Mailing List Archive

Nessus user authentication
Silly question - the nessus user authentication seems a bit last minute
to me, is this deliberate, or is it planned this way...

My issue is that I have a server which runs nessusd and has several
people connecting through via the various nessus clients, of course I'd
like to password these (allow flexibility etc)... nessus-adduser allows
me to assign a password but not change it -- or allow the users to
change their own passwords.

Is there a reason why nessus users are designed like this?

I have patched a test version of nessusd on my system to use PAM to
authenticate with the OS passwords (and will continue to do a cron-like
allow/deny list); should I release this for the Nessus source?

thanks

dave
Re: Nessus user authentication [ In reply to ]
"David Lodge" <dave@cirt.net> writes:

> nessus-adduser allows me to assign a password but not change it --
> or allow the users to change their own passwords.

> Is there a reason why nessus users are designed like this?

No
We could easily write a nessus-passwd command from nessus-adduser.
Re: Nessus user authentication [ In reply to ]
> > Is there a reason why nessus users are designed like this?
> No
> We could easily write a nessus-passwd command from nessus-adduser.

That's no problem -- and I could probably code one quite quickly
(after all it's only md5 hashes and it's written in shell)...

But, on the other side; would it be an idea to allow OS (ie PAM)
authentication as a user option?

dave
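The nessus-passwd command proposed above, sketched as an added example that is not part of this thread or of Nessus' own source; it assumes a users file made of `login:md5hex` lines (a constructed layout, not Nessus' real one) and a POSIX shell with md5sum, awk and mktemp available:

```shell
#!/bin/sh
# Hypothetical nessus-passwd: change the password of an EXISTING user only.
# Adding accounts stays nessus-adduser's job, so the explicit user list keeps
# acting as the authorization boundary for who may scan.

md5_of() {
    # Unsalted MD5 of the password, mirroring the digest-in-shell approach the
    # thread describes (weak by modern standards; used here only to match it).
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

user_exists() {
    # $1 = users file, $2 = login. Exact match on the first colon-separated field.
    awk -F: -v u="$2" '$1 == u { found = 1 } END { exit !found }' "$1"
}

nessus_passwd() {
    # $1 = users file, $2 = login, $3 = new password. Returns 1 for unknown users.
    file=$1; login=$2; newpw=$3
    user_exists "$file" "$login" || { echo "no such user: $login" >&2; return 1; }
    hash=$(md5_of "$newpw")
    tmp=$(mktemp)
    # Rewrite only the matching line; every other line is copied verbatim.
    awk -F: -v u="$login" -v h="$hash" 'BEGIN { OFS = ":" } $1 == u { $2 = h } { print }' \
        "$file" > "$tmp"
    mv "$tmp" "$file"
}

check_password() {
    # $1 = users file, $2 = login, $3 = candidate password. 0 on match, 1 otherwise.
    stored=$(awk -F: -v u="$2" '$1 == u { print $2 }' "$1")
    [ -n "$stored" ] && [ "$stored" = "$(md5_of "$3")" ]
}

demo() {
    # Constructed sample users file in a temp location so this runs offline.
    f=$(mktemp)
    printf 'dave:%s\nvictor:%s\n' "$(md5_of oldpw)" "$(md5_of other)" > "$f"
    nessus_passwd "$f" dave newpw && check_password "$f" dave newpw \
        && echo "dave: new password accepted"
    rm -f "$f"
}
demo
```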
RE: Nessus user authentication [ In reply to ]
> > > Is there a reason why nessus users are designed like this?
> > No
> > We could easily write a nessus-passwd command from nessus-adduser.
>
> That's no problem -- and I could probably code one quite quickly
> (after all it's only md5 hashes and it's written in shell)...
>
> But, on the other side; would it be an idea to allow OS (ie PAM)
> authentication as a user option?

I think that PAM authentication is a good idea - it will allow the use of not only
OS accounts but also centralized account management via LDAP, etc.

Best regards,
Victor
Re: Nessus user authentication [ In reply to ]
On Fri, Sep 13, 2002 at 07:22:24AM -0400, David Lodge wrote:
> > > Is there a reason why nessus users are designed like this?
> > No
> > We could easily write a nessus-passwd command from nessus-adduser.
>
> That's no problem -- and I could probably code one quite quickly
> (after all it's only md5 hashes and it's written in shell)...
>
> But, on the other side; would it be an idea to allow OS (ie PAM)
> authentication as a user option?

I don't really like it. The reason is that this way, anyone with a shell
will get the right to scan with Nessus.

What we could do though, would be to change nessus-adduser to allow the
use of PAM as a method of authentication. This way, users _have_ to be
explicitly added, but password management is easy.


-- Renaud
Re: Nessus user authentication [ In reply to ]
"David Lodge" <dave@cirt.net> writes:

> But, on the other side; would it be an idea to allow OS (ie PAM)
> authentication as a user option?

This would mean that any user has the right to scan machines on the
network. Or we would need a specific PAM module, which would look into
the Nessus database. Not great.