How to configure SSH Keys for Nessus



  • Enjoy 🙂


    Create Scan User and Scan Group


    sudo useradd -m scan_user
    sudo groupadd scan
    sudo usermod -aG scan scan_user
    
    

    Create .ssh directory and set permissions


    sudo mkdir /home/scan_user/.ssh
    sudo chown -R scan_user:scan_user /home/scan_user
    
    

    Generate key and set permissions


    
    sudo -u scan_user ssh-keygen -f /home/scan_user/.ssh/id_rsa -t rsa -N ''
    sudo -u scan_user mv /home/scan_user/.ssh/id_rsa.pub /home/scan_user/.ssh/authorized_keys
    sudo -u scan_user chmod 0600 /home/scan_user/.ssh/authorized_keys
    sudo -u scan_user chmod 0700 /home/scan_user/.ssh
    
    

    Enable Public Key Authentication


    sudo echo '' >> /etc/ssh/sshd_config
    sudo echo '' >> /etc/ssh/sshd_config
    sudo echo '#***********************************************************' >> /etc/ssh/sshd_config
    sudo echo '# Enable RSA Key Authentication ' >> /etc/ssh/sshd_config
    sudo echo '#***********************************************************' >> /etc/ssh/sshd_config
    sudo echo 'PubkeyAuthentication yes' >> /etc/ssh/sshd_config
    sudo echo 'RSAAuthentication yes' >> /etc/ssh/sshd_config
    
    

    Set minimum permissions for scanning


    sudo echo '' >> /etc/ssh/sshd_config
    sudo echo '' >> /etc/ssh/sshd_config
    sudo echo '#***********************************************************' >> /etc/sudoers
    sudo echo '# Set minimum permissions for scanning ' >> /etc/sudoers
    sudo echo '#***********************************************************' >> /etc/sudoers
    sudo echo '%scan    ALL= NOPASSWD:/usr/sbin/dmidecode, /bin/netstat, /bin/uname' >> /etc/sudoers
    
    

    Restart SSH


    sudo systemctl restart sshd
    
    

    Copy key file to your PC for upload to Nessus
    Commented out so you can run manually.


    # sudo scp /home/scan_user/.ssh/id_rsa [email protected]:servername_scan_key
    
    

    Test Logging in via SSH Key from your box.
    Commented out so you can run manually.


    # ssh -i servername_scan_key [email protected]
    


  • All cleaned up 😉



  • Updated for 100% automation. Tested on Ubuntu 18.04 and Ubuntu 16.04



  • Thanks for posting this. I know how interesting their instructions are thanks to your adventures yesterday.



  • @travisdh1 said in How to configure SSH Keys for Nessus:

    Thanks for posting this. I know how interesting their instructions are thanks to your adventures yesterday.

    You think this would be super important to them. I guess everyone just uses password auth with sudo access 🤷♂

    Or maybe they just use windows 🤦♂



  • @IRJ said in How to configure SSH Keys for Nessus:

    Or maybe they just use windows

    Those licenses aren't that expensive compared to the 15 seconds it takes to setup key access, right?



  • @DustinB3403 said in How to configure SSH Keys for Nessus:

    @IRJ said in How to configure SSH Keys for Nessus:

    Or maybe they just use windows

    Those licenses aren't that expensive compared to the 15 seconds it takes to setup key access, right?

    Sure, but it took me half a day with terrible documentation.

    I can understand some kb articles that are outdated/broken, but you think account setup would be an extremely important article that is maintained and tested at least quarterly. Whoever wrote that article, did not only have incorrect information, but they seemed to have never made a blog post before.

    Sometimes explanations came before or after the listed command, and some things had no explanations at all. It wasnt even consistent throughout the article.



  • @IRJ said in How to configure SSH Keys for Nessus:

    Sure, but it took me half a day with terrible documentation.

    But you also didn't follow the KISS method and blindly followed that bad documentation. Rather than stepping back and saying "there is no f'ing way it's this difficult on linux"



  • Isn't this step redundant?

    sudo mkdir /home/scan_user/.ssh
    sudo chown -R scan_user:scan_user /home/scan_user
    

    As ssh-keygen will create these directories and set the ownership?



  • @DustinB3403 said in How to configure SSH Keys for Nessus:

    Isn't this step redundant?

    sudo mkdir /home/scan_user/.ssh
    sudo chown -R scan_user:scan_user /home/scan_user
    

    As ssh-keygen will create these directories and set the ownership?

    It could be extra steps, but we are not charged per command issued in the terminal 😉

    Especially since it was scripted.



  • @DustinB3403 said in How to configure SSH Keys for Nessus:

    Isn't this step redundant?

    sudo mkdir /home/scan_user/.ssh
    

    I think that one is needed, but you could do it like this without elevating priveleges.

    sudo -u scan_user mkdir /home/scan_user/.ssh


  • @DustinB3403 said in How to configure SSH Keys for Nessus:

    Isn't this step redundant?

    sudo mkdir /home/scan_user/.ssh
    sudo chown -R scan_user:scan_user /home/scan_user
    

    As ssh-keygen will create these directories and set the ownership?

    It certainly does on Fedora.


Log in to reply