PEM -f /tmp/id_rsa
This command generates the private key file, id_rsa, and the public key file,
- Make the public key available for the application on the target asset.
- Make sure that the computer with which you are generating the key has a .ssh directory. If not, run the mkdir command to create it:
- Copy the contents of the public key that you created by running the command in step 1. The file is in
Root access note
Some checks require root access.
On the target asset, append the contents of the /tmp/id_rsa.pub file to the .ssh/authorized_keys file in the home directory of a user with the access-level permissions required for complete scan coverage.
cat /[directory]/id_rsa.pub >> /home/[username]/.ssh/authorized_keys
- Provide the private key.
After you provide the private key, you must provide the application with SSH public key authentication.
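As an added example (not part of the original article and not InsightVM's own code), the following Python checks an OpenSSH-format public key line against the key type and size limits listed in the guidelines above before the key is appended to authorized_keys. The ssh_string and ssh_mpint helpers encode the SSH wire format; constructed_line only builds labelled sample lines for testing and is not a key generator.

```python
import base64
import struct

# Key constraints as stated on this page (protocol-2 RSA, DSA and ECDSA only).
LIMITS = {"ssh-rsa": range(768, 16385), "ssh-dss": {1024}, "ecdsa": {256, 384, 521}}

def ssh_string(b):       # SSH wire "string": 4-byte big-endian length + bytes
    return struct.pack(">I", len(b)) + b

def ssh_mpint(value):    # SSH wire "mpint": extra leading zero byte when the high bit is set
    return ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))

def read_string(blob, off):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def parse_pubkey_line(line):
    """Return (key_type, bits) for one id_*.pub / authorized_keys line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1])
    ktype, off = read_string(blob, 0)
    ktype = ktype.decode()
    if ktype != fields[0]:
        raise ValueError("type prefix does not match the key blob")
    if ktype == "ssh-rsa":
        _e, off = read_string(blob, off)           # public exponent
        n, _ = read_string(blob, off)              # modulus sets the key size
        return ktype, int.from_bytes(n, "big").bit_length()
    if ktype == "ssh-dss":
        p, _ = read_string(blob, off)              # prime p sets the key size
        return ktype, int.from_bytes(p, "big").bit_length()
    if ktype.startswith("ecdsa-sha2-nistp"):
        curve, _ = read_string(blob, off)          # e.g. b"nistp256"
        return ktype, int(curve.decode()[len("nistp"):])
    raise ValueError("key type not listed as supported: " + ktype)

def insightvm_accepts(line):
    """True when the key type and size fall within the limits listed above."""
    try:
        ktype, bits = parse_pubkey_line(line)
    except (ValueError, struct.error):
        return False
    family = "ecdsa" if ktype.startswith("ecdsa-") else ktype
    return bits in LIMITS[family]

def constructed_line(ktype, *parts):  # builds a sample .pub line; not a real key
    blob = ssh_string(ktype.encode()) + b"".join(parts)
    return ktype + " " + base64.b64encode(blob).decode() + " constructed@example"
```

For example, insightvm_accepts(constructed_line("ssh-rsa", ssh_mpint(65537), ssh_mpint((1 << 2047) | 1))) returns True for a 2048-bit modulus, while a 512-bit modulus or an ssh-ed25519 line returns False.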
Providing SSH public key authentication
If you want to add SSH credentials while configuring a new site, click the Create site button on the Home page.
Click the Create tab at the top of the page and then select Site from the dropdown list.
If you want to add SSH credentials for an existing site, click that site's Edit icon in the Sites table on the Home page.
- Click the Authentication tab in the site configuration.
- Click Add Credentials.
- In the Add Credentials form, enter a name and description for a new set of credentials if necessary.
- Click Account under Add Credentials.
- Select Secure Shell (SSH) Public Key from the Service dropdown list.
Default file information
.ssh/authorized_keys is the default file for most OpenSSH and Dropbear-based SSH daemons. Consult the documentation for your Linux distribution to verify the appropriate file.
Be aware that this Secure Shell (SSH) Public Key authentication method is different from the method listed in the dropdown menu as Secure Shell (SSH). This latter method incorporates passwords instead of keys.
- Enter the appropriate user name.
- (Optional) Enter the Private key password used when generating the keys.
- Confirm the private key password.
- The private key that you created is the /tmp/id_rsa file on the target asset. Copy the contents of that file into the PEM-format private key text box.
- (Optional) Elevate permissions to sudo or su. You can elevate permissions for both Secure Shell (SSH) and Secure Shell (SSH) Public Key services.
- (Optional) Enter the appropriate user name. The permission elevation user needs to be set to root. To do this, the user's permission elevation type needs to be set to sudo and the permission elevation user needs to be set as
- The user name can be empty for sudo credentials. If you are using su credentials with no user name, the credentials will default to root as the user name.
If the SSH credential provided is a root credential (user ID = 0), the permission elevation credentials will be ignored, even if the root account has been renamed. The application will ignore the permission elevation credentials when any account, root or otherwise named, with user ID 0 is specified.
- When you have finished configuring the credentials, click Create if it is a new set, or Save if it is a previously created set.