3 Replies Latest reply: Oct 4, 2013 7:35 AM by Andrey Kuznetsov

How to create a Linux user

Scott Miller

Qualys authenticated scans require a local account created on the host. I'll show you how to create this local user account!


The following guide applies to Red Hat / CentOS and Debian / Ubuntu Linux.

First, create a regular dedicated Qualys user account on your server with the adduser command.

Red Hat / CentOS:

# adduser scanner -G wheel
# passwd scanner
Changing password for scanner
New UNIX password:
Retype new UNIX password:
passwd: password updated successfully

Debian / Ubuntu:

user@debian:~$ sudo adduser scanner
Adding user `scanner' ...
Adding new group `scanner' (1001) ...
Adding new user `scanner' (1001) with group `scanner' ...
Creating home directory `/home/scanner' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for scanner
Enter the new value, or press ENTER for the default
        Full Name []:
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] y

Add to sudo group (Debian / Ubuntu specific step):

$ sudo gpasswd -a scanner sudo
Adding user scanner to group sudo

Next, manually log in via ssh as that user to test that ssh authentication is working and enabled for the user.

$ ssh scanner@host
The authenticity of host '10.112.12.60 (10.112.12.60)' can't be established.
RSA key fingerprint is 0d:7a:54:84:b3:cd:42:13:68:ea:aa:07:41:6e:5e:34.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.112.12.60' (RSA) to the list of known hosts.
scanner@hosts's password:
[scanner@localhost ~]$

Now generate ssh keys for use in the Qualys Authentication record. The passphrase must be blank (hit enter).

[scanner@localhost ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/scanner/.ssh/id_rsa):
Created directory '/home/scanner/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/scanner/.ssh/id_rsa.
Your public key has been saved in /home/scanner/.ssh/id_rsa.pub.
The key fingerprint is:
c5:a8:9e:6c:67:62:d4:e0:84:ea:5a:8f:02:0f:47:d4 scanner@localhost.localdomain

Next, display your private key on screen to copy onto the Qualys Authentication record. Keep this key secret.

[scanner@localhost ~]$ cat .ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

Finally, create a Unix Qualys Authentication Record to use for authenticated scanning.

(screenshot: unix_record.png)

Notes:

- Optionally, ssh-keygen -t dsa can be executed to generate a DSA key. RSA keys generated with ssh-keygen are 2048 by default and are no longer patent encumbered. DSA key length is limited to 1024.

- wheel or sudo group access for sudo privileges is optional but recommended for full auditing.
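The whole procedure above, Red Hat and Debian branches included, as one script. This is an added example and not Scott's code: it assumes /etc/os-release is present and that the account is named scanner (override with SCAN_USER); it only creates anything when run as root with PROVISION=1, and the individual functions can be used on their own to check an existing account.

```shell
#!/bin/sh
# Provision the dedicated scanner account from the guide above in one pass.
# Added example, not from the original post. Assumes /etc/os-release exists;
# the account name is a choice. Provisions only as root with PROVISION=1.
set -eu

SCAN_USER="${SCAN_USER:-scanner}"

# Map an /etc/os-release ID (or ID_LIKE token) to the distro's admin group.
admin_group_for() {
    case "$1" in
        rhel|centos|fedora) echo wheel ;;
        debian|ubuntu)      echo sudo ;;
        *)                  return 1 ;;
    esac
}

# Try ID first, then the ID_LIKE fallbacks (e.g. a CentOS clone reports rhel).
detect_admin_group() {
    ids=$(. /etc/os-release && echo "${ID:-} ${ID_LIKE:-}")
    for token in $ids; do
        admin_group_for "$token" && return 0
    done
    return 1
}

# sshd ignores authorized_keys when ~/.ssh or the key files are too open, so
# require exactly 700 / 600. "find -prune -perm MODE" is an exact-mode test
# that behaves the same with GNU, BSD and BusyBox find.
check_key_perms() {
    home="$1"
    [ -n "$(find "$home/.ssh" -prune -perm 700 2>/dev/null)" ] || return 1
    [ -n "$(find "$home/.ssh/id_rsa" -prune -perm 600 2>/dev/null)" ] || return 1
}

# Create the account, grant sudo through the distro group, generate an RSA
# key with an empty passphrase (the Qualys record needs that) and authorise
# its public half so the private key pasted into the record can log in.
provision_scanner_user() {
    group=$(detect_admin_group)
    id "$SCAN_USER" >/dev/null 2>&1 || useradd -m "$SCAN_USER"
    usermod -aG "$group" "$SCAN_USER"
    home=$(getent passwd "$SCAN_USER" | cut -d: -f6)
    [ -f "$home/.ssh/id_rsa" ] || su - "$SCAN_USER" -c \
        'umask 077; ssh-keygen -t rsa -b 2048 -N "" -f ~/.ssh/id_rsa && cat ~/.ssh/id_rsa.pub > ~/.ssh/authorized_keys'
    check_key_perms "$home"
}

if [ "${PROVISION:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then provision_scanner_user; fi
```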

  • How to create a Linux user
    Ron Brown

    Hi Scott. We hadn't been running authenticated scans against our Linux hosts, but we are wanting to start. I followed this article and everything worked great. I have one question. Is this the only way to set up authenticated scans on Linux hosts, so basically we would have to make a new Authentication record for each Linux machine that we want to run authenticated scans against? Thanks.

    • Re: How to create a Linux user
      Scott Miller

      Hi,

      Yes, you can have one single authentication record that works for all Linux hosts in your company.

      I would suggest establishing a dedicated 'scanner' Linux user account across all of your machines that has sudo privileges. Use the same SSH key or same password across all servers for this account.

      Then this one authentication record can do authenticated scanning across all machines.

      For security, there are ways to restrict or give other settings to the scanner user account in /etc/ssh/sshd_config on your servers:

      # The IP of my Qualys scanner
      Match Address 172.16.1.202
      PasswordAuthentication yes

      This, when placed at the bottom of sshd_config, would allow password authentication but only from the Qualys scanner, as one example.

      Cheers,
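The Match idea from the reply, as an added example rather than Scott's configuration: it assumes the same scanner address 172.16.1.202 and the account name scanner, narrows the Match with a User criterion so the exception applies to that account only, and checks the ordering rule the reply depends on (the block has to be last, because every directive after a Match line belongs to it).

```shell
#!/bin/sh
# Build the sshd_config fragment from the reply above and check that it is the
# last thing in the file. Added example, not Scott's configuration: the address,
# the account name and the config path are assumed values.
set -eu

# Global default first, then a Match block that re-enables password auth for
# this account only when the connection comes from the Qualys scanner address.
scanner_match_block() {
    user="$1"; addr="$2"
    printf '%s\n' \
        "PasswordAuthentication no" \
        "" \
        "Match User $user Address $addr" \
        "    PasswordAuthentication yes"
}

# sshd_config is order-sensitive: every directive after a Match line belongs
# to that block until the next Match, and some keywords may not appear inside
# a Match block at all, so sshd rejects the file when one follows it.
# Returns 1 when such a global-only keyword appears after the first Match.
check_match_order() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }          # blank lines and comments
        tolower($1) == "match" { in_match = 1; next }
        in_match && tolower($1) ~ /^(port|listenaddress|hostkey|usepam|subsystem|ciphers|macs|kexalgorithms)$/ { bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# Append the fragment to a config and verify it. On the server itself,
# "sshd -t -f FILE" parses the result and "sshd -T -C user=scanner,addr=ADDR"
# prints the options sshd would actually apply to that connection.
install_scanner_match() {
    conf="$1"; user="$2"; addr="$3"
    scanner_match_block "$user" "$addr" >> "$conf"
    check_match_order "$conf"
}
```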

  • How to create a Linux user
    Andrey Kuznetsov

    Hi everyone,

    We have the following issue:

    When the Qualys authentication record account logs in to the *nix servers via ssh protocol version 2, it receives the standard message:

    "The authenticity of host can't be established.
    RSA key fingerprint is XXXXXXXXXXXXXXXXXX.
    Are you sure you want to continue connecting (yes/no)?"

    Then the Qualys authentication record account can't answer it, the ssh session ends, and that's why the Qualys authentication record account has an authentication failure.

    Could we configure the Qualys authentication record somehow to answer this standard message?

    Thanks in advance.