RVY200499: Linux/UNIX remote execution login methods

General Information

This article describes the login methods available for Remote Execution and Zero-Touch inventory methods performed by RayVentory Scan Engine (RVSE) for scanning Linux/UNIX devices.

It is recommended to verify and align the following steps with the subject-matter experts or administrators responsible for your Linux/UNIX devices.

RVSE uses the SSH.NET library, which supports the following private key formats:

  • RSA in OpenSSL PEM and ssh.com format
  • DSA in OpenSSL PEM and ssh.com format
  • ECDSA 256/384/521 in OpenSSL PEM format
  • ECDSA 256/384/521, ED25519 and RSA in OpenSSH key format

Private keys can be encrypted using one of the following cipher methods:

  • DES-EDE3-CBC
  • DES-EDE3-CFB
  • DES-CBC
  • AES-128-CBC
  • AES-192-CBC
  • AES-256-CBC

For further information, please read the documentation for the library: https://github.com/sshnet/SSH.NET

Username and Password

The simplest way is to create a user and password combination:

1. Create a user (e.g. useradd RayVentory).

2. Set a password for the user (passwd RayVentory).

3. Set permissions like mentioned in these articles:
Remote Execution: RVY200350: Required permission to run remote execution tasks against Linux/UNIX devices
Zero-Touch: RVY200442: Required Permissions for a Zero Touch Inventory of Linux, UNIX, and Mac Devices

4. Add the user to the Credentials Store of RVSE.
Important hint: prefer the "privileged" option and add the elevation password (or leave the password empty if the user has NOPASSWD rights).
Superusers like "root" are commonly not permitted to execute every command without elevated rights!

RVSE: [Screenshot: Pic10.png]

SSH Key-Based Authentication

This description may need adaptation depending on whether you are working from Windows or another platform.

1.  Log in to the Linux/UNIX system with the designated user account used for RayVentory.

2.  Create a local folder .ssh in the user's home directory if it does not already exist.

3.  If the file ~/.ssh/authorized_keys does not exist, create it.
    The public key will be added to this file later.

4.  Make sure your sshd configuration and service are set up properly.

5.  Download puttygen.exe from https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

6.  Check the download with your Antivirus tool

7.  Start puttygen.exe (screenshot taken from Windows).

[Screenshot: blobid1.png]

8.  Start generating a public key by selecting the [Generate] button

9.  Move your mouse around to randomly generate the key

10. Set a "Key passphrase" for the key. This passphrase is required later
     for changing the key and generating private keys.

11. Save the public key as file to disk

12. Copy all data within the public key field and add it to the ~/.ssh/authorized_keys file
     in the home directory of the RayVentory user on the Linux or UNIX machine.
     The relevant section is highlighted in the following screenshot:

[Screenshot: blobid2.png]

Hint: Public keys can also be deployed to the "sshd" service by other means.

13. Export the private key as an OpenSSH key and save it.

[Screenshot: Pic11.png]

14. Copy the file containing the "OpenSSH" private key to the RVSE server.

Enabling RVSE using the private key file

1. Start RVSE
2. Open the Credential Store and create an SSH credential
3. Select Authentication method "Key file"
4. Add the Username, path of the "OpenSSH key file" and Key passphrase
5. Select option "Privileged" and enter the elevation password

[Screenshot: Pic12.png]

Alternatively, you can create the SSH key pair directly on a Linux/UNIX machine:

1. Create the SSH key with the following command:

ssh-keygen -m PEM -t rsa -b 2048

2. Use the following command to add the public key to the authorized keys on the target machine:

ssh-copy-id <user>@<IP address of the Linux machine>

3. Copy the private key file (located in /home/<user>/.ssh) onto your RVSE server.
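The Linux-side steps of both key-based procedures above (creating .ssh and authorized_keys with the permissions sshd expects, adding the public key once, generating the PEM key pair with the ssh-keygen command shown, and checking that a private key is in one of the formats and ciphers the SSH.NET list allows) are collected in the following script. It is an added example and not part of the RayVentory article or the SSH.NET project; it assumes a POSIX shell with grep, sed and stat, takes the home directory as a parameter, and uses a constructed public-key line in place of the text copied from PuTTYgen. All function names are illustrative.

```shell
#!/bin/sh
# Added example, not part of the RayVentory article.
# Prepares and checks the Linux-side pieces of SSH key-based login for a scan
# account. Assumptions: POSIX sh with grep/sed/stat; the account's home
# directory is passed in; the public-key line is the "ssh-rsa AAAA..." text
# copied from PuTTYgen or from id_rsa.pub. Function names are illustrative.

# Validate one authorized_keys line: a key type from the article's list
# (ssh-dss is listed there but is disabled by default in modern OpenSSH
# servers), followed by a base64 blob and an optional comment.
validate_pubkey_line() {
    line=$1
    case "$line" in
        'ssh-rsa '*|'ssh-dss '*|'ssh-ed25519 '*) ;;
        'ecdsa-sha2-nistp256 '*|'ecdsa-sha2-nistp384 '*|'ecdsa-sha2-nistp521 '*) ;;
        *) return 1 ;;
    esac
    blob=${line#* }          # drop the key type
    blob=${blob%% *}         # drop the trailing comment, if any
    printf '%s\n' "$blob" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'
}

# Create ~/.ssh and authorized_keys with the permissions sshd's default
# StrictModes expects (directory 700, file 600) and append the key exactly once.
install_authorized_key() {
    home_dir=$1
    key_line=$2
    validate_pubkey_line "$key_line" || { echo "rejected malformed key line" >&2; return 1; }
    mkdir -p "$home_dir/.ssh"
    chmod 700 "$home_dir/.ssh"
    keyfile="$home_dir/.ssh/authorized_keys"
    [ -f "$keyfile" ] || : > "$keyfile"
    chmod 600 "$keyfile"
    grep -qxF "$key_line" "$keyfile" && return 0   # already present: idempotent
    printf '%s\n' "$key_line" >> "$keyfile"
}

# Number of times a key line occurs (lets an operator confirm no duplicates).
count_key() {
    grep -cxF "$2" "$1/.ssh/authorized_keys"
}

# Octal permission bits (GNU stat first, BSD/macOS stat as fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Classify a private key file by its first line, matching the container
# formats the article says SSH.NET reads (OpenSSH, OpenSSL PEM, ssh.com).
key_format_of() {
    case "$(head -n 1 "$1")" in
        '-----BEGIN OPENSSH PRIVATE KEY-----')        echo openssh ;;
        '-----BEGIN RSA PRIVATE KEY-----')            echo pem-rsa ;;
        '-----BEGIN DSA PRIVATE KEY-----')            echo pem-dsa ;;
        '-----BEGIN EC PRIVATE KEY-----')             echo pem-ecdsa ;;
        '---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----') echo ssh.com ;;
        *) echo unknown; return 1 ;;
    esac
}

# For an encrypted OpenSSL PEM key the DEK-Info header names the cipher; it
# must be one of those listed in the article (AES-128-CBC, DES-EDE3-CBC, ...).
pem_cipher_of() {
    sed -n 's/^DEK-Info: *\([^,]*\),.*/\1/p' "$1" | head -n 1
}

# The article's ssh-keygen variant: a 2048-bit RSA key in PEM format. With a
# non-empty passphrase current OpenSSH encrypts the PEM with AES-128-CBC
# (assumption about OpenSSH behaviour; check DEK-Info with pem_cipher_of).
generate_pem_key() {
    ssh-keygen -q -m PEM -t rsa -b 2048 -N "$2" -C "rayventory-scan" -f "$1"
}

# Demo against a throwaway home directory with a constructed key line
# (the base64 blob is NOT a real key) and a constructed PEM header.
DEMO_HOME=${TMPDIR:-/tmp}/rvse_demo_$$
mkdir -p "$DEMO_HOME"
DEMO_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedExampleNotARealKey== rayventory@scanner'
install_authorized_key "$DEMO_HOME" "$DEMO_KEY"
install_authorized_key "$DEMO_HOME" "$DEMO_KEY"      # second run must not duplicate
echo "entries: $(count_key "$DEMO_HOME" "$DEMO_KEY")"
echo ".ssh: $(perm_of "$DEMO_HOME/.ssh"), authorized_keys: $(perm_of "$DEMO_HOME/.ssh/authorized_keys")"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF' > "$DEMO_HOME/constructed.pem"
echo "format: $(key_format_of "$DEMO_HOME/constructed.pem"), cipher: $(pem_cipher_of "$DEMO_HOME/constructed.pem")"
rm -rf "$DEMO_HOME"
```

Run the script as-is to see the demo against a temporary directory; to produce a real key pair for RVSE, call generate_pem_key with an output path and passphrase and then copy only the private key file to the RVSE server, as step 3 describes. The 700/600 permissions matter because sshd with its default StrictModes setting ignores an authorized_keys file that is writable by other users, which is a common reason key-based logins silently fall back to password prompts.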

 

Deploy Public Key file to Linux/Unix systems

After creating a new public key for SSH and completing tests with RVSE, the public key is ready for deployment to all Linux/UNIX systems.