I am supporting a sysadmin with 70 OSX workstations and servers. I
have installed Nessus 3.2.1 client and server on the admin host. I
can reliably perform a Local Security Check on some OSX boxes and
not others. They are all either Tiger (10.4.11) or Leopard
(10.5.5). I have tried both SSH username/passwords and public/
private keys authentication with identical results. In addition, I
can always connect with "ssh" directly with either username/password
and Pub/private keys.
Even though my "ssh/sshd" is current (OpenSSH 5.1), possibly Nessus
itself is using its own "ssh" client internal to Nessus itself.
Maybe there is a problem there.
I think I have followed the "Nessus Credential Checks for Unix and
Windows" exactly. But obviously something is wrong. I'm open to any
ideas.
Thanks
Ron
backvan@mac.com
------------------------------------------------------------------------
Here's a dump of the failed login from /var/log/secure.log using PKI
Nov 5 10:57:47 clusterg4-350-5 sshd[2952]: reverse mapping checking
getaddrinfo for host.company.netl [172.17.119.27] failed - POSSIBLE
BREAK-IN ATTEMPT!
Nov 5 10:57:47 clusterg4-350-5 sshd[2952]: Accepted publickey for
zeus from 172.17.119.27 port 61466 ssh2
Nov 5 10:57:47 clusterg4-350-5 sshd[2952]: error: BSM audit:
bsm_audit_session_setup: setaudit_addr failed: Function not implemented
Nov 5 11:01:41 clusterg4-350-5 sshd[2958]: Did not receive
identification string from 172.17.119.27
Nov 5 11:01:41 clusterg4-350-5 sshd[2959]: Did not receive
identification string from 172.17.119.27
Nov 5 11:01:41 clusterg4-350-5 sshd[2960]: Did not receive
identification string from 172.17.119.27
Nov 5 11:01:42 clusterg4-350-5 sshd[2961]: Did not receive
identification string from 172.17.119.27
Nov 5 11:01:42 clusterg4-350-5 sshd[2962]: Did not receive
identification string from 172.17.119.27
Nov 5 11:01:43 clusterg4-350-5 sshd[2963]: Did not receive
identification string from 172.17.119.27
Nov 5 11:01:44 clusterg4-350-5 sshd[2964]: Did not receive
identification string from 172.17.119.27
Nov 5 11:01:44 clusterg4-350-5 sshd[2965]: Did not receive
identification string from 172.17.119.27
Nov 5 11:02:14 clusterg4-350-5 sshd[2969]: Did not receive
identification string from 172.17.119.27
Nov 5 11:02:34 clusterg4-350-5 sshd[2976]: Protocol major versions
differ for 172.17.119.27: SSH-2.0-OpenSSH_5.1 vs. SSH-9.9-NessusSSH_1.0
Nov 5 11:02:34 clusterg4-350-5 sshd[2978]: Protocol major versions
differ for 172.17.119.27: SSH-2.0-OpenSSH_5.1 vs. SSH-1.33-NessusSSH_1.0
Nov 5 11:02:34 clusterg4-350-5 sshd[2980]: Protocol major versions
differ for 172.17.119.27: SSH-2.0-OpenSSH_5.1 vs. SSH-1.5-NessusSSH_1.0
Nov 5 11:02:44 clusterg4-350-5 sshd[2975]: Did not receive
identification string from 172.17.119.27
Nov 5 11:02:45 clusterg4-350-5 sshd[2995]: Protocol major versions
differ for 172.17.119.27: SSH-2.0-OpenSSH_5.1 vs. SSH-9.9-NessusSSH_1.0
Nov 5 11:02:45 clusterg4-350-5 sshd[2996]: Protocol major versions
differ for 172.17.119.27: SSH-2.0-OpenSSH_5.1 vs. SSH-1.33-NessusSSH_1.0
Nov 5 11:02:45 clusterg4-350-5 sshd[2997]: Protocol major versions
differ for 172.17.119.27: SSH-2.0-OpenSSH_5.1 vs. SSH-1.5-NessusSSH_1.0
Nov 5 11:03:14 clusterg4-350-5 sshd[3001]: Did not receive
identification string from 172.17.119.27
Nov 5 11:03:14 clusterg4-350-5 sshd[3002]: Did not receive
identification string from 172.17.119.27
------------------------------------------------------------------------
Here's a dump from a successful PKI login
Nov 5 10:57:30 Schillingmac sshd[7092]: Accepted publickey for scan
from 172.17.119.27 port 61362 ssh2
Nov 5 10:57:30 Schillingmac sshd[7092]: error: BSM audit:
bsm_audit_session_setup: setaudit_addr failed: Function not implemented
Nov 5 10:57:35 Schillingmac sshd[7096]: Protocol major versions
differ for 172.17.119.27: SSH-2.0-OpenSSH_5.1 vs. SSH-9.9-NessusSSH_1.0
Nov 5 10:57:35 Schillingmac sshd[7099]: Protocol major versions
differ for 172.17.119.27: SSH-2.0-OpenSSH_5.1 vs. SSH-1.33-NessusSSH_1.0
Nov 5 10:57:35 Schillingmac sshd[7100]: Protocol major versions
differ for 172.17.119.27: SSH-2.0-OpenSSH_5.1 vs. SSH-1.5-NessusSSH_1.0
Nov 5 10:57:36 Schillingmac sshd[7097]: reverse mapping checking
getaddrinfo for host.company.net [172.17.119.27] failed - POSSIBLE
BREAK-IN ATTEMPT!
Nov 5 10:57:36 Schillingmac sshd[7103]: reverse mapping checking
getaddrinfo for host.company.net [172.17.119.27] failed - POSSIBLE
BREAK-IN ATTEMPT!
Nov 5 10:57:36 Schillingmac com.apple.SecurityServer: authinternal
failed to authenticate user root.
Nov 5 10:57:36 Schillingmac com.apple.SecurityServer: Failed to
authorize right system.login.tty by process /usr/sbin/sshd for
authorization created by /usr/sbin/sshd.
Nov 5 10:57:37 Schillingmac sshd[7097]: Failed password for root
from 172.17.119.27 port 61368 ssh2
Nov 5 10:57:37 Schillingmac sshd[7107]: reverse mapping checking
getaddrinfo for host.company.net [172.17.119.27] failed - POSSIBLE
BREAK-IN ATTEMPT!
Nov 5 10:57:37 Schillingmac sshd[7108]: reverse mapping checking
getaddrinfo for host.company.net [172.17.119.27] failed - POSSIBLE
BREAK-IN ATTEMPT!
Nov 5 10:57:37 Schillingmac sshd[7108]: Invalid user from
172.17.119.27
Nov 5 10:57:37 Schillingmac sshd[7108]: Failed none for invalid
user from 172.17.119.27 port 61378 ssh2
Nov 5 10:57:37 Schillingmac sshd[7095]: Did not receive
identification string from 172.17.119.27
Nov 5 10:57:37 Schillingmac com.apple.SecurityServer: authinternal
failed to authenticate user root.
Nov 5 10:57:37 Schillingmac com.apple.SecurityServer: Failed to
authorize right system.login.tty by process /usr/sbin/sshd for
authorization created by /usr/sbin/sshd.
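
A triage sketch for the two excerpts above, added here as an example and not part of the original post or of Nessus: it re-joins the mail-wrapped syslog lines and groups sshd events per target, separating authentication results from pre-authentication events (client banners that sshd rejected, connections that sent no banner). The names `unwrap`, `triage` and the rule set are assumptions of this example.

```python
import re
from collections import defaultdict

# Subset of the wrapped log lines from the two excerpts in the post.
SAMPLE = """\
Nov 5 10:57:47 clusterg4-350-5 sshd[2952]: Accepted publickey for
zeus from 172.17.119.27 port 61466 ssh2
Nov 5 11:01:41 clusterg4-350-5 sshd[2958]: Did not receive
identification string from 172.17.119.27
Nov 5 11:02:34 clusterg4-350-5 sshd[2976]: Protocol major versions
differ for 172.17.119.27: SSH-2.0-OpenSSH_5.1 vs. SSH-9.9-NessusSSH_1.0
Nov 5 10:57:30 Schillingmac sshd[7092]: Accepted publickey for scan
from 172.17.119.27 port 61362 ssh2
Nov 5 10:57:37 Schillingmac sshd[7097]: Failed password for root
from 172.17.119.27 port 61368 ssh2
Nov 5 10:57:37 Schillingmac sshd[7108]: Failed none for invalid
user from 172.17.119.27 port 61378 ssh2
"""

STAMP = re.compile(r"^[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d\s")
ENTRY = re.compile(r"^\S+\s+\d+\s+\S+\s+(\S+)\s+sshd\[\d+\]:\s+(.*)$")
RULES = [  # (event kind, pattern); captured groups are stored per event
    ("accepted", re.compile(r"Accepted (\S+) for (\S+) from \S+")),
    ("failed", re.compile(r"Failed (\S+) for (?:invalid user\s*)?(\S*?)\s*from \S+")),
    ("client_banner", re.compile(r"Protocol major versions differ for \S+: \S+ vs\. (\S+)")),
    ("no_banner", re.compile(r"Did not receive identification string from (\S+)")),
]

def unwrap(text):
    """Re-join mail-wrapped syslog lines (no timestamp = continuation)."""
    out = []
    for line in text.splitlines():
        if out and not STAMP.match(line):
            out[-1] += " " + line.strip()
        else:
            out.append(line.strip())
    return out

def triage(text):
    """Group sshd events per target host: auth results vs. pre-auth noise."""
    hosts = defaultdict(lambda: defaultdict(list))
    for line in unwrap(text):
        if not (entry := ENTRY.match(line)):
            continue  # not an sshd line (e.g. com.apple.SecurityServer)
        host, msg = entry.groups()
        for kind, rx in RULES:
            if m := rx.search(msg):
                hosts[host][kind].append(m.groups())
                break
    return hosts
```

On these lines both targets record an `Accepted publickey` event, and the failed attempt with an empty user name is kept as `("none", "")` rather than dropped.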