If you are using Nessus to scan Linux hosts and authenticate by key, you may encounter this problem.
You have generated the keys correctly, placed the public key on a remote server. You can connect to this server using the private key.
ssh -p22 -i private_key user@server.corporation.com
But when scanning with Nessus, you get weird errors in the various plugin outputs:
- Target Credential Status by Authentication Protocol – Failure for Provided Credentials
- Nessus failed to load the SSH private key. Is the associated passphrase correct?
- Failed to parse the given key information.
- Unable to login to remote host with supplied credential sets.
E.g. 1: Plugin 104410 – Target Credential Status by Authentication Protocol – Failure for Provided Credentials
Nessus was unable to log into the following host for which credentials have been provided :
Protocol : SSH
Port : 22
Failure details :
- User : svc_nessus
- Plugin : ssh_rate_limiting.nasl
Plugin ID : 122501
Plugin Name : SSH Rate Limited Device
Message : Failed to parse the given key information.
- Plugin : ssh_rate_limiting.nasl
Plugin ID : 122501
Plugin Name : SSH Rate Limited Device
Message : Failed to parse ssh keys.
- Plugin : netstat_portscan.nasl
Plugin ID : 14272
Plugin Name : Netstat Portscanner (SSH)
Message : Nessus failed to load the SSH private key. Is the associated passphrase correct?
- Plugin : netstat_portscan.nasl
Plugin ID : 14272
Plugin Name : Netstat Portscanner (SSH)
Message : Failed to parse the given key information.
- Plugin : netstat_portscan.nasl
Plugin ID : 14272
Plugin Name : Netstat Portscanner (SSH)
Message : Failed to parse ssh keys.
- Plugin : ssh_check_compression.nasl
Plugin ID : 104411
Plugin Name : SSH Compression Error Checking
Message : Failed to parse the given key information.
- Plugin : ssh_check_compression.nasl
Plugin ID : 104411
Plugin Name : SSH Compression Error Checking
Message : Failed to parse ssh keys.
- Plugin : ssh_get_info2.nasl
Plugin ID : 97993
Plugin Name : OS Identification and Installed Software Enumeration over SSH v2 (Using New SSH Library)
Message : Failed to parse the given key information.
- Plugin : ssh_get_info2.nasl
Plugin ID : 97993
Plugin Name : OS Identification and Installed Software Enumeration over SSH v2 (Using New SSH Library)
Message : Failed to parse ssh keys.
- Plugin : ssh_get_info.nasl
Plugin ID : 12634
Plugin Name : Authenticated Check : OS Name and Installed Package Enumeration
Message : Nessus failed to load the SSH private key. Is the associated passphrase correct?
less...
E.g. 2: Plugin 117886 – OS Security Patch Assessment Failed
The following service errors were logged :
- Plugin : ssh_get_info2.nasl
Plugin ID : 97993
Plugin Name : OS Identification and Installed Software Enumeration over SSH v2 (Using New SSH Library)
Protocol : SSH
Message : Unable to login to remote host with supplied credential sets.
Errors:
- No supplied credential sets succeeded on any of the ssh ports
- Plugin : ssh_get_info.nasl
Plugin ID : 12634
Plugin Name : Authenticated Check : OS Name and Installed Package Enumeration
Protocol : SSH
Message : Nessus failed to load the SSH private key. Is the associated passphrase correct?
Look at the private key that you attach to the Nessus scan policy.
If it starts with “—– BEGIN OPENSSH PRIVATE KEY —–“, then the reason is clear
“The authentication issue can be caused by using ssh-keygen OpenSSH version 7.8+. The default format for RSA\DSA key pairs is OPENSSH, as opposed to the previously used .pem format. Nessus does not currently support RSA\DSA key pairs in OPENSSH format. Nessus will not be able to parse the key. To check if the key is in OPENSSH format, cat the file in the CLI, or open the file in a text editor”.
So, how can you fix this?
Convert your private SSH key to PEM format using ssh-keygen tool:
ssh-keygen -p -m PEM -f /path/to/private_key
And attach the new key to the Nessus scan policy.
It is surprising of course that Nessus cannot recognize the key format and convert it automatically, but shows some strange errors instead. But this is the reality.
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.
Thank you!!
This solved my issue.
Great post! Your wisdom and positivity are contagious. 😊