How to fix “Nessus failed to load the SSH private key” error?

If you are using Nessus to scan Linux hosts and authenticate by key, you may encounter this problem.

You have generated the key pair correctly and placed the public key in the authorized_keys file on the remote server. You can log in to that server with the private key:

ssh -p22 -i private_key user@server.corporation.com

But when you scan with Nessus, a mix of confusing errors appears in the output of various plugins:

  • Target Credential Status by Authentication Protocol – Failure for Provided Credentials
  • Nessus failed to load the SSH private key. Is the associated passphrase correct?
  • Failed to parse the given key information.
  • Unable to login to remote host with supplied credential sets.

E.g. 1: Plugin 104410 – Target Credential Status by Authentication Protocol – Failure for Provided Credentials

Nessus was unable to log into the following host for which credentials have been provided :
  Protocol        : SSH
  Port            : 22
  Failure details :
  - User : svc_nessus
    - Plugin      : ssh_rate_limiting.nasl
      Plugin ID   : 122501
      Plugin Name : SSH Rate Limited Device
      Message     : Failed to parse the given key information.
    - Plugin      : ssh_rate_limiting.nasl
      Plugin ID   : 122501
      Plugin Name : SSH Rate Limited Device
      Message     : Failed to parse ssh keys.
    - Plugin      : netstat_portscan.nasl
      Plugin ID   : 14272
      Plugin Name : Netstat Portscanner (SSH)
      Message     : Nessus failed to load the SSH private key. Is the associated passphrase correct?
    - Plugin      : netstat_portscan.nasl
      Plugin ID   : 14272
      Plugin Name : Netstat Portscanner (SSH)
      Message     : Failed to parse the given key information.
    - Plugin      : netstat_portscan.nasl
      Plugin ID   : 14272
      Plugin Name : Netstat Portscanner (SSH)
      Message     : Failed to parse ssh keys.
    - Plugin      : ssh_check_compression.nasl
      Plugin ID   : 104411
      Plugin Name : SSH Compression Error Checking
      Message     : Failed to parse the given key information.
    - Plugin      : ssh_check_compression.nasl
      Plugin ID   : 104411
      Plugin Name : SSH Compression Error Checking
      Message     : Failed to parse ssh keys.
    - Plugin      : ssh_get_info2.nasl
      Plugin ID   : 97993
      Plugin Name : OS Identification and Installed Software Enumeration over SSH v2 (Using New SSH Library)
      Message     : Failed to parse the given key information.
    - Plugin      : ssh_get_info2.nasl
      Plugin ID   : 97993
      Plugin Name : OS Identification and Installed Software Enumeration over SSH v2 (Using New SSH Library)
      Message     : Failed to parse ssh keys.
    - Plugin      : ssh_get_info.nasl
      Plugin ID   : 12634
      Plugin Name : Authenticated Check : OS Name and Installed Package Enumeration
      Message     : Nessus failed to load the SSH private key. Is the associated passphrase correct?

E.g. 2: Plugin 117886 – OS Security Patch Assessment Failed

The following service errors were logged :
  - Plugin      : ssh_get_info2.nasl
    Plugin ID   : 97993
    Plugin Name : OS Identification and Installed Software Enumeration over SSH v2 (Using New SSH Library)
    Protocol    : SSH
    Message     : Unable to login to remote host with supplied credential sets.
Errors:
  - No supplied credential sets succeeded on any of the ssh ports
  - Plugin      : ssh_get_info.nasl
    Plugin ID   : 12634
    Plugin Name : Authenticated Check : OS Name and Installed Package Enumeration
    Protocol    : SSH
    Message     : Nessus failed to load the SSH private key. Is the associated passphrase correct?

Look at the private key that you attach to the Nessus scan policy.

If it starts with "-----BEGIN OPENSSH PRIVATE KEY-----", the reason is clear.

Tenable's explanation, quoted: "The authentication issue can be caused by using ssh-keygen OpenSSH version 7.8+. The default format for RSA/DSA key pairs is OPENSSH, as opposed to the previously used .pem format. Nessus does not currently support RSA/DSA key pairs in OPENSSH format. Nessus will not be able to parse the key. To check if the key is in OPENSSH format, cat the file in the CLI, or open the file in a text editor."

So, how can you fix this?

Convert the private key to PEM format with the ssh-keygen tool. Note that -p rewrites the key file in place, so make a backup copy first:

ssh-keygen -p -m PEM -f /path/to/private_key

After the conversion the first line of the file should read "-----BEGIN RSA PRIVATE KEY-----" (or DSA/EC for those key types). Two caveats: Ed25519 keys have no PEM representation, so ssh-keygen keeps them in OpenSSH format regardless of -m PEM, and you will need an RSA or ECDSA key instead (for example ssh-keygen -t rsa -b 4096 -m PEM -f nessus_key generates one directly in PEM). And a passphrase-protected PEM key uses the legacy OpenSSL encryption with a weak MD5-based key derivation, which is one reason OpenSSH changed its default format, so protect the converted file with strict permissions rather than relying on the passphrase alone.

Then attach the converted key to the Nessus scan policy.
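The following script is an added example, not code from the original post or from Tenable: it checks which container format a private key uses by its first line, converts an OpenSSH-format key to PEM in place (with a backup), refuses Ed25519 keys because they cannot be expressed in PEM, and verifies that the public key is unchanged after conversion. The file paths and the fix_key.sh name are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): detect and fix the private key
# format that makes Nessus report "failed to load the SSH private key".
set -u

# Print the container format of an SSH private key, judged by its first line:
#   openssh - "-----BEGIN OPENSSH PRIVATE KEY-----" (ssh-keygen >= 7.8 default)
#   pem     - "-----BEGIN RSA|DSA|EC PRIVATE KEY-----" (what Nessus expects)
#   pkcs8   - "-----BEGIN [ENCRYPTED] PRIVATE KEY-----"
#   unknown - anything else
key_format() {
    first=$(head -n 1 "$1")
    case "$first" in
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN DSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----") echo pem ;;
        "-----BEGIN PRIVATE KEY-----"|"-----BEGIN ENCRYPTED PRIVATE KEY-----") echo pkcs8 ;;
        *) echo unknown ;;
    esac
}

# Convert an OpenSSH-format key to PEM in place, keeping a .openssh.bak copy.
# Usage: convert_to_pem /path/to/key [passphrase]
# Returns 0 when the key is PEM afterwards, 1 on ssh-keygen failure,
# 2 for a format we do not handle, 3 for Ed25519 (no PEM form exists).
convert_to_pem() {
    key=$1
    pass=${2:-}
    case $(key_format "$key") in
        pem) return 0 ;;                  # already fine, nothing to do
        openssh) ;;
        *) echo "unsupported key format: $key" >&2; return 2 ;;
    esac
    # ssh-keygen -y derives the public key; its first field is the key type.
    before=$(ssh-keygen -y -P "$pass" -f "$key") || {
        echo "cannot read $key (wrong passphrase?)" >&2; return 1; }
    case "${before%% *}" in
        ssh-ed25519|sk-*)
            echo "$key is Ed25519; ssh-keygen keeps it in OpenSSH format even with -m PEM." >&2
            echo "Generate an RSA key instead: ssh-keygen -t rsa -b 4096 -m PEM -f nessus_key" >&2
            return 3 ;;
    esac
    cp -p "$key" "$key.openssh.bak"
    # -p rewrites the private key file, -m PEM selects the legacy container,
    # -P is the current passphrase and -N the new one (kept unchanged here).
    ssh-keygen -p -m PEM -f "$key" -P "$pass" -N "$pass" >/dev/null || return 1
    # The PEM container drops the key comment, so compare type and key blob only.
    after=$(ssh-keygen -y -P "$pass" -f "$key") || return 1
    [ "$(printf '%s\n' "$before" | cut -d ' ' -f 1,2)" = \
      "$(printf '%s\n' "$after" | cut -d ' ' -f 1,2)" ] || {
        echo "public key changed after conversion, restoring backup" >&2
        cp -p "$key.openssh.bak" "$key"; return 1; }
    [ "$(key_format "$key")" = pem ]
}

# Stand-alone use: sh fix_key.sh /path/to/private_key [passphrase]
if [ $# -gt 0 ]; then
    convert_to_pem "$1" "${2:-}" && echo "$1 is now PEM; attach it to the Nessus scan policy"
fi
```

Run it against a copy of the key you intend to upload; the original stays in the .openssh.bak file, and the script exits non-zero (with a message) rather than claiming success for an Ed25519 key.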

It is of course surprising that Nessus does not recognise the key format and convert it automatically, and instead reports misleading errors. But that is the reality.
