jnkaiser
Level 8

ssh-certificate did not send id string?

Hello,

I want to use an ssh certificate for a connection initiated from a VM Box (FS-3100) to a FreeBSD host.

KB54734 can be seen as read and understood.

I exported the Public keys from the VM-Box.

I copied them from the VM-Box on the target host.

I converted them in openssh format.

I used the correct username in the scan's credential section.

But it does not work.

(A similar ssh test connection based on certificates from a different box to my target host works well, so naming and permission of the local sshd can be seen as correct.)

In the logfile I find: "foundstone did not send identifikation string".

Does anyone have a hint as to what the problem may be?

Best regards

JK

0 Kudos
3 Replies
jnkaiser
Level 8

Re: ssh-certificate did not send id string?

After a couple of hours of testing:

Behaviour identical on FreeBSD and Ubuntu.

With Username/Password all works perfectly (i.e. "password or certificate").

With Username/Certificate it doesn't (i.e. "certificate only").

The certificate is accepted by the machine, as can be seen in the auth.log of the unix boxes, so that is not the problem.

I have 2 possible causes:

a) I have to change PAM-Config for sshd

    (but key-based login via ssh works for these unix boxes)

b) VM is broken when using sshd and keys


Did anyone ever successfully use VM with ssh certificates (with "certificate only" chosen in the credentials section)?

regards

Jochen

0 Kudos
cgrim
Level 13

Re: ssh-certificate did not send id string?

Hi Jochen,

I don't have a quick FreeBSD VM to try this on, but a quick test is to enable the Verbose Shell Logging Tweak:

[HKEY_LOCAL_MACHINE\SOFTWARE\Foundstone\Foundscan\Tweaks] (for 32-bit host) or

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Foundstone\Foundscan\Tweaks] (for 64-bit host)

** if the key "Tweaks" doesn't exist, create it. **

LogShell DWORD Value 'ff'

Rescan the device, and look in the daily log:

~Foundstone\Logs\LogFile.<date>.txt

for 'plink' ->  you should see the string we issue from the engine.  Try it from the command line.  If it doesn't work from the Engine Command line, then it's not going to work inside the product.

If you're still having issues, please get an SR opened so we can help you research it.

Thanks!
Cathy

Oh, one other thing.  I do know we don't send the keyring if the scan is an audit type scan (OVAL/XCCDF/etc.).  That's fixed in 7.5.1, but if this is a normal Shell Module Scan that wouldn't apply.

0 Kudos
jnkaiser
Level 8

Re: ssh-certificate did not send id string?

Hi Cathy,

Thanks for your hint. After applying the registry change I see in the mentioned logfile:

[...]

[HOST-IP]: SHELL: Logon succeeded.

2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | HOST-IP: Connection Succeeded.

2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | HOST-IP: SHELL_CONNECTED_WITH_CERTIFICATE: Yes

2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | HOST-IP: SHELL_CONNECTED_WITH_PASSWORD: No

2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | HOST-IP: SHELL_CONNECTED_WITH_TELNET: No

2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | HOST-IP: SHELL_CONNECTED_WITH_SSHV1: No

2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | HOST-IP: SHELL_CONNECTED_WITH_SSHV2: Yes

2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | HOST-IP: SHELL_CONNECTED_GOT_ROOT: No

2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | [HOST-IP]: Connection successful. Launching scripts...

So it works :-)

But in the "scan status" section I see:

Discovery

100%

1 of 1 Addresses Found (100%)

1 Services Found

1 Average services per address

1 of 1 Discovery Batches Completed

0 Successful Login(s)

So maybe it is a bug in the presentation of the status and it worked correctly all the time?

regards & thx :-)

Jochen

0 Kudos
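As an added example (not code from the thread or from the product): a small Python parser for the ShellModule log format quoted in the previous post. It reports which hosts logged on with the certificate alone (CERTIFICATE Yes, PASSWORD No) and whether the "Successful Login(s)" figure from the scan status agrees with the log, which is the discrepancy described above. The sample log, its addresses and the second host are constructed; the original redacts the address as HOST-IP.

```python
import re
from typing import Dict

# Constructed sample in the ShellModule log format quoted in the thread; the
# addresses are placeholders, and the second host shows a password logon for contrast.
SAMPLE_LOG = """\
2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | 10.0.0.5: Connection Succeeded.
2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | 10.0.0.5: SHELL_CONNECTED_WITH_CERTIFICATE: Yes
2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | 10.0.0.5: SHELL_CONNECTED_WITH_PASSWORD: No
2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | [10.0.0.5]: Connection successful. Launching scripts...
2012-10-25 12:26:41+01:00 | | 4 | ShellModule | 0x0B31 | 10.0.0.6: Connection Succeeded.
2012-10-25 12:26:41+01:00 | | 4 | ShellModule | 0x0B31 | 10.0.0.6: SHELL_CONNECTED_WITH_CERTIFICATE: No
2012-10-25 12:26:41+01:00 | | 4 | ShellModule | 0x0B31 | 10.0.0.6: SHELL_CONNECTED_WITH_PASSWORD: Yes
"""

FLAG_RE = re.compile(r"^(SHELL_CONNECTED_\w+): (Yes|No)$")

def parse_shell_log(text: str) -> Dict[str, dict]:
    """Return per-host connection facts from ShellModule log lines of the form
    'timestamp | | level | module | thread | host: message' (host may be bracketed)."""
    hosts: Dict[str, dict] = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|", 5)]
        if len(fields) != 6 or fields[3] != "ShellModule":
            continue  # not a ShellModule record, or a truncated line
        host, sep, message = fields[5].partition(": ")
        if not sep:
            continue
        entry = hosts.setdefault(host.strip("[]"), {"connected": False, "flags": {}})
        if message.startswith("Connection Succeeded"):
            entry["connected"] = True
        m = FLAG_RE.match(message)
        if m:
            entry["flags"][m.group(1)] = m.group(2) == "Yes"
    return hosts

def certificate_only_logins(hosts):
    """Hosts whose logon used the key alone: certificate Yes and password No."""
    return sorted(h for h, e in hosts.items()
                  if e["connected"]
                  and e["flags"].get("SHELL_CONNECTED_WITH_CERTIFICATE")
                  and not e["flags"].get("SHELL_CONNECTED_WITH_PASSWORD"))

def login_count_mismatch(hosts, reported_logins: int) -> bool:
    """True when the scan-status 'Successful Login(s)' figure disagrees with the log."""
    return sum(e["connected"] for e in hosts.values()) != reported_logins
```

Run against the real LogFile.<date>.txt, `login_count_mismatch(parse_shell_log(text), 0)` returning True reproduces the situation in the post: the log shows successful logons while the status page reports none.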