Mailing List Archive: Nessus: users

Local Security Checks for OSX 10.4 and 10.5 broken

Index | Next | Previous | View Threaded

backvan at mac

Nov 5, 2008, 3:07 PM

Post #1 of 3 (890 views)
Permalink

Local Security Checks for OSX 10.4 and 10.5 broken

I am supporting a sysadmin with 70 OSX workstations and servers. I
have installed Nessus 3.2.1 client and server on the admin host. I
can reliability perform a Local Security Check on some OSX boxes and
not others.. They are all either Tiger (10.4.11) or Leopard
(10..5.5). I have tried both SSH username/passwords and public/
private keys authentication with identical results. In addition, I
can always connect with "ssh" directly with either username/password
and Pub/private keys.

Even though my "ssh/sshd" is current (OpenSSH 5.1), possibly Nessus
itself is using it's own "ssh" client internal to Nessus itself.
Maybe there is a problem there.

I think I have followed the "Nessus Credential Checks for Unix and
Windows" exactly. But obviously something is wrong. I'm open to any
ideas.

Thanks

Ron
backvan [at] mac
------------------------------------------------------------------------
------------------------------------------------------------------------
----------

Here's a dump of the failed login from /var/log/secure.log using PKI

Nov 5 10:57:47 clusterg4-350-5 sshd[2952]: reverse mapping checking
getaddrinfo for host.company.netl [172.17.119.27] failed - POSSIBLE
BREAK-IN ATTEMPT!
Nov 5 10:57:47 clusterg4-350-5 sshd[2952]: Accepted publickey for
zeus from 172.17.119.27 port 61466 ssh2
Nov 5 10:57:47 clusterg4-350-5 sshd[2952]: error: BSM audit:
bsm_audit_session_setup: setaudit_addr failed: Function not implemented
Nov 5 11:01:41 clusterg4-350-5 sshd[2958]: Did not receive
identification string from 172.17.119.27
Nov 5 11:01:41 clusterg4-350-5 sshd[2959]: Did not receive
identification string from 172.17.119.27
Nov 5 11:01:41 clusterg4-350-5 sshd[2960]: Did not receive
identification string from 172.17.119.27
Nov 5 11:01:42 clusterg4-350-5 sshd[2961]: Did not receive
identification string from 172.17.119.27
Nov 5 11:01:42 clusterg4-350-5 sshd[2962]: Did not receive
identification string from 172.17.119.27
Nov 5 11:01:43 clusterg4-350-5 sshd[2963]: Did not receive
identification string from 172.17.119.27
Nov 5 11:01:44 clusterg4-350-5 sshd[2964]: Did not receive
identification string from 172.17.119.27
Nov 5 11:01:44 clusterg4-350-5 sshd[2965]: Did not receive
identification string from 172.17.119.27
Nov 5 11:02:14 clusterg4-350-5 sshd[2969]: Did not receive
identification string from 172.17.119.27
Nov 5 11:02:34 clusterg4-350-5 sshd[2976]: Protocol major versions
differ for 172.17.119.27: SSH-2.0-OpenSSH_5.1 vs. SSH-9.9-NessusSSH_1.0
Nov 5 11:02:34 clusterg4-350-5 sshd[2978]: Protocol major versions
differ for 172.17.119.27: SSH-2.0-OpenSSH_5.1 vs. SSH-1.33-NessusSSH_1.0
Nov 5 11:02:34 clusterg4-350-5 sshd[2980]: Protocol major versions
differ for 172.17.119.27: SSH-2.0-OpenSSH_5.1 vs. SSH-1.5-NessusSSH_1.0
Nov 5 11:02:44 clusterg4-350-5 sshd[2975]: Did not receive
identification string from 172.17.119.27
Nov 5 11:02:45 clusterg4-350-5 sshd[2995]: Protocol major versions
differ for 172.17.119.27: SSH-2.0-OpenSSH_5.1 vs. SSH-9.9-NessusSSH_1.0
Nov 5 11:02:45 clusterg4-350-5 sshd[2996]: Protocol major versions
differ for 172.17.119.27: SSH-2.0-OpenSSH_5.1 vs. SSH-1.33-NessusSSH_1.0
Nov 5 11:02:45 clusterg4-350-5 sshd[2997]: Protocol major versions
differ for 172.17.119.27: SSH-2.0-OpenSSH_5.1 vs. SSH-1.5-NessusSSH_1.0
Nov 5 11:03:14 clusterg4-350-5 sshd[3001]: Did not receive
identification string from 172.17.119.27
Nov 5 11:03:14 clusterg4-350-5 sshd[3002]: Did not receive
identification string from 172.17.119.27
------------------------------------------------------------------------
------------------------------------------------------------------------
----------
Here's a dump from from a successful pki login

Nov 5 10:57:30 Schillingmac sshd[7092]: Accepted publickey for scan
from 172.17.119.27 port 61362 ssh2
Nov 5 10:57:30 Schillingmac sshd[7092]: error: BSM audit:
bsm_audit_session_setup: setaudit_addr failed: Function not implemented
Nov 5 10:57:35 Schillingmac sshd[7096]: Protocol major versions
differ for 172.17.119.27: SSH-2.0-OpenSSH_5.1 vs. SSH-9.9-NessusSSH_1.0
Nov 5 10:57:35 Schillingmac sshd[7099]: Protocol major versions
differ for 172.17.119.27: SSH-2.0-OpenSSH_5.1 vs. SSH-1.33-NessusSSH_1.0
Nov 5 10:57:35 Schillingmac sshd[7100]: Protocol major versions
differ for 172.17.119.27: SSH-2.0-OpenSSH_5.1 vs. SSH-1.5-NessusSSH_1.0
Nov 5 10:57:36 Schillingmac sshd[7097]: reverse mapping checking
getaddrinfo for host.company.net [172.17.119.27] failed - POSSIBLE
BREAK-IN ATTEMPT!
Nov 5 10:57:36 Schillingmac sshd[7103]: reverse mapping checking
getaddrinfo for host.company.net [172.17.119.27] failed - POSSIBLE
BREAK-IN ATTEMPT!
Nov 5 10:57:36 Schillingmac com.apple.SecurityServer: authinternal
failed to authenticate user root.
Nov 5 10:57:36 Schillingmac com.apple.SecurityServer: Failed to
authorize right system.login.tty by process /usr/sbin/sshd for
authorization created by /usr/sbin/sshd.
Nov 5 10:57:37 Schillingmac sshd[7097]: Failed password for root
from 172.17.119.27 port 61368 ssh2
Nov 5 10:57:37 Schillingmac sshd[7107]: reverse mapping checking
getaddrinfo for host.company.net [172.17.119.27] failed - POSSIBLE
BREAK-IN ATTEMPT!
Nov 5 10:57:37 Schillingmac sshd[7108]: reverse mapping checking
getaddrinfo for host.company.net [172.17.119.27] failed - POSSIBLE
BREAK-IN ATTEMPT!
Nov 5 10:57:37 Schillingmac sshd[7108]: Invalid user from
172.17.119.27
Nov 5 10:57:37 Schillingmac sshd[7108]: Failed none for invalid
user from 172.17.119.27 port 61378 ssh2
Nov 5 10:57:37 Schillingmac sshd[7095]: Did not receive
identification string from 172.17.119.27
Nov 5 10:57:37 Schillingmac com.apple.SecurityServer: authinternal
failed to authenticate user root.
Nov 5 10:57:37 Schillingmac com.apple.SecurityServer: Failed to
authorize right system.login.tty by process /usr/sbin/sshd for
authorization created by /usr/sbin/sshd.

deraison-lists at nessus

Nov 6, 2008, 2:50 AM

Post #2 of 3 (834 views)
Permalink

Re: Local Security Checks for OSX 10.4 and 10.5 broken [In reply to]

Hi Ron,

We can not reproduce your problem here (tested against 10.5.5 with
both password authentication and public key authentication).

Are you doing a key authentication or a password-based one? If it's a
public key authentication, i'd be interested in seeing the format of
the public key you're using (you can send it to me privately)

Thanks,

-- Renaud

On Nov 6, 2008, at 12:07 AM, Ron wrote:

> I am supporting a sysadmin with 70 OSX workstations and servers. I
> have installed Nessus 3.2.1 client and server on the admin host. I
> can reliability perform a Local Security Check on some OSX boxes and
> not others.. They are all either Tiger (10.4.11) or Leopard
> (10..5.5). I have tried both SSH username/passwords and public/
> private keys authentication with identical results. In addition, I
> can always connect with "ssh" directly with either username/password
> and Pub/private keys.
>
> Even though my "ssh/sshd" is current (OpenSSH 5.1), possibly Nessus
> itself is using it's own "ssh" client internal to Nessus itself.
> Maybe there is a problem there.
>
> I think I have followed the "Nessus Credential Checks for Unix and
> Windows" exactly. But obviously something is wrong. I'm open to
> any ideas.
>
> Thanks
>
> Ron
> backvan [at] mac
> ----------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Here's a dump of the failed login from /var/log/secure.log using PKI
>
> Nov 5 10:57:47 clusterg4-350-5 sshd[2952]: reverse mapping checking
> getaddrinfo for host.company.netl [172.17.119.27] failed - POSSIBLE
> BREAK-IN ATTEMPT!
> Nov 5 10:57:47 clusterg4-350-5 sshd[2952]: Accepted publickey for
> zeus from 172.17.119.27 port 61466 ssh2
> Nov 5 10:57:47 clusterg4-350-5 sshd[2952]: error: BSM audit:
> bsm_audit_session_setup: setaudit_addr failed: Function not
> implemented
> Nov 5 11:01:41 clusterg4-350-5 sshd[2958]: Did not receive
> identification string from 172.17.119.27
> Nov 5 11:01:41 clusterg4-350-5 sshd[2959]: Did not receive
> identification string from 172.17.119.27
> Nov 5 11:01:41 clusterg4-350-5 sshd[2960]: Did not receive
> identification string from 172.17.119.27
> Nov 5 11:01:42 clusterg4-350-5 sshd[2961]: Did not receive
> identification string from 172.17.119.27
> Nov 5 11:01:42 clusterg4-350-5 sshd[2962]: Did not receive
> identification string from 172.17.119.27
> Nov 5 11:01:43 clusterg4-350-5 sshd[2963]: Did not receive
> identification string from 172.17.119.27
> Nov 5 11:01:44 clusterg4-350-5 sshd[2964]: Did not receive
> identification string from 172.17.119.27
> Nov 5 11:01:44 clusterg4-350-5 sshd[2965]: Did not receive
> identification string from 172.17.119.27
> Nov 5 11:02:14 clusterg4-350-5 sshd[2969]: Did not receive
> identification string from 172.17.119.27
> Nov 5 11:02:34 clusterg4-350-5 sshd[2976]: Protocol major versions
> differ for 172.17.119.27: SSH-2.0-OpenSSH_5.1 vs. SSH-9.9-
> NessusSSH_1.0
> Nov 5 11:02:34 clusterg4-350-5 sshd[2978]: Protocol major versions
> differ for 172.17.119.27: SSH-2.0-OpenSSH_5.1 vs. SSH-1.33-
> NessusSSH_1.0
> Nov 5 11:02:34 clusterg4-350-5 sshd[2980]: Protocol major versions
> differ for 172.17.119.27: SSH-2.0-OpenSSH_5.1 vs. SSH-1.5-
> NessusSSH_1.0
> Nov 5 11:02:44 clusterg4-350-5 sshd[2975]: Did not receive
> identification string from 172.17.119.27
> Nov 5 11:02:45 clusterg4-350-5 sshd[2995]: Protocol major versions
> differ for 172.17.119.27: SSH-2.0-OpenSSH_5.1 vs. SSH-9.9-
> NessusSSH_1.0
> Nov 5 11:02:45 clusterg4-350-5 sshd[2996]: Protocol major versions
> differ for 172.17.119.27: SSH-2.0-OpenSSH_5.1 vs. SSH-1.33-
> NessusSSH_1.0
> Nov 5 11:02:45 clusterg4-350-5 sshd[2997]: Protocol major versions
> differ for 172.17.119.27: SSH-2.0-OpenSSH_5.1 vs. SSH-1.5-
> NessusSSH_1.0
> Nov 5 11:03:14 clusterg4-350-5 sshd[3001]: Did not receive
> identification string from 172.17.119.27
> Nov 5 11:03:14 clusterg4-350-5 sshd[3002]: Did not receive
> identification string from 172.17.119.27
> ----------------------------------------------------------------------------------------------------------------------------------------------------------
> Here's a dump from from a successful pki login
>
> Nov 5 10:57:30 Schillingmac sshd[7092]: Accepted publickey for scan
> from 172.17.119.27 port 61362 ssh2
> Nov 5 10:57:30 Schillingmac sshd[7092]: error: BSM audit:
> bsm_audit_session_setup: setaudit_addr failed: Function not
> implemented
> Nov 5 10:57:35 Schillingmac sshd[7096]: Protocol major versions
> differ for 172.17.119.27: SSH-2.0-OpenSSH_5.1 vs. SSH-9.9-
> NessusSSH_1.0
> Nov 5 10:57:35 Schillingmac sshd[7099]: Protocol major versions
> differ for 172.17.119.27: SSH-2.0-OpenSSH_5.1 vs. SSH-1.33-
> NessusSSH_1.0
> Nov 5 10:57:35 Schillingmac sshd[7100]: Protocol major versions
> differ for 172.17.119.27: SSH-2.0-OpenSSH_5.1 vs. SSH-1.5-
> NessusSSH_1.0
> Nov 5 10:57:36 Schillingmac sshd[7097]: reverse mapping checking
> getaddrinfo for host.company.net [172.17.119.27] failed - POSSIBLE
> BREAK-IN ATTEMPT!
> Nov 5 10:57:36 Schillingmac sshd[7103]: reverse mapping checking
> getaddrinfo for host.company.net [172.17.119.27] failed - POSSIBLE
> BREAK-IN ATTEMPT!
> Nov 5 10:57:36 Schillingmac com.apple.SecurityServer: authinternal
> failed to authenticate user root.
> Nov 5 10:57:36 Schillingmac com.apple.SecurityServer: Failed to
> authorize right system.login.tty by process /usr/sbin/sshd for
> authorization created by /usr/sbin/sshd.
> Nov 5 10:57:37 Schillingmac sshd[7097]: Failed password for root
> from 172.17.119.27 port 61368 ssh2
> Nov 5 10:57:37 Schillingmac sshd[7107]: reverse mapping checking
> getaddrinfo for host.company.net [172.17.119.27] failed - POSSIBLE
> BREAK-IN ATTEMPT!
> Nov 5 10:57:37 Schillingmac sshd[7108]: reverse mapping checking
> getaddrinfo for host.company.net [172.17.119.27] failed - POSSIBLE
> BREAK-IN ATTEMPT!
> Nov 5 10:57:37 Schillingmac sshd[7108]: Invalid user from
> 172.17.119.27
> Nov 5 10:57:37 Schillingmac sshd[7108]: Failed none for invalid
> user from 172.17.119.27 port 61378 ssh2
> Nov 5 10:57:37 Schillingmac sshd[7095]: Did not receive
> identification string from 172.17.119.27
> Nov 5 10:57:37 Schillingmac com.apple.SecurityServer: authinternal
> failed to authenticate user root.
> Nov 5 10:57:37 Schillingmac com.apple.SecurityServer: Failed to
> authorize right system.login.tty by process /usr/sbin/sshd for
> authorization created by /usr/sbin/sshd.
>
> _______________________________________________
> Nessus mailing list
> Nessus [at] list
> http://mail.nessus.org/mailman/listinfo/nessus

backvan at mac

Nov 10, 2008, 9:27 PM

Post #3 of 3 (825 views)
Permalink

RE: Local Security Checks for OSX 10.4 and 10.5 broken [In reply to]

Renaud,

Problem solved but still a mystery! Both key authentication or a
password-based now work just fine. The Key authentication was a
normal one made with "ssh-keygen -t dsa" I then dropped the ".pub
key on the target machine in the scan accounts .ssh directory. AT
first that didn't work any better than username/password. On these
some 70 odd OSX boxes, he is using OpenLDAP services for all the home
directories. Once again I could always "ssh" in every time. I
examined the original secure.log files and noticed that successful
Nessus credential logins occurred when the network DNS server
properly resolved both forward and reverse lookups for the host IP.
The hosts that failed had the reverse DNS lookup broken. It was a
simple misconfiguration on the DNS server. When corrected, I could
Nessus login on every host.

I seem to have fixed the problem but don't know why. I have no other
users using OpenLDAP to host user accounts. A cool thing about this
is I have only one OSX account for scanning with the oublic key in
it's .ssh directory,, not ONE per host. Otherwise, I would have to
push that public key to each of 70 hosts. But the DNS reverse lookup
business confuses me.

Ideas?

Ron

------------------------------------------------------------------------
----------------------------------------------

Hi Ron,

We can not reproduce your problem here (tested against 10.5.5 with
both password authentication and public key authentication).

Are you doing a key authentication or a password-based one? If it's a
public key authentication, i'd be interested in seeing the format of
the public key you're using (you can send it to me privately)

Thanks,

-- Renaud

On Nov 6, 2008, at 12:07 AM, Ron wrote:

> I am supporting a sysadmin with 70 OSX workstations and servers. I
> have installed Nessus 3.2.1 client and server on the admin host. I
> can reliability perform a Local Security Check on some OSX boxes and
> not others.. They are all either Tiger (10.4.11) or Leopard
> (10..5.5). I have tried both SSH username/passwords and public/
> private keys authentication with identical results. In addition, I
> can always connect with "ssh" directly with either username/password
> and Pub/private keys.
>
> Even though my "ssh/sshd" is current (OpenSSH 5.1), possibly Nessus
> itself is using it's own "ssh" client internal to Nessus itself.
> Maybe there is a problem there.
>
> I think I have followed the "Nessus Credential Checks for Unix and
> Windows" exactly. But obviously something is wrong. I'm open to
> any ideas.
>
> Thanks
>
> Ron
> backvan at mac.com

_______________________________________________
Nessus mailing list
Nessus [at] list
http://mail.nessus.org/mailman/listinfo/nessus

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads