
[#1502] SSH errors during scan when using public-private key pairs

Date: 2010-05-14 13:36
Priority: 3
State: Open
Submitted by: John Bradley (jbradley)
Assigned to: Nobody (None)
Architecture: None
Product: OpenVAS
Operating System: Linux
Component: None
Version: None
Severity: None
Resolution: None
Hardware: None
URL:
Summary: SSH errors during scan when using public-private key pairs

Detailed description
I am running OpenVAS (current stable versions as of May 14, 2010, built from source) on a 64-bit Ubuntu 10.04 machine (OpenVAS's dependencies have been installed from repository). I am trying to use the LSC Credentials Manager to safely create an account on my target Linux machines. I can create the credentials and local accounts, and I can use them to manually log into the target machines (AFTER I manually chmod the private key to 600). However, the credentials fail through OpenVAS.

In the targets' authlogs, I get the following errors that I believe are related to this issue:

pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=aeon user=openvas
error: RSA_public_decrypt failed: error:0407006A:lib(4):func(112):reason(106)
error: ssh_rsa_verify: len 257 > modlen 256

The following will appear in a report after a scan:

SSH LOG MESSAGE:
Reported by NVT "Determine OS and list of installed packages via SSH login" (1.3.6.1.4.1.25623.1.0.50282):

Public key authentication failed.

SSH SECURITY NOTE
Reported by NVT "SSH Authorization" (1.3.6.1.4.1.25623.1.0.90022):

It was not possible to login using the SSH crendentials supplied.
Hence local security checks are not enabled.

I receive these errors whether I use generated credentials or manually-created credentials using instructions from the documentation. Example target machines include a 64-bit Ubuntu 10.04 server and a 32-bit Ubuntu 9.10 workstation. Password-based authentication works fine but is impractical.

Thanks for your help!

Followup

Message
Date: 2010-12-14 17:50
Sender: Gwyn Connor

Hello,

I ran into the exact same problem and I believe that this problem has been reported before: [#971] Openvas is unabled to login with ssh key

My setup is the same as John's. I also use OpenVAS 3.1 compiled from source on Ubuntu Desktop 10.04 (64-bit) and I ran tests against an up-to-date Gentoo server (openssh-5.6_p1-r2) as well as a very old OpenSUSE 10.3 machine (openssh-4.6p1-58.6). Both SSHDs reported the same error.

OpenSUSE: error: RSA_public_decrypt failed: error:0407006A:lib(4):func(112):reason(106)
Gentoo: error: RSA_public_decrypt failed: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01

I used my own previously generated RSA key and generated a PKCS#8 key exactly as described in http://www.openvas.org/performing_lsc.html. Login with the PKCS#8 key works with an ordinary ssh client, it is only OpenVAS that fails.

I even poked around in the source and found the gcry_sexp_build call in nasl_crypto2.c, but from what I can tell with the gcrypt API docs it looks OK with padding being done by the gcrypt library.

Is there a way in OpenVAS to fix the problem for RSA - beside switching to DSA as workaround?

Thanks,
gwyn
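The "len 257 > modlen 256" line in the target's auth log and the padding question raised above both come down to how the ssh-rsa signature blob is sized against the server's RSA modulus. The following Python is an added illustration, not code from OpenVAS or OpenSSH: it mirrors the OpenSSH-style length check (oversized blob rejected with that exact message, short blob left-padded) and shows that an encoder which prepends a 0x00 sign byte yields a 257-byte blob for a 2048-bit key. That sign-byte encoder is a constructed cause for illustration only; the thread does not establish what nasl_crypto2.c actually emits.

```python
import struct

def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def parse_ssh_strings(buf: bytes) -> list:
    """Split a buffer of back-to-back SSH strings into a list of byte fields."""
    fields, off = [], 0
    while off < len(buf):
        (n,) = struct.unpack(">I", buf[off:off + 4])
        fields.append(buf[off + 4:off + 4 + n])
        off += 4 + n
    return fields

def encode_rsa_sig(s: int, modlen: int, sign_byte: bool) -> bytes:
    """Serialise the RSA signature integer s as the rsa_signature_blob.
    sign_byte=True models an encoder that prepends 0x00 when the top bit is set
    (mpint-style). Constructed illustration of one way a 257-byte blob arises."""
    raw = s.to_bytes(modlen, "big")
    return b"\x00" + raw if sign_byte and raw[0] & 0x80 else raw

def build_signature(s: int, modlen: int, sign_byte: bool = False) -> bytes:
    """Wire format of an ssh-rsa signature: string "ssh-rsa" || string blob."""
    return ssh_string(b"ssh-rsa") + ssh_string(encode_rsa_sig(s, modlen, sign_byte))

def check_rsa_sigblob(sig: bytes, modulus_bits: int):
    """Server-side length check in the style of OpenSSH's ssh_rsa_verify: the
    blob must not exceed the modulus size; a shorter blob is left-padded.
    Returns (ok, message, blob_ready_for_verify)."""
    ktype, blob = parse_ssh_strings(sig)
    if ktype != b"ssh-rsa":
        return False, "ssh_rsa_verify: cannot handle type %r" % ktype, None
    modlen = (modulus_bits + 7) // 8
    if len(blob) > modlen:
        return False, "ssh_rsa_verify: len %d > modlen %d" % (len(blob), modlen), None
    if len(blob) < modlen:
        blob = b"\x00" * (modlen - len(blob)) + blob
    return True, "ok", blob

if __name__ == "__main__":
    # Constructed signature value with the top bit set, as a real 2048-bit RSA
    # signature usually has; no actual signing takes place here.
    s = (1 << 2047) | 0x1234
    print(check_rsa_sigblob(build_signature(s, 256, sign_byte=True), 2048)[1])
    print(check_rsa_sigblob(build_signature(s, 256), 2048)[1])
```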
Date: 2010-11-12 20:30
Sender: John Bradley

Happy to report I've solved my own problem! I used an SQLite client to replace the credential's public and private keys and the private key's password.
Date: 2010-11-12 18:41
Sender: John Bradley

Hello again,

Is this workaround possible with OpenVAS 3? I am running into the same problem, only this time with credentials generated by GSA, and I cannot find a way to override the certificates with the working DSA certs from my OpenVAS 2 setup.

Thanks,
John Bradley
Date: 2010-05-14 19:32
Sender: John Bradley

That did the trick! I wish I had thought about that earlier... Thanks!
Date: 2010-05-14 19:13
Sender: Michael Meyer

Workaround:

Please try with a DSA Key. My user is called openvas in this example.

ssh-keygen -t dsa -f ~/.ssh/id_dsa_openvas -C "OpenVAS-Local-Security-Checks-Key"
openssl pkcs8 -topk8 -v2 des3 -in ~/.ssh/id_dsa_openvas -out ~/.ssh/id_dsa_openvas.p8
chmod 600 ~/.ssh/id_dsa_openvas.p8

Add ~/.ssh/id_dsa_openvas.pub to the /home/openvas/.ssh/authorized_keys on the target machine.

Make sure you are able to login with this key.

ssh -i ~/.ssh/id_dsa_openvas.p8 openvas@<target>

If that works, add in OpenVAS-Client:

SSH public key: ~/.ssh/id_dsa_openvas.pub
SSH private key: ~/.ssh/id_dsa_openvas.p8
SSH key passphrase: Your passphrase

Please let us know if that works for you.
Date: 2010-05-14 14:21
Sender: John Bradley

Looking through the openvas log, I noticed a few things that might be helpful. These are in no particular order, but they occur during scans:

shared_socket: Secret/SSH/socket is unknown (Occurs after each local test returns -1)
shared_socket: shared_socket_release: Secret/SSH/socket not found (8496)
-AND-
shared_socket: shared_socket_release: Secret/SSH/socket not found (17776)

Attached Files:

Changes:

No Changes Have Been Made to This Item
