I want to use an ssh certificate for a connection initiated from a VM Box (FS-3100) to a FreeBSD host.
KB54734 can be seen as read and understood.
I exported the public keys from the VM-Box.
I copied them from the VM-Box on the target host.
I converted them to openssh format.
I used the correct username in the scan's credential section.
But it does not work.
(A similar ssh test connection based on certificates from a different box to my target host works well, so naming and permission of the local sshd can be seen as correct.)
In the logfile I find: "foundstone did not send identification string".
Does anyone have a hint what the problem may be?
After a couple of hours of testing:
Behaviour identical on FreeBSD and Ubuntu.
With Username/Password all works perfectly. (i.e. "password or certificate")
With Username/Certificate it doesn't. (i.e. "certificate only")
The certificate is accepted by the machine, as can be seen in the auth.log of the unix boxes, so that is not the problem.
I have 2 possible causes:
a) I have to change PAM-Config for sshd
(but key based login via ssh works for these unix boxes)
b) VM is broken when using sshd and keys
Did anyone ever successfully use VM with ssh certificates (with "certificate only" chosen in the credentials section)?
I don't have a quick FreeBSD VM to try this on, but a quick test is to enable the Verbose Shell Logging Tweak:
[HKEY_LOCAL_MACHINE\SOFTWARE\Foundstone\Foundscan\Tweaks] (for 32-bit host) or
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Foundstone\Foundscan\Tweaks] (for 64-bit host)
** if the key "Tweaks" doesn't exist, create it. **
LogShell DWORD Value 'ff'
Rescan the device, and look in the daily log:
for 'plink' -> you should see the string we issue from the engine. Try it from the command line. If it doesn't work from the Engine command line, then it's not going to work inside the product.
If you're still having issues, please get an SR opened so we can help you research it.
Oh, one other thing. I do know we don't send the keyring if the scan is an audit type scan (OVAL/XCCDF/etc.). That's fixed in 7.5.1, but if this is a normal Shell Module Scan that wouldn't apply.
Thanks for your hint. After applying the registry change I see in the mentioned logfile:
[HOST-IP]: SHELL: Logon succeeded.
2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | HOST-IP: Connection Succeeded.
2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | HOST-IP: SHELL_CONNECTED_WITH_CERTIFICATE: Yes
2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | HOST-IP: SHELL_CONNECTED_WITH_PASSWORD: No
2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | HOST-IP: SHELL_CONNECTED_WITH_TELNET: No
2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | HOST-IP: SHELL_CONNECTED_WITH_SSHV1: No
2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | HOST-IP: SHELL_CONNECTED_WITH_SSHV2: Yes
2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | HOST-IP: SHELL_CONNECTED_GOT_ROOT: No
2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | [HOST-IP]: Connection successful. Launching scripts...
So it works :-)
But in the "scan status" section I see:
1 of 1 Addresses Found (100%)
1 Services Found
1 Average services per address
1 of 1 Discovery Batches Completed
0 Successful Login(s)
So maybe it is a bug in the presentation of the status, and it worked correctly all the time?
regards & thx :-)
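A small parser for the ShellModule lines quoted in the thread above, added here as an example (it is not Foundstone's code and not from any post in this thread): per host it reports whether the engine logged a certificate-only SSHv2 login and whether scripts were launched, which is the check the poster did by eye. The sample log is constructed from the quoted lines plus an invented second host (192.0.2.20), and the field layout is assumed from those quoted lines only.

```python
import re

# Constructed sample modelled on the ShellModule lines quoted in this thread;
# the second host (192.0.2.20) is invented to show a password login that got root.
SAMPLE_LOG = """\
2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | HOST-IP: Connection Succeeded.
2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | HOST-IP: SHELL_CONNECTED_WITH_CERTIFICATE: Yes
2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | HOST-IP: SHELL_CONNECTED_WITH_PASSWORD: No
2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | HOST-IP: SHELL_CONNECTED_WITH_SSHV2: Yes
2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | HOST-IP: SHELL_CONNECTED_GOT_ROOT: No
2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | [HOST-IP]: Connection successful. Launching scripts...
2012-10-25 12:25:11+01:00 | | 4 | ShellModule | 0x0B31 | 192.0.2.20: Connection Succeeded.
2012-10-25 12:25:11+01:00 | | 4 | ShellModule | 0x0B31 | 192.0.2.20: SHELL_CONNECTED_WITH_CERTIFICATE: No
2012-10-25 12:25:11+01:00 | | 4 | ShellModule | 0x0B31 | 192.0.2.20: SHELL_CONNECTED_WITH_PASSWORD: Yes
2012-10-25 12:25:11+01:00 | | 4 | ShellModule | 0x0B31 | 192.0.2.20: SHELL_CONNECTED_WITH_SSHV2: Yes
2012-10-25 12:25:11+01:00 | | 4 | ShellModule | 0x0B31 | 192.0.2.20: SHELL_CONNECTED_GOT_ROOT: Yes
"""
# Matches both SHELL_CONNECTED_WITH_<X>: Yes/No and SHELL_CONNECTED_GOT_ROOT: Yes/No
FLAG_RE = re.compile(r"^SHELL_CONNECTED_(?:WITH_)?(\w+): (Yes|No)$")

def parse_shell_log(text):
    """Return {host: {"connected", "scripts", "flags"}} from ShellModule lines (assumed layout)."""
    hosts = {}
    for raw in text.splitlines():
        fields = [f.strip() for f in raw.split("|", 5)]  # timestamp | ? | level | module | thread | message
        if len(fields) != 6 or fields[3] != "ShellModule":
            continue  # other modules or lines without the pipe layout are skipped
        host, _, msg = fields[5].partition(": ")
        host = host.strip("[]")  # some lines write the host as [HOST-IP]
        entry = hosts.setdefault(host, {"connected": False, "scripts": False, "flags": {}})
        m = FLAG_RE.match(msg)
        if m:
            entry["flags"][m.group(1).lower()] = (m.group(2) == "Yes")
        elif msg.startswith("Connection Succeeded"):
            entry["connected"] = True
        elif msg.startswith("Connection successful. Launching scripts"):
            entry["scripts"] = True
    return hosts

def login_summary(entry):
    """Classify how the engine got in, e.g. 'certificate-only via sshv2 (non-root)'."""
    if not entry["connected"]:
        return "no connection"
    f = entry["flags"]
    methods = [k for k in ("certificate", "password", "telnet") if f.get(k)]
    transport = [k for k in ("sshv1", "sshv2") if f.get(k)]
    auth = "+".join(methods) if methods else "unknown"
    if methods == ["certificate"]:
        auth = "certificate-only"  # the case the poster wanted to confirm
    return f"{auth} via {','.join(transport) or 'unknown'} ({'root' if f.get('got_root') else 'non-root'})"
```

A host that shows "connected" but never reaches "Launching scripts" is the case to look at first when the scan status still reports 0 successful logins.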