Ah I see that George is DEEP on this list :) Thanks for your support I'm sure that we all could use 500 other people like you answering questions.
-----Original Message-----
From: George Theall [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 26, 2003 8:53 AM
To: JC
Cc: [EMAIL PROTECTED]
Subject: Re: Openssl RSA private key passphrase support question

On Mon, Mar 24, 2003 at 11:53:35PM -0800, JC wrote:
> Maybe I'm just silly, but from what I can see there doesn't seem to be
> any private key encryption used. If this is the case can someone help me
> understand why private key encryption is not being used?

<BEGIN ORIGINAL>
My feeling is that nessus-mkcert and nessus-mkcert-client are relatively simple hacks to help secure communications between client and server rather than provide for a full-blown public key infrastructure.
</BEGIN ORIGINAL>

I'm happy you feel that way; I was somewhat asking about a design decision. I can see from the mailing list archives, and just from some of the questions that you've answered, that we have a lot of incapable people out there in regard to x509-based PKI (see http://msgs.securepoint.com/cgi-bin/get/nessus-0007/60.html). If I would have got a remark from Renaud or one of the other developers specifying that, based on their initial usability tests of 1_x_x, Nessus users couldn't wrap their minds around x509-based PKI, and that allowing for more complex situations would benefit only a few seasoned pros, in effect alienating the people they were trying to help, so things like support for private key pass phrase(s) (not "passwords") were never asked for and thus never added, then I would have been sufficiently happy.

<BEGIN ORIGINAL>
If you're *really* concerned about security, you'll purchase / roll your own PKI. This way, you don't worry about things like the private key for the CA, as generated by nessus-mkcert, lacking a password!
</BEGIN ORIGINAL>

There is this cool trick, you see; all you need to do to test this out is to use the openssl utility. It's really easy:

openssl rsa -in key_[user].pem -des3 -out key_[user].pem

Then type in a pass phrase, and verify it. Now you have a crypted private key ;)

If you just build Nessus from scratch, you run nessus-mkcert, then you run nessus-mkcert-client. Everything works, and you go to the /tmp folder with the files and crypt your key with the command above. Then you specify your key_file and cert_file in your .nessusrc and try to connect to the server, and you'll get something like this:

[$PREFIX]/nessus/users/[username]/auth/password: No such file or directory

You'll scratch your head and wonder why; then you'll strace the thing and you'll see something like:

<BEGIN STRACE>
fstat64(7, {st_mode=S_IFREG|0600, st_size=4351, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4002d000
read(7, "Certificate:\n Data:\n V"..., 4096) = 4096
read(7, "\nLm5hc2EuZ292MAkGA1UdEgQCMAAwDQY"..., 4096) = 255
brk(0x8187000) = 0x8187000
brk(0x8188000) = 0x8188000
close(7) = 0
munmap(0x4002d000, 4096) = 0
open("/root/key_[user].pem", O_RDONLY) = 7
fstat64(7, {st_mode=S_IFREG|0600, st_size=951, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4002d000
read(7, "-----BEGIN RSA PRIVATE KEY-----\n"..., 4096) = 951
getpid() = 24823
getpid() = 24823
getpid() = 24823
close(7) = 0
munmap(0x4002d000, 4096) = 0
</BEGIN STRACE>

The problem is that the --help and the man page for the nessus CLI client don't provide for the specification of a private key pass phrase, so even if I would have "purchase / roll your own PKI" and provided for private key pass phrase support, it still wouldn't work. I possibly would be out money and still have this problem. I didn't want an opinion, although I would have taken one; what I was looking for was 'specify the pass phrase at the command line with the -k option, or specify private_key_passphrase = "somevery_very-very-very-very-very-very Secure passphrase" in your .nessusrc'. Even the classic "Duly noted" would have been sufficient.

JC
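The openssl trick from the message above, as an added shell example that is not part of this thread or of Nessus: it generates a throwaway key (standing in for the one nessus-mkcert-client leaves in /tmp), encrypts it with -des3 non-interactively, and then verifies that the file carries an encryption header and only loads with the right passphrase. File names and the passphrase are constructed; it assumes the openssl CLI is on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread or from Nessus. Assumes `openssl` is
# installed; the key file and passphrase below are constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for key_[user].pem as written by nessus-mkcert-client.
openssl genrsa -out "$WORK/key_user.pem" 2048 2>/dev/null

# Encrypt a PEM private key in place with Triple-DES, as in the thread, but
# supply the passphrase via -passout instead of typing it. Writing to a temp
# file and renaming avoids truncating the key if openssl fails part-way.
encrypt_key() {  # $1 = key file, $2 = passphrase
    openssl rsa -in "$1" -des3 -passout "pass:$2" -out "$1.tmp" 2>/dev/null \
        && mv "$1.tmp" "$1"
}

# Succeed if the PEM carries an encryption header: the legacy "Proc-Type"
# form or the PKCS#8 "ENCRYPTED PRIVATE KEY" form newer openssl emits.
key_is_encrypted() {  # $1 = key file
    grep -Eq 'Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Succeed only if the key parses with the supplied passphrase.
key_opens_with() {  # $1 = key file, $2 = passphrase
    openssl rsa -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

demo() {  # $1 = key file
    key_is_encrypted "$1" && { echo "fresh key unexpectedly encrypted"; return 1; }
    encrypt_key "$1" 'correct horse battery staple'
    key_is_encrypted "$1" || { echo "key is still stored in the clear"; return 1; }
    key_opens_with "$1" 'correct horse battery staple' || return 1
    key_opens_with "$1" 'wrong passphrase' && return 1
    echo "$1 is now passphrase-protected; a client with no way to pass the"
    echo "passphrase (the nessus CLI client in this thread) cannot load it"
}

demo "$WORK/key_user.pem"
```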
