
Mailing List Archive: Nessus: devel

Nessus user authentication

 

 



dave at cirt

Sep 13, 2002, 3:35 AM

Post #1 of 8 (303 views)
Nessus user authentication

Silly question - the nessus user authentication seems a bit last minute
to me, is this deliberate, or is it planned this way...

My issue is that I have a server which runs nessusd and has several
people connecting through via the various nessus clients, of course I'd
like to password these (allow flexibility etc)... nessus-adduser allows
me to assign a password but not change it -- or allow the users to
change their own passwords.

Is there a reason why nessus users are designed like this?

I have patched a test version of nessusd on my system to use PAM to
authenticate with the OS passwords (and will continue to do a cron like
allow-deny list) should I release this for the Nessus source?

thanks

dave



arboi at noos

Sep 13, 2002, 3:49 AM

Post #3 of 8 (296 views)
Re: Nessus user authentication [In reply to]

"David Lodge" <dave [at] cirt> writes:

> nessus-adduser allows me to assign a password but not change it --
> or allow the users to change their own passwords.

> Is there a reason why nessus users are designed like this?

No
We could easily write a nessus-passwd command from nessus-adduser.


dave at cirt

Sep 13, 2002, 4:22 AM

Post #4 of 8 (298 views)
Re: Nessus user authentication [In reply to]

> > Is there a reason why nessus users are designed like this?
> No
> We could easily write a nessus-passwd command from nessus-adduser.

That's no problem -- and I could probably code one quite quickly
(after all it's only md5 hashes and it's written in shell)...

But, on the other side; would it be an idea to allow OS (ie PAM)
authentication as a user option?

dave



victor at opticom

Sep 13, 2002, 4:45 AM

Post #6 of 8 (296 views)
RE: Nessus user authentication [In reply to]

> > > Is there a reason why nessus users are designed like this?
> > No
> > We could easily write a nessus-passwd command from nessus-adduser.
>
> That's no problem -- and I could probably code one quite quickly
> (after all it's only md5 hashes and it's written in shell)...
>
> But, on the other side; would it be an idea to allow OS (ie PAM)
> authentication as a user option?

I think that PAM authentication is a good idea - it will allow use of not only
OS accounts, but also centralized account management via LDAP, etc.

Best regards,
Victor


deraison at nessus

Sep 13, 2002, 7:57 AM

Post #7 of 8 (295 views)
Re: Nessus user authentication [In reply to]

On Fri, Sep 13, 2002 at 07:22:24AM -0400, David Lodge wrote:
> > > Is there a reason why nessus users are designed like this?
> > No
> > We could easily write a nessus-passwd command from nessus-adduser.
>
> That's no problem -- and I could probably code one quite quickly
> (after all it's only md5 hashes and it's written in shell)...
>
> But, on the other side; would it be an idea to allow OS (ie PAM)
> authentication as a user option?

I don't really like it. The reason is that this way, anyone with a shell
will get the right to scan with Nessus.

What we could do though, would be to change nessus-adduser to allow the
use of pam as a method of authentication. This way, users _have_ to be
explicitly added, but password management is easy.


-- Renaud


arboi at noos

Nov 12, 2002, 3:33 AM

Post #8 of 8 (297 views)
Re: Nessus user authentication [In reply to]

"David Lodge" <dave [at] cirt> writes:

> But, on the other side; would it be an idea to allow OS (ie PAM)
> authentication as a user option?

This would mean that any user has the right to scan machines on the
network. Or we would need a specific PAM module, which would look into
Nessus database. Not great.
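
The separation proposed in post #7 (users must be explicitly added, while PAM only checks the password) can be sketched as follows. This is an added example, not code from the thread or from Nessus; the registry, the logins and the `fake_pam` / `fake_local` backends are constructed stand-ins for a real user database, a PAM call and a local password check.

```c
#include <stdio.h>
#include <string.h>

/* Password backend: returns 1 if the password is valid for the login. */
typedef int (*verify_fn)(const char *login, const char *password);

enum auth_method { AUTH_LOCAL, AUTH_PAM };

struct scan_user {
    const char *login;
    enum auth_method method;   /* chosen when the admin adds the user */
};

/* Constructed registry: only explicitly added logins may scan. */
static const struct scan_user registry[] = {
    { "alice", AUTH_PAM },
    { "bob",   AUTH_LOCAL },
};

/* Constructed stand-in for PAM: alice and carol are both valid OS accounts. */
static int fake_pam(const char *login, const char *pw) {
    return (!strcmp(login, "alice") && !strcmp(pw, "os-pw-a")) ||
           (!strcmp(login, "carol") && !strcmp(pw, "os-pw-c"));
}

/* Constructed stand-in for the scanner's own password store. */
static int fake_local(const char *login, const char *pw) {
    return !strcmp(login, "bob") && !strcmp(pw, "scanner-pw-b");
}

/* Authorization first (registry lookup), authentication second. */
int scan_login(const char *login, const char *pw,
               verify_fn pam, verify_fn local) {
    size_t i, n = sizeof registry / sizeof registry[0];
    if (!login || !pw) return 0;
    for (i = 0; i < n; i++) {
        if (strcmp(registry[i].login, login) != 0) continue;
        /* Each user is checked only by the backend assigned to them. */
        return registry[i].method == AUTH_PAM ? pam(login, pw)
                                              : local(login, pw);
    }
    return 0; /* a valid OS password alone never grants scan rights */
}

int main(void) {
    printf("alice (listed, PAM):  %d\n",
           scan_login("alice", "os-pw-a", fake_pam, fake_local));
    printf("carol (shell only):   %d\n",
           scan_login("carol", "os-pw-c", fake_pam, fake_local));
    return 0;
}
```
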
