3 Replies Latest reply on Oct 4, 2013 7:35 AM by Andrey Kuznetsov

    How to create a Linux user

    Scott Miller Level 2

      Qualys authenticated scans require a local account created on the host. I'll show you how to create this local user account!


      The following guide applies to Red Hat / CentOS and Debian / Ubuntu Linux.

      First, create a regular dedicated Qualys user account on your server with the adduser command.

      Red Hat / CentOS:

      # adduser scanner -G wheel
      # passwd scanner
      Changing password for scanner
      New UNIX password:
      Retype new UNIX password:
      passwd: password updated successfully


      Debian / Ubuntu:

      user@debian:~$ sudo adduser scanner
      Adding user `scanner' ...
      Adding new group `scanner' (1001) ...
      Adding new user `scanner' (1001) with group `scanner' ...
      Creating home directory `/home/scanner' ...
      Copying files from `/etc/skel' ...
      Enter new UNIX password:
      Retype new UNIX password:
      passwd: password updated successfully
      Changing the user information for scanner
      Enter the new value, or press ENTER for the default
              Full Name []:
              Room Number []:
              Work Phone []:
              Home Phone []:
              Other []:
      Is the information correct? [Y/n] y


      Add to sudo group (Debian / Ubuntu specific step):

      $ sudo gpasswd -a scanner sudo
      Adding user scanner to group sudo


      Next, manually log in via ssh as that user to test that ssh authentication is working and enabled for the user.


      $ ssh scanner@host
      The authenticity of host '10.112.12.60 (10.112.12.60)' can't be established.
      RSA key fingerprint is 0d:7a:54:84:b3:cd:42:13:68:ea:aa:07:41:6e:5e:34.
      Are you sure you want to continue connecting (yes/no)? yes
      Warning: Permanently added '10.112.12.60' (RSA) to the list of known hosts.
      scanner@host's password:
      [scanner@localhost ~]$


      Now generate ssh keys for use in the Qualys Authentication record. Passphrase must be blank (hit enter).


      [scanner@localhost ~]$ ssh-keygen -t rsa
      Generating public/private rsa key pair.
      Enter file in which to save the key (/home/scanner/.ssh/id_rsa):
      Created directory '/home/scanner/.ssh'.
      Enter passphrase (empty for no passphrase):
      Enter same passphrase again:
      Your identification has been saved in /home/scanner/.ssh/id_rsa.
      Your public key has been saved in /home/scanner/.ssh/id_rsa.pub.
      The key fingerprint is:
      c5:a8:9e:6c:67:62:d4:e0:84:ea:5a:8f:02:0f:47:d4 scanner@localhost.localdomain


      Next, display your private key on screen to copy onto the Qualys Authentication record. Keep this key secret.

      [scanner@localhost ~]$ cat .ssh/id_rsa
      -----BEGIN RSA PRIVATE KEY-----
      (private key material omitted)
      -----END RSA PRIVATE KEY-----

      Finally, create a Unix Qualys Authentication Record to use for authenticated scanning.

      [screenshot: unix_record.png]


      Notes:

      - Optionally ssh-keygen -t dsa can be executed to generate a DSA key. RSA keys generated with ssh-keygen are 2048 by default and are no longer patent encumbered. DSA key length is limited to 1024.

      - wheel or sudo group access for sudo privileges is optional but recommended for full auditing.

        • How to create a Linux user
          Ron Brown Lurker

          Hi Scott.  We hadn't been running authenticated scans against our Linux hosts, but we are wanting to start.  I followed this article and everything worked great.  I have one question.  Is this the only way to set up authenticated scans on Linux hosts, so basically we would have to make a new Authentication record for each Linux machine that we want to run authenticated scans against?  Thanks.

            • Re: How to create a Linux user
              Scott Miller Level 2

              Hi,

              Yes, you can have one single authentication record that works for all Linux hosts in your company.

              I would suggest establishing a dedicated 'scanner' Linux user account across all of your machines that has sudo privileges. Use the same SSH key or same password across all servers for this account.

              Then this one authentication record can do authenticated scanning across all machines.

              For security, there are ways to restrict or give other settings to the scanner user account in /etc/ssh/sshd_config on your servers:

              # The IP of my Qualys scanner
              Match Address 172.16.1.202
              PasswordAuthentication yes

              This, when placed at the bottom of sshd_config, would allow password authentication but only from the Qualys scanner, as one example.

              Cheers,
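
The provisioning steps from the guide above and the sshd_config restriction from this reply, assembled into one script as an added example (not the original poster's commands and not Qualys documentation): it creates the dedicated 'scanner' account with the distro's admin group, installs a public key generated once on the scanner side instead of copying a host's private key into the record, and writes a stricter Match block that admits the account only from the scanner address and only with a key. Assumed: root, /etc/os-release, an sshd that includes /etc/ssh/sshd_config.d/*.conf, and placeholder values for the drop-in name 50-scanner.conf and the scanner IP argument.

```shell
#!/bin/sh
# Added example (not from the original post): provision the dedicated
# 'scanner' account on Debian/Ubuntu or Red Hat/CentOS, install a public
# key generated once on the scanner side, and restrict the account in sshd.
# Assumes root, /etc/os-release, and sshd including sshd_config.d/*.conf
# (on older systems append the Match block to the end of sshd_config).

# Map an os-release ID to the group that grants sudo rights on that distro.
sudo_group_for() {
  case "$1" in
    debian|ubuntu)      echo sudo ;;
    rhel|centos|fedora) echo wheel ;;
    *)                  return 1 ;;
  esac
}

# Read ID= from an os-release style file (path is a parameter for testing).
os_id_from() {
  sed -n 's/^ID=//p' "$1" | tr -d '"'
}

# Accept only an OpenSSH public key line, so a private key is never installed.
is_pubkey_line() {
  case "$1" in
    "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Match blocks: deny 'scanner' from every address except $1, and key-only auth.
scanner_sshd_block() {
  printf 'Match User scanner Address *,!%s\n    DenyUsers scanner\n' "$1"
  printf 'Match User scanner\n    PasswordAuthentication no\n    AuthenticationMethods publickey\n'
}

provision_scanner() {   # $1 = public key line, $2 = scanner appliance IP
  grp=$(sudo_group_for "$(os_id_from /etc/os-release)") || { echo "unsupported distro" >&2; return 1; }
  is_pubkey_line "$1" || { echo "refusing: not an OpenSSH public key line" >&2; return 1; }
  id scanner >/dev/null 2>&1 || useradd -m -s /bin/bash scanner
  usermod -aG "$grp" scanner
  home=$(getent passwd scanner | cut -d: -f6)
  install -d -m 700 -o scanner -g "$(id -gn scanner)" "$home/.ssh"
  printf '%s\n' "$1" > "$home/.ssh/authorized_keys"
  chown "scanner:$(id -gn scanner)" "$home/.ssh/authorized_keys"
  chmod 600 "$home/.ssh/authorized_keys"
  conf=/etc/ssh/sshd_config.d/50-scanner.conf
  scanner_sshd_block "$2" > "$conf"
  sshd -t || { rm -f "$conf"; return 1; }   # roll back on a bad config; then reload sshd
}
```

Run it as `provision_scanner "$(cat scanner.pub)" 172.16.1.202` on each host, then reload sshd; the sshd_config checks it writes are the same ones you can inspect with `sshd -T`.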

            • How to create a Linux user
              Andrey Kuznetsov Lurker

              Hi everyone,

              We have the following issue:
              When the Qualys authentication record account logs in to the *nix servers via SSH protocol version 2, it receives the standard message:
              «The authenticity of host can't be established.
              RSA key fingerprint is XXXXXXXXXXXXXXXXXX.
              Are you sure you want to continue connecting (yes/no)?»

              Then the Qualys authentication record account can't answer it, the SSH session ends, and that's why the Qualys authentication record account gets an authentication failure.

              Could we somehow configure the Qualys authentication record to answer this standard message?

              Thanks in advance.