-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> On Mon, Dec 15, 2003 at 03:33:58PM +0000, Mark Watts wrote:
> > - I have nessusd installed - Mandrake's packages appear to have already
> > created a server certificate; how can I verify this?
>
> I'm not familiar with Mandrake so here's what I would do:
>
> As root, run the following command: "nessusd -s".  This causes nessusd
> to read its config file and display settings in effect.  First, look for
> the variable ssl_version, which may or may not exist.  If it does, it
> should not be "none".  Then, make sure the following three variables are
> set and point to files that exist on your host: cert_file, key_file, and
> ca_file.  These refer respectively to the server's certificate and
> private key as well as the certificate authority (CA)'s certificate.
>
> You should probably also think about whether you want to require all
> users to authenticate with a certificate.  If you do, then set
> force_pubkey_auth to yes in nessusd.conf and restart your daemon.
>
> > - I want to create a certificate for a client - nessus-mkcert-client is
> > apparently the tool for this; what do I do with the certificate once it's
> > generated, and should I be generating this on the client box or the
> > server box?
>
> There's some potential for confusion here -- both nessus-adduser and
> nessus-mkcert-client are capable of creating certificates, although the
> certificates created by the former are slightly wrong -- and some
> potential pitfalls too.  I'd recommend using nessus-mkcert-client to add
> users and generate their certs.
>
> You'll need to run nessus-mkcert-client as root on the host running the
> server.  The script will prompt you for various information used to
> create certificates -- first default answers and then answers for each
> user.  When finished, the script will report something like:
>
>     Your client certificates are in /tmp/nessus-mkcert.19168
>     You will have to copy them by hand
>
> The files of interest in that directory will be key_${user}.pem and
> cert_${user}.pem, which are the private key and certificate for the user
> ${user}.  For each user you've created, give her the two files.  When
> finished, delete the directory nessus-mkcert-client left behind.
> A couple of notes:
>
> 1) The private keys created by nessus-mkcert-client are *NOT* encrypted,
> which means that anyone who gets hold of the private key can masquerade
> as the user, at least in terms of authenticating to Nessus.  If you want
> or your users want to protect keys, have the user do something like the
> following:
>
>     openssl rsa -in key_${user}.pem -des3 -out new_${user}.pem && \
>         mv new_${user}.pem key_${user}.pem
>
> and enter a good passphrase when requested.  [If the user doesn't have a
> shell account, you can do it for her, just let her enter the
> passphrase.]
>
> 2) If the user intends to use NessusWX, have her run:
>
>     cp cert_${user}.pem cert_nessuswx_${user}.pem
>     cat key_${user}.pem >> cert_nessuswx_${user}.pem
>
> and transfer that to her PC (in text mode) for import into NessusWX.  If
> you encrypt the private key first, then she will need to use the
> passphrase when connecting with NessusWX.
>
> 3a) There will need to be a copy of the CA cert on every unix host that
> wishes to connect to the server.  For example, to ease maintenance, you
> could put the file cacert.pem in /usr/local/com/nessus/CA.
>
> 3b) If the user intends to use the unix nessus client, have the user
> install the two files in a directory such as ~/.nessus-certs.  Make sure
> that she owns those files and that she makes them inaccessible to
> others.  And have her add lines to her nessus config file(s) to point
> ca_file, cert_file, and key_file to the CA certificate, her certificate,
> and her private key respectively.
>
> > - How should I be testing that nessus(d) is working with the certificate
> > I create? (I assume I need to create a specific nessus user at some
> > point?)
>
> Yes, you'll need to add at least one user to test this.  To test it, you
> could use tcpdump from the client or server end to verify that packets
> are indeed encrypted.
>
> You might also want to play with generating an alternate server
> certificate and seeing what happens when you try to connect from your
> clients, although if you do this you'll want to create backups of the CA
> and server keys and certs first or you'll have to regenerate all your
> client keys and certs.
>
> While I hope this helps, I'd be surprised if I haven't left out one
> thing or muddled another so feel free to ask additional questions.
>
>
> George

This is really useful stuff - thanks for going through it...

Any chance you can give me a hint as to what answers to give when using
nessus-mkcert-client? The first question is asking for a 'nessus server
"private" directory' - is this /etc/nessus?

Cheers,

Mark.

-- 
Mark Watts
Senior Systems Engineer
QinetiQ TIM
St Andrews Road, Malvern
GPG Public Key ID: 455420ED

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/3xqvBn4EFUVUIO0RAjy+AJ9V+lAu6Ct5mpoEobF8B1a4hXHX4QCaA3Q+
SdR9MxdUhsHnqMXs8MHC6yE=
=FkIa
-----END PGP SIGNATURE-----

_______________________________________________
Nessus mailing list
[EMAIL PROTECTED]
http://mail.nessus.org/mailman/listinfo/nessus
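The checks George walks through above (ssl_version not "none", cert_file/key_file/ca_file pointing at real files, client keys encrypted and locked down) can be scripted. The following is an added example, not code from the thread or from the Nessus project: it assumes `nessusd -s` prints one "name = value" pair per line, and every file, path and value it creates is constructed so the checks run offline against a throwaway directory.

```shell
#!/bin/sh
# Added example (not from the thread): scripted versions of the sanity
# checks described for nessusd's SSL settings and for client key files.

# make_fixture: build a temporary directory holding constructed PEM files and
# a constructed settings dump in the assumed "name = value" format of
# `nessusd -s`. Prints the directory path.
make_fixture() {
    dir=$(mktemp -d) || return 1
    printf -- '-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n' \
        > "$dir/servercert.pem"
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nMIIC...constructed...\n-----END RSA PRIVATE KEY-----\n' \
        > "$dir/serverkey.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n' \
        > "$dir/cacert.pem"
    cat > "$dir/settings.txt" <<EOF
ssl_version = tlsv1
cert_file = $dir/servercert.pem
key_file = $dir/serverkey.pem
ca_file = $dir/cacert.pem
force_pubkey_auth = yes
EOF
    printf '%s\n' "$dir"
}

# setting FILE NAME: print the value of NAME from a settings dump (first match).
setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_ssl_settings FILE: succeed only when ssl_version is present and not
# "none", and cert_file, key_file and ca_file all name readable files.
check_ssl_settings() {
    ver=$(setting "$1" ssl_version)
    if [ -z "$ver" ] || [ "$ver" = none ]; then
        echo "ssl_version is missing or set to none"
        return 1
    fi
    for name in cert_file key_file ca_file; do
        path=$(setting "$1" "$name")
        if [ -z "$path" ]; then
            echo "$name is not set"
            return 1
        fi
        if [ ! -r "$path" ]; then
            echo "$name points at a missing or unreadable file: $path"
            return 1
        fi
    done
    return 0
}

# key_is_encrypted FILE: succeed when the PEM private key carries the
# "ENCRYPTED" marker that `openssl rsa -des3` (and PKCS#8 encryption) writes;
# a key straight out of nessus-mkcert-client lacks it.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# check_client_key FILE: succeed when the caller owns the key file and group
# and others have no permission bits at all (i.e. mode 600 or tighter).
# `[ -O ]` is a common sh extension (dash and bash both support it).
check_client_key() {
    if [ ! -O "$1" ]; then
        echo "$1 is not owned by you"
        return 1
    fi
    perms=$(ls -l "$1" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$1 is accessible to group/others; chmod 600 it"
        return 1
    fi
    return 0
}
```

Run `check_ssl_settings` against the real output of `nessusd -s` redirected to a file, and `check_client_key` plus `key_is_encrypted` against each user's key_${user}.pem before handing it over; a plaintext key that passes the permission check is still only as safe as the host it sits on, which is why the encryption step above is worth the passphrase.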
