Enable SSH Public Key Authentication

  1. At a system with FIPS enabled. Generating the key there ensures that the MD5 digest algorithm is not used during key generation; servers, whether FIPS-enabled or not, will be able to use the public key generated by the FIPS-enabled client.
    • # mkdir ~/keys/
    • # chmod 700 ~/keys/
    • # ssh-keygen -b 4096 -f ~/keys/id_rsa -t rsa
    • # chmod 400 ~/keys/*
    • Transfer the public key (id_rsa.pub) to the /tmp directory of the target system via an approved transfer method.
    • Copy the key pair off the system and store it in a safe location.
  2. At target system(s):
    • # useradd testuser
    • # passwd -l testuser
    • # mkdir -p /etc/ssh/authorized_keys
    • # chmod 0755 /etc/ssh/authorized_keys
    • # chown -R root:root /etc/ssh/authorized_keys
    • # cat /tmp/id_rsa.pub > /etc/ssh/authorized_keys/testuser-authorized_keys
    • # chmod 400 /etc/ssh/authorized_keys/testuser-authorized_keys
    • # chown testuser:testuser /etc/ssh/authorized_keys/testuser-authorized_keys
    • Ensure the following parameters are set in the OpenSSH daemon configuration file:
      • PubkeyAuthentication yes
      • AuthorizedKeysFile /etc/ssh/authorized_keys/%u-authorized_keys
      • Restart sshd if changes were made to the OpenSSH daemon configuration file.
  3. At Tenable.sc:
    • Add a new SSH credential using the “Public Key” authentication method.
    • Perform a scan with the newly created credential to verify that it authenticates successfully.
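Before running the scan in step 3, it is worth confirming that the target-side layout from step 2 is actually what sshd will accept; a key file that is group-readable or a directive that is still commented out fails silently as an "authentication failed" scan result. The following check script is an added example, not part of the original procedure. It assumes Linux with GNU coreutils (stat -c), the /etc/ssh/authorized_keys/%u-authorized_keys naming from the sshd_config line above, and takes the expected directory owner as an optional argument (root on a real target) purely so the checks can be exercised in a scratch directory by an unprivileged user.

```shell
#!/bin/sh
# Added example, not part of the original procedure: verify the target-side
# layout from step 2 before running the credentialed scan in step 3.
# Assumptions: Linux with GNU coreutils (stat -c); the per-user file name
# follows the %u-authorized_keys pattern used in the sshd_config line above.

# check_authorized_keys_setup USER KEYDIR SSHD_CONFIG [DIR_OWNER]
# DIR_OWNER defaults to root (as on a real target); it is a parameter only so
# the checks can be run against a scratch directory by an unprivileged user.
# Prints one line per failed check; returns the number of failures (0 = ok).
check_authorized_keys_setup() {
    user="$1"; keydir="$2"; cfg="$3"; dir_owner="${4:-root}"
    keyfile="$keydir/${user}-authorized_keys"
    fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

    # Directory: owned by root, mode 0755 so sshd can traverse it, never writable by others.
    if [ ! -d "$keydir" ]; then
        fail "$keydir does not exist"
    else
        [ "$(stat -c '%a' "$keydir")" = "755" ] || fail "$keydir is not mode 0755"
        [ "$(stat -c '%U' "$keydir")" = "$dir_owner" ] || fail "$keydir is not owned by $dir_owner"
    fi

    # Per-user key file: mode 0400, owned by the scan user, containing an ssh-rsa public key.
    if [ ! -f "$keyfile" ]; then
        fail "$keyfile does not exist"
    else
        [ "$(stat -c '%a' "$keyfile")" = "400" ] || fail "$keyfile is not mode 0400"
        [ "$(stat -c '%U' "$keyfile")" = "$user" ] || fail "$keyfile is not owned by $user"
        grep -q '^ssh-rsa ' "$keyfile" || fail "$keyfile contains no ssh-rsa public key"
    fi

    # sshd_config: both directives from step 2 present, uncommented, with the expected values.
    grep -Eq '^[[:space:]]*PubkeyAuthentication[[:space:]]+yes' "$cfg" \
        || fail "PubkeyAuthentication yes is not set in $cfg"
    grep -Eq "^[[:space:]]*AuthorizedKeysFile[[:space:]]+$keydir/%u-authorized_keys" "$cfg" \
        || fail "AuthorizedKeysFile does not point at $keydir/%u-authorized_keys in $cfg"

    return "$fails"
}
```

On a real target run it as `check_authorized_keys_setup testuser /etc/ssh/authorized_keys /etc/ssh/sshd_config` and expect no FAIL lines before restarting sshd.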