You could try un-commenting that entry and re-starting sshd before
doing the scan.
I meant to say, un-comment that entry and change the parameter from
'yes' to 'no'.
________________________________
From: nessus-***@list.nessus.org
[mailto:nessus-***@list.nessus.org] On Behalf Of John Scherff
Sent: Tuesday, January 16, 2007 10:32 AM
To: Thomas Nguyen Van; ***@list.nessus.org
Subject: RE: SSH Credentials problem
Thomas,
Generally, items that are commented out in sshd_config are shown with
their default settings. This probably means your sshd is doing
reverse-map checking. You could try un-commenting that entry and
re-starting sshd before doing the scan.
On top of that, ReverseMappingCheck has been deprecated, so either your
sshd is old (bad) or your config file is just a carry-over from an old
version (not-so-bad). You should definitely check your version of sshd
and apply any available patches. There are a few things you can get
away with not patching for a long time, but SSH ain't one of them.
Finally, you could also try putting your scanning server in /etc/hosts.
And I definitely concur with Ron Gula on putting sshd into debug mode
for troubleshooting purposes.
Good luck,
John
________________________________
From: Thomas Nguyen Van [mailto:***@bt.com]
Sent: Tuesday, January 16, 2007 6:35 AM
To: John Scherff; ***@list.nessus.org
Subject: RE: SSH Credentials problem
Afternoon John,
Sorry for the delay and below my answers to your questions in green.
Thanks for all.
Thomas Nguyen Van (CEH) | OneIT Technical Security Consultant | OneIT
Operations | BT |
E: ***@bt.com |Mobile: +353 86 1720 692 | Fax: +353 1 432
5899| www.btireland.com
-----Original Message-----
From: John Scherff [mailto:***@24hourfit.com]
Sent: 15 January 2007 18:14
To: Thomas Nguyen Van; ***@list.nessus.org
Subject: RE: SSH Credentials problem
Thomas,
Does your Nessus scanner have a PTR record (reverse-map entry)
in the DNS?
There is no PTR record and no DNS is defined.
cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 myserver localhost.localdomain localhost
Some implementations of sshd have a bug wherein you can't turn
off reverse-map checking (setting 'ReverseMappingCheck' to 'no' in the
sshd_config file has no effect).
grep -i "reverse" /etc/ssh/sshd_config
#ReverseMappingCheck yes
Also, are you doing anything with TCP wrappers on the target?
I'm not familiar with TCP wrappers. Could you precise
your idea, please?
John Scherff
________________________________
From: nessus-***@list.nessus.org
[mailto:nessus-***@list.nessus.org] On Behalf Of Thomas Nguyen Van
Sent: Tuesday, December 19, 2006 8:26 AM
To: '***@list.nessus.org'
Subject: RE: SSH Credentials problem
Good afternoon,
In addition to my previous mail of today, I would like to add
those information:
We did the following tests:
Test 1 - Manual SSH connection to IP_Nessus_Target with
password: Ok
Test 2 - Manual SSH connection to IP_Nessus_Target with
public/private keys: Ok
Test 3 - Nessus SSH connection to IP_Nessus_Target with
password: Ok
Test 4 - Nessus SSH connection to IP_Nessus_Target with
public/private keys: Failed
The analyse of the /var/adm/messages file on IP_Nessus_Target
showed that:
Dec 19 16:05:55 IP_Nessus_Target sshd[13422]: [ID 800047
auth.info] Did not receive ident string from IP_Nessus_Scanner.
Dec 19 16:05:56 IP_Nessus_Target sshd[13423]: [ID 800047
auth.info] Could not reverse map address IP_Nessus_Scanner.
Dec 19 16:05:56 IP_Nessus_Target sshd[13423]: [ID 800047
auth.info] Connection closed by IP_Nessus_Scanner
Dec 19 16:06:01 IP_Nessus_Target sshd[13424]: [ID 800047
auth.info] Could not reverse map address IP_Nessus_Scanner.
Dec 19 16:06:01 IP_Nessus_Target sshd[13424]: [ID 800047
auth.info] Connection closed by IP_Nessus_Scanner
Dec 19 16:06:01 IP_Nessus_Target sshd[13425]: [ID 800047
auth.info] Did not receive ident string from IP_Nessus_Scanner.
Do you know why I read the message "Did not receive ident string
from IP_Nessus_Scanner." on the Nessus_Target?
Many thanks in advance
Regards,
Thomas
-----Original Message-----
From: Thomas Nguyen Van
Sent: 19 December 2006 13:04
To: '***@list.nessus.org'
Subject: SSH Credentials problem
Good afternoon,
I checked your Nessus' FAQ before calling you
(http://mail.nessus.org/pipermail/nessus/2006-September/msg00186.html)
and I have quiet the same problem as JeanPaul.
Actually, I activated the plugins "Local Checks Failed" (21745)
and scanned a solaris server. On the /var/log/message file, I can see
that nessus account was able to connect on the target server:
Dec 19 13:01:09 Server_Target sshd[7724]: [ID 800047
auth.info] Accepted publickey for nessus_account from nessus_server port
56364 ssh2
However, when I checked the .nbe file, I got the error message
associated to the plugin 21745 and I can't get any information like
security holes or general information with the plugin 12634.
I would really appreciate a clue to understand what happened.
Thanks a million
Thomas
BT Communications Ireland Limited
is a wholly owned subsidiary of BT Group plc
Registered in Ireland, Registration No. 141524
Grand Canal Plaza, Upper Grand Canal Street, Dublin, Ireland
This electronic message contains information (and may contain
files) from BT Communications Ireland Limited which may be privileged or
confidential. The information is intended to be for the sole use of the
individual(s) or entity named above. If you are not the intended
recipient be aware that any disclosure, copying, distribution or use of
the contents of this information and or files is prohibited. If you have
received this electronic message in error, please notify us by telephone
or email (to the numbers or address above) immediately.
http://www.btireland.ie
BT Communications Ireland Limited
is a wholly owned subsidiary of BT Group plc
Registered in Ireland, Registration No. 141524
Grand Canal Plaza, Upper Grand Canal Street, Dublin, Ireland
This electronic message contains information (and may contain files)
from BT Communications Ireland Limited which may be privileged or
confidential. The information is intended to be for the sole use of the
individual(s) or entity named above. If you are not the intended
recipient be aware that any disclosure, copying, distribution or use of
the contents of this information and or files is prohibited. If you have
received this electronic message in error, please notify us by telephone
or email (to the numbers or address above) immediately.
http://www.btireland.ie