Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Configuring Linux Operating System Public Key Authentication

 

To scan Linux operating systems by using secure public key authentication, you must configure your JSA console or managed host and the asset that you want to scan. When authentication is configured you can do authenticated scanning by specifying a Linux operating system user name, and not specifying a password. JSA supports both rsa and dsa for SSH key generation.

You must install a public and private key on a QVM scanner, and install the public key on the scan target.

A QVM scanner is automatically installed on a QVM processor host, and might also be installed on other managed hosts.

The user account on the scan target must have a login shell and must be capable of running the commands that are required for a patch scan on the target. For more information, see Enabling Permissions for Linux or UNIX Patch Scans.

This procedure describes how to configure a single public/private key pair and transfer them to a QVM scanner and scan target.

  1. Using SSH, log in to the JSA QVM console as the root user.
  2. Generate a public key pair by typing the following command:

    su -m -c 'ssh-keygen -t-dsa <key_type>' qvmuser

    Note

    <key_type> is either dsa or rsa.

  3. Accept the default file by pressing Enter.
  4. Accept the default passphrase for the public key by pressing Enter.
  5. Press Enter again to confirm.
  6. Copy the public and private keys to all managed hosts on which a QVM scanner is installed.

    cd /home/qvmuser/ .ssh

    rsync -ogp id_<key_type> id_<key_type>.pub <IP address>;/home/qvmuser/.ssh

    • Replace <key_type> with dsa or rsa.

    • Replace <IP address> with the IP address of the scanner and enter the root password when prompted.

    Note

    The QVM processor includes a scanner. If the processor is not running on the JSA console, you must also transfer the keys to the QVM processor.

  7. Copy the public key to the scan target by typing the following command:

    ssh-copy-id -i /home/qvmuser/.ssh/id_dsa.pub root@<IP address>

    ssh-copy-id -I id_<key_type>.pub<user>@<IP address>

    • <key_type> - dsa or rsa.

    • <IP address> - the IP address of the scan target.

    • <user> - the user on the scan target.

  8. Type the user password for the scan target.
  9. Check that the qvmuser account on the QVM scanner can SSH to the scan target without a password by typing the following command:

    su -m -c 'ssh -o StrictHostKeyChecking=no root-<user>@IP address-<IP address> ls' qvmuser

    • <IP address> - the IP address of the scan target.

    • <user> - the user on the scan target.

    A list of the files in the user's home directory on the scan target is displayed.

Create a scan profile in JSA Vulnerability Manager with user name of the user on the scan target without specifying a password and run a patch scan.