The recommended way of authenticating to Linux systems is by using public/private keys. The following instructions describe how to create keys for authenticating and configure the F-Secure Elements Security Center for Linux authenticated scanning using keys.
-
- Log on to the Linux system with the F-Secure Elements Vulnerability Management user account and create a new key pair using the following command:
ssh-keygen -t rsa -b 4096 -f targetKey
We recommend protecting the key with a passphrase.
Note: The file name of the private key must include the .pem extension. The key is generated in the correct format, so you only have to rename the file to add the extension: mv targetKey targetKey.pem.
-
- Use the following command to add the new public key to the authorized_keys file:
cd /home/radar-user/.ssh
touch authorized_keys
chmod 600 authorized_keys
cat targetKey.pub >> authorized_keys
Note: To use the same key on several systems, you need to copy targetKey.pub there and repeat this step on each target.
-
- Verify that the key-based authentication works by logging in from a different system using the private key targetKey.pem.
You can do this on Windows machines with the PuTTY app or on Linux by running the following command: ssh -i targetKey.pem radar-user@<target-ip>.
Assuming the Linux systems have been configured to allow authentication by keys, you only need to configure the F-Secure Elements Security Center to use the keys.
- In the F-Secure Elements Security Center, go to Templates and open the Network scan templates tab.
- Create a new scan template or edit an existing one.
- Enable Linux authenticated scanning using keys as authentication method, and specify the SSH port, encryption key, and the username and passphrase (optional).
- Save the template.
- In the F-Secure Elements Security Center, go to Network scans and in the Group view, find the scan group that you want to set up for authenticated scanning.
- Click the menu icon and select Edit scan group.
- Configure the scan group to use the scan node and template that has been prepared for Linux authenticated scanning.
- Save the changes.
If everything has been configured correctly, it is now possible to scan Linux systems using an authenticated context.