On Mon, Dec 15, 2003 at 03:33:58PM +0000, Mark Watts wrote:
> - I have nessusd installed - Mandrake's packages appear to have already
> created a server certificate; how can I verify this?
I'm not familiar with Mandrake so here's what I would do:
As root, run the following command: "nessusd -s". This causes nessusd
to read its config file and display settings in effect. First, look for
the variable ssl_version, which may or may not exist. If it does, it
should not be "none". Then, make sure the following three variables are
set and point to files that exist on your host: cert_file, key_file, and
ca_file. These refer respectively to the server's certificate and
private key as well as the certificate authority (CA)'s certificate.
You should probably also think about whether you want to require all
users to authenticate with a certificate. If you do, then set
force_pubkey_auth to yes in nessusd.conf and restart your daemon.
> - I want to create a certificate for a client - nessus-mkcert-client is
> apparently the tool for this; what do I do with the certificate once it's
> generated, and should I be generating this on the client box or the server
> box?
There's some potential for confusion here -- both nessus-adduser and
nessus-mkcert-client are capable of creating certificates, although the
certificates created by the former are slightly wrong -- and some
potential pitfalls too. I'd recommend using nessus-mkcert-client to add
users and generate their certs.
You'll need to run nessus-mkcert-client as root on the host running the
server. The script will prompt you for various information used to
create certificates -- first default answers and then answers for each
user. When finished, the script will report something like:
  Your client certificates are in /tmp/nessus-mkcert.19168
  You will have to copy them by hand
The files of interest in that directory will be key_${user}.pem and
cert_${user}.pem, which are the private key and certificate for the user
${user}. For each user you've created, give her the two files. When
finished, delete the directory nessus-mkcert-client left behind.
A couple of notes:
1) The private keys created by nessus-mkcert-client are *NOT* encrypted,
which means that anyone who gets hold of the private key can masquerade
as the user, at least in terms of authenticating to Nessus. If you want
or your users want to protect keys, have the user do something like the
following:
  openssl rsa -in key_${user}.pem -des3 -out new_${user}.pem && \
  mv new_${user}.pem key_${user}.pem
and enter a good passphrase when requested. [If the user doesn't have a
shell account, you can do it for her, just let her enter the
passphrase.]
2) If the user intends to use NessusWX, have her run:
  cp cert_${user}.pem cert_nessuswx_${user}.pem
  cat key_${user}.pem >> cert_nessuswx_${user}.pem
and transfer that to her PC (in text mode) for import into NessusWX. If
you encrypt the private key first, then she will need to use the
passphrase when connecting with NessusWX.
3a) There will need to be a copy of the CA cert on every unix host that
wishes to connect to the server. For example, to ease maintenance, you
could put the file cacert.pem in /usr/local/com/nessus/CA.
3b) If the user intends to use the unix nessus client, have the user
install the two files in a directory such as ~/.nessus-certs. Make sure
that she owns those files and that she makes them inaccessible to
others. And have her add lines to her nessus config file(s) to point
ca_file, cert_file, and key_file to the CA certificate, her certificate,
and her private key respectively.
> - How should I be testing that nessus(d) is working with the certificate I
> create? (I assume I need to create a specific nessus user at some point?)
Yes, you'll need to add at least one user to test this. To test it, you
could use tcpdump from the client or server end to verify that packets
are indeed encrypted.
You might also want to play with generating an alternate server
certificate and seeing what happens when you try to connect from your
clients, although if you do this you'll want to create backups of the CA
and server keys and certs first or you'll have to regenerate all your
client keys and certs.
While I hope this helps, I'd be surprised if I haven't left out one
thing or muddled another so feel free to ask additional questions.
George
--
[EMAIL PROTECTED]
_______________________________________________
Nessus mailing list
[EMAIL PROTECTED]
http://mail.nessus.org/mailman/listinfo/nessus
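An added example, not part of George's mail or of the Nessus tools: a small POSIX shell checker for the two things the reply tells the reader to verify, namely that the settings in effect enable TLS and point cert_file, key_file and ca_file at existing files, and that a client private key has actually been passphrase-protected after the openssl rsa step. It assumes (this is not stated in the mail) that "nessusd -s" prints one "name = value" per line, so its output is saved to a file and parsed from there, and it relies on the "Proc-Type: 4,ENCRYPTED" header that OpenSSL writes into encrypted PEM keys. The settings dumps and key files it checks are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original mail or from Nessus). Assumptions:
# "nessusd -s" output was saved as "name = value" lines; OpenSSL marks an
# encrypted PEM private key with a "Proc-Type: 4,ENCRYPTED" header.

# cfg_get FILE NAME -> prints the value of NAME from a "name = value" dump,
# or nothing if NAME is absent.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_ssl_settings FILE
# Returns 0 when ssl_version is absent or not "none" and cert_file, key_file
# and ca_file are all set and name existing files; otherwise reports each
# problem on stderr and returns 1.
check_ssl_settings() {
    cfg="$1"; rc=0
    ssl_version=$(cfg_get "$cfg" ssl_version)
    if [ "$ssl_version" = "none" ]; then
        echo "ssl_version is none: TLS is disabled" >&2; rc=1
    fi
    for name in cert_file key_file ca_file; do
        path=$(cfg_get "$cfg" "$name")
        if [ -z "$path" ]; then
            echo "$name is not set" >&2; rc=1
        elif [ ! -f "$path" ]; then
            echo "$name points to a missing file: $path" >&2; rc=1
        fi
    done
    return $rc
}

# key_is_encrypted KEYFILE -> 0 if the PEM carries OpenSSL's encryption header.
key_is_encrypted() {
    grep -q '^Proc-Type: 4,ENCRYPTED' "$1"
}

# make_demo -> writes a constructed good and bad settings dump plus a plain
# and an "encrypted" key file (sample text only, not real keys) into a temp
# directory and prints that directory.
make_demo() {
    d=$(mktemp -d)
    : > "$d/cacert.pem"; : > "$d/servercert.pem"; : > "$d/serverkey.pem"
    cat > "$d/settings.good" <<EOF
ssl_version = tlsv1
cert_file = $d/servercert.pem
key_file = $d/serverkey.pem
ca_file = $d/cacert.pem
force_pubkey_auth = yes
EOF
    # key_file missing, ca_file pointing nowhere, TLS switched off
    cat > "$d/settings.bad" <<EOF
ssl_version = none
cert_file = $d/servercert.pem
ca_file = $d/missing.pem
EOF
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed' \
        '-----END RSA PRIVATE KEY-----' > "$d/key_plain.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' '' 'constructed' \
        '-----END RSA PRIVATE KEY-----' > "$d/key_enc.pem"
    echo "$d"
}

demo=$(make_demo)
check_ssl_settings "$demo/settings.good" && echo "settings.good: TLS settings OK"
check_ssl_settings "$demo/settings.bad" || echo "settings.bad: rejected"
key_is_encrypted "$demo/key_enc.pem" && echo "key_enc.pem: passphrase-protected"
key_is_encrypted "$demo/key_plain.pem" || echo "key_plain.pem: NOT protected"
rm -rf "$demo"
```

On a real server you would run "nessusd -s > /tmp/settings" as root and call check_ssl_settings on that file, and run key_is_encrypted on each key_${user}.pem before handing it to the user; a key that fails the second check is the unprotected key the mail warns about.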
