Skip navigation
20845 Views 3 Replies Latest reply: Oct 4, 2013 7:35 AM by Andrey Kuznetsov RSS
Scott Miller Level 2 45 posts since
Nov 2, 2011
Currently Being Moderated

Apr 12, 2012 4:01 AM

How to create a Linux user

Qualys authenticated scans require a local account created on the host. I'll show you how to create this local user account!


The following guide applies to Red Hat / CentOS and Debian / Ubuntu Linux.

 


 

First, create a regular dedicated Qualys user account on your server with the adduser command.

 

 

Red Hat / CentOS:

 

# adduser scanner -G wheel

# passwd scanner

Changing password for scanner

New UNIX password:

Retype new UNIX password:

passwd: password updated successfully

 

 

 

 

Debian / Ubuntu:

 

user@debian:~$ sudo adduser scanner

Adding user `scanner' ...

Adding new group `scanner' (1001) ...

Adding new user `scanner' (1001) with group `scanner' ...

Creating home directory `/home/scanner' ...

Copying files from `/etc/skel' ...

Enter new UNIX password:

Retype new UNIX password:

passwd: password updated successfully

Changing the user information for scanner

Enter the new value, or press ENTER for the default

        Full Name []:

        Room Number []:

        Work Phone []:

        Home Phone []:

        Other []:

Is the information correct? [Y/n] y

 

 

 

Add to sudo group (Debian / Ubuntu specific step):

 

$ sudo gpasswd -a scanner sudo

Adding user scanner to group sudo

 

 

 


 

Next, manually login via ssh as that user to test ssh authentication is working and enabled for the user.

 

 

$ ssh scanner@host

The authenticity of host '10.112.12.60 (10.112.12.60)' can't be established.

RSA key fingerprint is 0d:7a:54:84:b3:cd:42:13:68:ea:aa:07:41:6e:5e:34.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '10.112.12.60' (RSA) to the list of known hosts.

scanner@hosts's password:

[scanner@localhost ~]$

 


 

Now generate ssh keys for use in the Qualys Authentication record. Passphrase must be blank (hit enter).

 

[scanner@localhost ~]$ ssh-keygen -t rsa

Generating public/private rsa key pair.

Enter file in which to save the key (/home/scanner/.ssh/id_rsa):

Created directory '/home/scanner/.ssh'.

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /home/scanner/.ssh/id_rsa.

Your public key has been saved in /home/scanner/.ssh/id_rsa.pub.

The key fingerprint is:

c5:a8:9e:6c:67:62:d4:e0:84:ea:5a:8f:02:0f:47:d4 scanner@localhost.localdomain

 

 


 

 

Next, display your private key on screen to copy onto the Qualys Authentication record. Keep this key secret.

 

[scanner@localhost ~]$ cat .ssh/id_rsa

-----BEGIN RSA PRIVATE KEY-----

MIIEoAIBAAKCAQEAlxaYx8dYRn8oAthkHUC0qON4fzw2H04Z28Lyxwo+aXNYSLuY

/gjjjkCi0UA2R1OT5XlKCB1QjPvPBjjlPhO5hCTuvLQWmSbG+8giS9f3MOAjmoDc

chG6PevD/v//95Gbs/FowNJ0RTVPN7KnqhD+dIR1E9zcPJN6bFUaPNDlcgftv6us

5HGs7SnX1vfNnxoX/0j6tl+fPgaGDYg3Mqo52BAj9sATR/Ji/KfR7WsJ9HE23X5U

XKFqVbVztIx0ojVMPS+A6pbmLE4sOqTzP8mItV/mkUHf+XkiBQt/g7JKQn8hPbJj

eCAd8HhDKruBHogQbg7Lq13HyxeO1EudrtCqKQIBIwKCAQB9L/rurHxXqy/H193s

Wi9KG4+54W6sOWXh+UzQzfkyzUkmUkuQqEeEfrLKouslJ/4zKfuDEPmZYu1c7VA6

v+LbNItL5axTAt9i56djaczQubcZnfh7xYuvphds4r4k5lxwhjI5XetPSW2F68zA

HLWTvjUfFhWRRv8JTdPpP18GtNbFnnfbkWNBNMn4XCEn5nVoytAH+g1gZ+qaNc2b

v5msHBT2e/elkWlEKcHNr6RvM0AeeMtUa/3fr+JVbCXQF+2or0+V5i9suAqbrfOo

lgghovOD2o0OGzyEyWjTVSwlBXs8N36FeZEfTdqCnErsBBYXXY1d2D7fYlOHbdZF

2GsLAoGBAMkoxPcCRqcpYNKzdMbNdg3fwQXm+QHbo97JV2DAxR2vtZeAZsPd/KLn

BMY/H4XJRyK9c6zIE85zxCRh2QbCUdODQfG4X43/xNtCDnmnDDJmekMQpgCoVKl4

CDT4K2HnySoy8tLafby061pnval9oNoAgXkCnV1nQMMwLPwQ55/xAoGBAMBHSsQf

ywC7tXJ8LlGP1IU/9EkvtGnuCIwgJN5L/d5G+t0X5wE4NJlQnMmBFm5D2pHGTLsC

htw96BIGFmxgU9V7lZA/gqNZ4CmvdRW7nlVScGvzIVhjbYfJcVBx/M2PIhuwau8X

BtVlN8aPSgpyZrHVxCOha/sy7V4Aq7l+lGW5AoGARPgJBDtLbIM3I6s9+wSdgRmE

AgYMOya711r5YwBDlSZM43x7AVNsj5+p3ZH8Ld6cC+ku+WkrXLn6Gxo7x82YZcaa

RD82tFexNTs4KbWdyCMimqafUK698PX0L2sHj0gntrJh4eSC4Z0dfhTwkeHuAZnF

/Zp/GLWvzeShtYIjh0sCgYBi4tX+dsAsQ0dfcxCBt68f9QFKNcp/nv0U3VTKGHPu

qCk+gVI7JDhO2QAtHdEFgftg6aPN5ArXqs8fNlSsw9NX2ShY0DSOhf5BUuvCCLfU

G8TJzX7c/+8v4/EiDryG+Sd79FRAcj4HWKBXfOQ/4xA+M2wvlNhyjzg++QfbvXDj

2wKBgAuv5S8Rh26mN6E3wuQHgnM4qWHMvjVhOXIi4+L28BF75frab3DSN1hbdDKQ

Vjhql4uSNBBwPV7Y1EQOY6Sl0oKCNubK8i8v6dLlxp4WppH5+nyOmwChvTK5Avzr

fxHpl9TjiDzgyjvgo+vcphtbcABy97CnN04bjmPtt+SEV0mm

-----END RSA PRIVATE KEY-----

 

 

 


Finally, create a Unix Qualys Authentication Record to use for authenticated scanning.

 

unix_record.png

 


 

Notes:

 

 

- Optionally ssh-keygen -t dsa can be executed to generate a DSA key. RSA keys generated with ssh-keygen are 2048 by default and are no longer patent encumbered. DSA key length is limited to 1024.

 

 

- wheel or sudo group access for sudo privileges is optional but recommended for full auditing.

  • Ron Brown Lurker 3 posts since
    Mar 20, 2013
    Currently Being Moderated
    Jun 13, 2013 9:54 AM (in response to Scott Miller)
    How to create a Linux user

    Hi Scott.  We hadn't been running authenticated scans against our Linux hosts, but we are wanting to start.  I followed this article and everything worked great.  I have one question.  Is this the only way to setup authenticated scans on LInux hosts, so basically we would have make a new Authentication record for each Linux machine that we want to run authenticated scans against?  Thanks.

  • Andrey Kuznetsov Lurker 1 posts since
    Feb 14, 2013
    Currently Being Moderated
    Oct 4, 2013 7:35 AM (in response to Scott Miller)
    How to create a Linux user

    Hi everyone,

     

    We have such issue:

    When the qualys authentication record account login to the *nix servers via ssh protocol version2 it receives standard message:

    «The authenticity of host can’t be established.

    RSA key fingerprint is XXXXXXXXXXXXXXXXXX.

    Are you sure you want to continue connecting (yes/no)?»

     

    Then qualys authentication record account can’t answer for it, ssh session ends & that’s why qualys authentication record account have authentication failure.

     

    Could we configure qualys authentication record somehow to answer for this standard message?

     

    Thanks in advance.

More Like This

  • Retrieving data ...

Bookmarked By (4)