General Information
This article describes the login methods available for Remote Execution and Zero-Touch inventory methods performed by RayVentory Scan Engine (RVSE) for scanning Linux/UNIX devices.
It's recommended to verify and align the following steps with your subject-matter experts or administrators of your Linux/Unix devices.
RVSE uses the SSH.NET library, which supports the following private key formats:
- RSA in OpenSSL PEM and ssh.com format
- DSA in OpenSSL PEM and ssh.com format
- ECDSA 256/384/521 in OpenSSL PEM format
- ECDSA 256/384/521, ED25519 and RSA in OpenSSH key format
Private keys can be encrypted using one of the following cipher methods:
- DES-EDE3-CBC
- DES-EDE3-CFB
- DES-CBC
- AES-128-CBC
- AES-192-CBC
- AES-256-CBC
For further information, please read the documentation for the library: https://github.com/sshnet/SSH.NET
Username and Password
The simplest way is to create a user and password combination:
1. Create a user (e.g. useradd RayVentory).
2. Set a password for the User (passwd RayVentory).
3. Set permissions as described in these articles:
Remote Execution: RVY200350: Required permission to run remote execution tasks against Linux/UNIX devices
Zero-Touch: RVY200442: Required Permissions for a Zero Touch Inventory of Linux, UNIX, and Mac Devices
4. Add the user to the Credential Store of RVSE.
Important hint: prefer the "Privileged" option and add the elevation password (the password can be left empty if the user has NOPASSWD rights in sudoers).
Superusers such as "root" are commonly not permitted to execute every command without elevated rights!
SSH Key-Based Authentication
This description may need adaptation, depending on whether you are using Windows or another platform.
1. Log in to the Linux/Unix system with the designated user account used for RayVentory
2. Create a local folder .ssh in the user's home directory, if it does not already exist
3. If the file ~/.ssh/authorized_keys does not exist, create it.
The public key will be added to this file later
4. Make sure your sshd configuration and service are set up properly
5. Download puttygen.exe from https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
6. Check the download with your Antivirus tool
7. Start puttygen.exe (screenshot taken from Windows)
8. Start generating a key pair by selecting the [Generate] button
9. Move your mouse around to generate randomness for the key
10. Set a "Key passphrase" for the key. This passphrase is required later for changing the key and generating private keys.
11. Save the public key to a file on disk
12. Copy all data within the public key field and add it to the .ssh/authorized_keys file in the home directory of the RayVentory user on the Linux or Unix machine.
Section highlighted in the following screenshot:
Hint: There are alternative ways of deploying public keys for the "sshd" service.
13. Export the private key as an OpenSSH key and save it
14. Copy the file containing the "OpenSSH" private key to the RVSE server
Enabling RVSE using the private key file
1. Start RVSE
2. Open the Credential Store and create an SSH credential
3. Select Authentication method "Key file"
4. Add the username, the path of the "OpenSSH key file" and the key passphrase
5. Select option "Privileged" and enter the elevation password
Alternatively, you can create the SSH keys directly on a Linux/Unix machine:
1. Create the SSH key with the following command:
ssh-keygen -m PEM -t rsa -b 2048
2. Use the following command to add the public key to the authorized keys of the target machine:
ssh-copy-id <user>@<IP address of the Linux machine>
3. Copy the private key file (located in /home/<user>/.ssh) onto your RVSE server
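Before copying a private key to the RVSE server it is worth confirming that the file is in one of the container formats listed under "General Information" above (and, for OpenSSL PEM keys, encrypted with one of the listed ciphers), since a key exported in PuTTY's own .ppk format or in PKCS#8 is not on that list. The following script is an added example, not part of the RayVentory article or of SSH.NET; it classifies a key file purely from its header lines, never parsing or printing key material, and the sample files it creates are constructed headers only.

```shell
#!/bin/sh
# Added example, not part of the RayVentory article or of SSH.NET: check whether
# a private key file is in one of the container formats (and, for OpenSSL PEM,
# one of the ciphers) the article lists as supported. Only header lines are
# read; no key material is parsed or printed.

# Classify the container format from the first line of the file in $1.
key_format() {
    case "$(head -n 1 "$1")" in
        "-----BEGIN RSA PRIVATE KEY-----") echo "OpenSSL PEM (RSA)" ;;
        "-----BEGIN DSA PRIVATE KEY-----") echo "OpenSSL PEM (DSA)" ;;
        "-----BEGIN EC PRIVATE KEY-----")  echo "OpenSSL PEM (ECDSA)" ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo "OpenSSH" ;;
        "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----") echo "ssh.com" ;;
        PuTTY-User-Key-File-*) echo "PuTTY PPK" ;;
        "-----BEGIN PRIVATE KEY-----"|"-----BEGIN ENCRYPTED PRIVATE KEY-----") echo "PKCS#8" ;;
        *) echo "unknown" ;;
    esac
}

# Formats named in the article's supported list. PuTTY's own .ppk container is
# not among them, which is why the article exports an OpenSSH key from PuTTYgen.
format_supported() {
    case "$1" in
        "OpenSSL PEM (RSA)"|"OpenSSL PEM (DSA)"|"OpenSSL PEM (ECDSA)"|OpenSSH|ssh.com) return 0 ;;
        *) return 1 ;;
    esac
}

# For OpenSSL PEM keys the cipher is announced in a DEK-Info header line;
# print it, or "none" for an unencrypted key. (OpenSSH-format keys keep the
# cipher inside the base64 body, so this check does not apply to them.)
pem_cipher() {
    c=$(sed -n 's/^DEK-Info: *\([^,]*\),.*/\1/p' "$1")
    echo "${c:-none}"
}

# Ciphers from the article's list; "none" covers an unencrypted PEM key.
cipher_supported() {
    case "$1" in
        none|DES-EDE3-CBC|DES-EDE3-CFB|DES-CBC|AES-128-CBC|AES-192-CBC|AES-256-CBC) return 0 ;;
        *) return 1 ;;
    esac
}

# Combined check: exit 0 only if the key file can be loaded according to the
# article's lists; otherwise print the reason and exit 1.
check_key_file() {
    fmt=$(key_format "$1")
    format_supported "$fmt" || { echo "$1: $fmt: format not supported"; return 1; }
    case "$fmt" in
        "OpenSSL PEM"*)
            cph=$(pem_cipher "$1")
            cipher_supported "$cph" || { echo "$1: cipher $cph not supported"; return 1; }
            echo "$1: $fmt, cipher $cph: OK" ;;
        *)  echo "$1: $fmt: OK" ;;
    esac
}

# Demo on constructed header-only files (no real keys) in a temporary directory.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF' > "$demo_dir/rsa_pem.key"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' > "$demo_dir/openssh.key"
printf '%s\n' 'PuTTY-User-Key-File-3: ssh-rsa' > "$demo_dir/putty.ppk"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-256-CTR,0123456789ABCDEF0123456789ABCDEF' > "$demo_dir/rsa_ctr.key"
for f in "$demo_dir"/*; do
    check_key_file "$f" || true
done
rm -rf "$demo_dir"
```

Run it against the file produced by ssh-keygen -m PEM above, or against the OpenSSH export from PuTTYgen, before placing the key on the RVSE server; a "format not supported" result on a .ppk file means the export step was skipped.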
Deploy Public Key file to Linux/Unix systems
After creating a new public key for SSH and completing tests with RVSE, the public key is ready for deployment to all Linux/Unix systems.
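Steps 1 to 4 and 12 of the key-based setup above, and the deployment to all systems described here, come down to the same operation on every target: create the scan account's .ssh directory and authorized_keys file with the permissions sshd's StrictModes requires, and append the public key exactly once. The script below is an added example written for this article, not RayVentory's or the project's own tooling. The key line and the temporary home directory it uses are constructed for the demo; on a real system you would pass the scan user's home directory, its username, and the contents of the public key field from PuTTYgen or the .pub file from ssh-keygen.

```shell
#!/bin/sh
# Added example, not part of the RayVentory article: place a public key into
# the scan account's ~/.ssh/authorized_keys as the article's steps describe,
# with the directory and file permissions sshd expects (StrictModes rejects
# group/world-writable paths), and without duplicating the line on re-runs.
# Run as root or as the scan user itself; the demo below uses a temporary
# directory in place of a real home so it runs without privileges.

# install_authorized_key HOME_DIR OWNER PUBKEY_LINE
#   OWNER is applied with chown only when running as root and the account
#   exists; otherwise ownership is left as-is (a user already owns its home).
install_authorized_key() {
    home_dir=$1; owner=$2; pubkey=$3
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    [ -f "$auth_file" ] || : > "$auth_file"
    chmod 600 "$auth_file"

    # Idempotent append: match the whole line literally (-x -F) so the key is
    # never added twice when the deployment is repeated across systems.
    if ! grep -qxF "$pubkey" "$auth_file"; then
        printf '%s\n' "$pubkey" >> "$auth_file"
    fi

    if [ "$(id -u)" -eq 0 ] && id "$owner" >/dev/null 2>&1; then
        chown "$owner:" "$ssh_dir" "$auth_file"
    fi
}

# verify_authorized_key HOME_DIR PUBKEY_LINE
#   Exit 0 only if the key is present exactly once and the modes are what
#   sshd's StrictModes requires; print what is wrong otherwise. The mode
#   string comes from ls so the check works on both GNU and BSD userlands.
verify_authorized_key() {
    home_dir=$1; pubkey=$2
    ssh_dir="$home_dir/.ssh"; auth_file="$ssh_dir/authorized_keys"
    ok=0
    [ "$(ls -ld "$ssh_dir" | cut -c1-10)" = "drwx------" ] \
        || { echo "$ssh_dir: mode must be 700"; ok=1; }
    [ "$(ls -l "$auth_file" | cut -c1-10)" = "-rw-------" ] \
        || { echo "$auth_file: mode must be 600"; ok=1; }
    n=$(grep -cxF "$pubkey" "$auth_file" || true)
    [ "$n" -eq 1 ] || { echo "$auth_file: key present $n times, expected 1"; ok=1; }
    return $ok
}

# Demo with a constructed key line (a label, not a real key) in a temp dir.
demo_home=$(mktemp -d)
demo_key="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI-constructed-example-key RayVentory@rvse"
install_authorized_key "$demo_home" "$(id -un)" "$demo_key"
install_authorized_key "$demo_home" "$(id -un)" "$demo_key"   # second run must not duplicate
verify_authorized_key "$demo_home" "$demo_key" && echo "authorized_keys deployed correctly"
rm -rf "$demo_home"
```

The verify step is the one to keep in a fleet rollout: a key that was appended with the wrong mode is silently ignored by sshd when StrictModes is on, and the resulting "permission denied" at the RVSE side looks identical to a wrong passphrase. Restricting the key line to the RVSE server's address with sshd's from="..." option is a common hardening of this step that the article does not cover.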