How to fix “Nessus failed to load the SSH private key” error?

 3 years ago
source link: https://avleonov.com/2021/07/31/how-to-fix-nessus-failed-to-load-the-ssh-private-key-error/

If you are using Nessus to scan Linux hosts and authenticate by key, you may encounter this problem.

You have generated the keys correctly and placed the public key on the remote server. You can connect to this server using the private key.

ssh -p22 -i private_key user@remote-host

But when scanning with Nessus, you get weird errors in the various plugin outputs:

  • Target Credential Status by Authentication Protocol – Failure for Provided Credentials
  • Nessus failed to load the SSH private key. Is the associated passphrase correct?
  • Failed to parse the given key information.
  • Unable to login to remote host with supplied credential sets.

E.g. 1: Plugin 104410 – Target Credential Status by Authentication Protocol – Failure for Provided Credentials

Nessus was unable to log into the following host for which credentials have been provided :
  Protocol        : SSH
  Port            : 22
  Failure details :
  - User : svc_nessus
    - Plugin      : ssh_rate_limiting.nasl
      Plugin ID   : 122501
      Plugin Name : SSH Rate Limited Device
      Message     : Failed to parse the given key information.
    - Plugin      : ssh_rate_limiting.nasl
      Plugin ID   : 122501
      Plugin Name : SSH Rate Limited Device
      Message     : Failed to parse ssh keys.
    - Plugin      : netstat_portscan.nasl
      Plugin ID   : 14272
      Plugin Name : Netstat Portscanner (SSH)
      Message     : Nessus failed to load the SSH private key. Is the associated passphrase correct?
    - Plugin      : netstat_portscan.nasl
      Plugin ID   : 14272
      Plugin Name : Netstat Portscanner (SSH)
      Message     : Failed to parse the given key information.
    - Plugin      : netstat_portscan.nasl
      Plugin ID   : 14272
      Plugin Name : Netstat Portscanner (SSH)
      Message     : Failed to parse ssh keys.
    - Plugin      : ssh_check_compression.nasl
      Plugin ID   : 104411
      Plugin Name : SSH Compression Error Checking
      Message     : Failed to parse the given key information.
    - Plugin      : ssh_check_compression.nasl
      Plugin ID   : 104411
      Plugin Name : SSH Compression Error Checking
      Message     : Failed to parse ssh keys.
    - Plugin      : ssh_get_info2.nasl
      Plugin ID   : 97993
      Plugin Name : OS Identification and Installed Software Enumeration over SSH v2 (Using New SSH Library)
      Message     : Failed to parse the given key information.
    - Plugin      : ssh_get_info2.nasl
      Plugin ID   : 97993
      Plugin Name : OS Identification and Installed Software Enumeration over SSH v2 (Using New SSH Library)
      Message     : Failed to parse ssh keys.
    - Plugin      : ssh_get_info.nasl
      Plugin ID   : 12634
      Plugin Name : Authenticated Check : OS Name and Installed Package Enumeration
      Message     : Nessus failed to load the SSH private key. Is the associated passphrase correct?

E.g. 2: Plugin 117886 – OS Security Patch Assessment Failed

The following service errors were logged :
  - Plugin      : ssh_get_info2.nasl
    Plugin ID   : 97993
    Plugin Name : OS Identification and Installed Software Enumeration over SSH v2 (Using New SSH Library)
    Protocol    : SSH
    Message     : Unable to login to remote host with supplied credential sets.
Errors:
  - No supplied credential sets succeeded on any of the ssh ports
  - Plugin      : ssh_get_info.nasl
    Plugin ID   : 12634
    Plugin Name : Authenticated Check : OS Name and Installed Package Enumeration
    Protocol    : SSH
    Message     : Nessus failed to load the SSH private key. Is the associated passphrase correct?

Look at the private key that you attach to the Nessus scan policy.

If it starts with “-----BEGIN OPENSSH PRIVATE KEY-----”, then the reason is clear:

“The authentication issue can be caused by using ssh-keygen OpenSSH version 7.8+. The default format for RSA\DSA key pairs is OPENSSH, as opposed to the previously used .pem format. Nessus does not currently support RSA\DSA key pairs in OPENSSH format. Nessus will not be able to parse the key. To check if the key is in OPENSSH format, cat the file in the CLI, or open the file in a text editor.”

So, how can you fix this?

Convert your private SSH key to PEM format using the ssh-keygen tool:

ssh-keygen -p -m PEM -f /path/to/private_key

And attach the new key to the Nessus scan policy.
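
The header check and the conversion above, combined into one script. This is an added example, not code from the original post; the function names key_format and make_pem_copy are hypothetical. It converts a copy because ssh-keygen -p rewrites the file given with -f in place.

```sh
#!/bin/sh
# Added example: classify a private key by its first line and write a
# PEM-format copy for the scanner, leaving the original key untouched.

# Print the container format of a private key file, judged by its header.
key_format() (
    cr=$(printf '\r')
    IFS= read -r header < "$1" || true
    header=${header%"$cr"}          # tolerate CRLF line endings
    case "$header" in
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
        "-----BEGIN RSA PRIVATE KEY-----")     echo pem-rsa ;;
        "-----BEGIN DSA PRIVATE KEY-----")     echo pem-dsa ;;
        "-----BEGIN EC PRIVATE KEY-----")      echo pem-ec ;;
        "-----BEGIN PRIVATE KEY-----")         echo pkcs8 ;;
        *)                                     echo unknown ;;
    esac
)

# Usage: make_pem_copy SRC DST
# Copies SRC to DST (mode 0600) and converts DST to PEM.
# ssh-keygen prompts for the passphrase, so it never appears in argv.
make_pem_copy() (
    src=$1 dst=$2
    if [ "$(key_format "$src")" != openssh ]; then
        echo "skip: $src is not in OPENSSH format" >&2
        return 1
    fi
    if [ -e "$dst" ]; then
        echo "refusing to overwrite $dst" >&2
        return 1
    fi
    umask 077
    cp -- "$src" "$dst" || return 1
    ssh-keygen -p -m PEM -f "$dst" || { rm -f -- "$dst"; return 1; }
    # Confirm the header really changed before handing the file to Nessus.
    if [ "$(key_format "$dst")" = openssh ]; then
        echo "conversion had no effect on $dst" >&2
        rm -f -- "$dst"
        return 1
    fi
    key_format "$dst"
)
```

For a passphrase-protected key, the legacy PEM encoding derives its encryption key with a weaker scheme than the OPENSSH format, so keep the PEM copy only where the scanner needs it.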

It is surprising of course that Nessus cannot recognize the key format and convert it automatically, but shows some strange errors instead. But this is the reality.

Hi! My name is Alexander and I am an Information Security Automation specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

This entry was posted in Video, Vulnerability Management and tagged DSA, Nessus, OpenSSH, pem, RSA, SSH, ssh-keygen, Tenable on July 31, 2021.
