3 Replies Latest reply on Oct 25, 2012 5:48 AM by jnkaiser

    ssh-certificate did not send id string?

    jnkaiser

      Hello,

       

      I want to use an ssh certificate for a connection initiated from a VM Box (FS-3100) to a FreeBSD.

      KB54734 can be seen as read and understood.

       

      I exported the Public keys from the VM-Box.

      I copied them from the VM-Box on the target host.

      I converted them into OpenSSH format.

      I used the correct username in the scan's credential section.

      But it does not work.

      (A similar ssh test connection based on certificates from a different box to my target host works well, so naming and permission of the local sshd can be seen as correct.)

       

      In the logfile I find: "foundstone did not send identification string".

       

      Does anyone have a hint what the problem may be?

       

      Best regards

      JK

        • 1. Re: ssh-certificate did not send id string?
          jnkaiser

          After a couple of hours of testing:

          Behaviour identical on FreeBSD and Ubuntu.

           

          With Username/Password all works perfectly (i.e. "password or certificate").

          With Username/Certificate it doesn't. (i.e. "certificate only")

           

          The certificate is accepted by the machine, as can be seen in the auth.log of the Unix boxes; that is not the problem.

           

          I have 2 possible causes:

          a) I have to change PAM-Config for sshd

              (but key based login via ssh works for these unix boxes)

          b) VM is broken when using sshd and keys

            

           

          Has anyone ever successfully used VM with ssh certificates (with "certificate only" chosen in the credentials section)?

           

          regards

          Jochen

          • 2. Re: ssh-certificate did not send id string?

            Hi Jochen,

             

            I don't have a quick FreeBSD VM to try this on, but a quick test is to enable the Verbose Shell Logging Tweak:

             

            [HKEY_LOCAL_MACHINE\SOFTWARE\Foundstone\Foundscan\Tweaks] (for 32-bit host) or

            [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Foundstone\Foundscan\Tweaks] (for 64-bit host)

            ** if the key "Tweaks" doesn't exist, create it. **

             

            LogShell DWORD Value 'ff'

             

            Rescan the device, and look in the daily log:

            ~Foundstone\Logs\LogFile.<date>.txt

             

            for 'plink' ->  you should see the string we issue from the engine.  Try it from the command line.  If it doesn't work from the Engine Command line, then it's not going to work inside the product.

             

            If you're still having issues, please get an SR opened so we can help you research it.

             

            Thanks!
            Cathy

             

             

            Oh, one other thing.  I do know we don't send the keyring if the scan is an audit type scan (OVAL/XCCDF/etc.).  That's fixed in 7.5.1, but if this is a normal Shell Module Scan that wouldn't apply.

            • 3. Re: ssh-certificate did not send id string?
              jnkaiser

              Hi Cathy,

               

              thanks for your hint. After applying the registry change I see in the mentioned logfile:

              [...]

              [HOST-IP]: SHELL: Logon succeeded.

               

              2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | HOST-IP: Connection Succeeded.

              2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | HOST-IP: SHELL_CONNECTED_WITH_CERTIFICATE: Yes

              2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | HOST-IP: SHELL_CONNECTED_WITH_PASSWORD: No

              2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | HOST-IP: SHELL_CONNECTED_WITH_TELNET: No

              2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | HOST-IP: SHELL_CONNECTED_WITH_SSHV1: No

              2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | HOST-IP: SHELL_CONNECTED_WITH_SSHV2: Yes

              2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | HOST-IP: SHELL_CONNECTED_GOT_ROOT: No

              2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | [HOST-IP]: Connection successful. Launching scripts...

               

              So it works :-)

               

              But in the "scan status" section I see:

              Discovery
              100%

              1 of 1 Addresses Found (100%)

              1 Services Found

              1 Average services per address

              1 of 1 Discovery Batches Completed

              0 Successful Login(s)

               

               

              So maybe it is a bug in the presentation of the status and it worked all the time correctly?

               

              regards & thx :-)

               

              Jochen
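
An added example, not part of the thread and not the product's own code: a small Python parser for the verbose ShellModule lines quoted in reply 3. It reports per host which credential the login used and whether Telnet or SSHv1 was involved, so the log can be checked independently of the scan status page. The sample lines and the 192.0.2.x hosts are constructed, and the six-field pipe layout is assumed from the lines quoted above.

```python
import re
from collections import defaultdict

# Message part of a ShellModule line: "<host>: SHELL_CONNECTED_<FLAG>: Yes|No".
# Assumption: the host token contains no colon (IPv4 address or hostname).
FLAG_RE = re.compile(
    r"^\[?(?P<host>[^\]\s:]+)\]?:\s+"
    r"SHELL_CONNECTED_(?P<flag>[A-Z0-9_]+):\s+(?P<val>Yes|No)$"
)

def parse_flags(lines):
    """Return {host: {flag: bool}} from pipe-delimited ShellModule log lines."""
    hosts = defaultdict(dict)
    for line in lines:
        # timestamp | (empty) | level | module | thread id | message
        fields = [f.strip() for f in line.split("|", 5)]
        if len(fields) != 6 or fields[3] != "ShellModule":
            continue
        m = FLAG_RE.match(fields[5])
        if m:
            hosts[m["host"]][m["flag"]] = (m["val"] == "Yes")
    return dict(hosts)

def assess(flags):
    """Classify one host's login: credential used, weak transports, root."""
    method = ("certificate" if flags.get("WITH_CERTIFICATE")
              else "password" if flags.get("WITH_PASSWORD") else "none")
    weak = sorted(t for t in ("WITH_TELNET", "WITH_SSHV1") if flags.get(t))
    return {"method": method, "weak_transport": weak,
            "root": bool(flags.get("GOT_ROOT"))}

def report(lines):
    """Map every host seen in the log to its assessment."""
    return {host: assess(flags) for host, flags in parse_flags(lines).items()}

# Constructed sample in the layout shown in the post (documentation addresses).
SAMPLE = """\
2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | 192.0.2.10: Connection Succeeded.
2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | 192.0.2.10: SHELL_CONNECTED_WITH_CERTIFICATE: Yes
2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | 192.0.2.10: SHELL_CONNECTED_WITH_PASSWORD: No
2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | 192.0.2.10: SHELL_CONNECTED_WITH_SSHV2: Yes
2012-10-25 12:25:09+01:00 | | 4 | ShellModule | 0x0B30 | [192.0.2.10]: Connection successful. Launching scripts...
2012-10-25 12:26:40+01:00 | | 4 | ShellModule | 0x0B34 | 192.0.2.11: SHELL_CONNECTED_WITH_CERTIFICATE: No
2012-10-25 12:26:40+01:00 | | 4 | ShellModule | 0x0B34 | 192.0.2.11: SHELL_CONNECTED_WITH_PASSWORD: Yes
2012-10-25 12:26:40+01:00 | | 4 | ShellModule | 0x0B34 | 192.0.2.11: SHELL_CONNECTED_WITH_TELNET: Yes
2012-10-25 12:26:40+01:00 | | 4 | ShellModule | 0x0B34 | 192.0.2.11: SHELL_CONNECTED_GOT_ROOT: Yes
""".splitlines()
```

Calling `report()` on the lines of a daily log file gives one entry per scanned host; a host reported with method "password" or a non-empty `weak_transport` list did not log in the way a "certificate only" credential set intends.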