SSH Proxy Connection details:

Credential Escalation

The normal use of a credential is a direct login into a device. The iQSonar Scan Engine takes the credential, creates a suitable connection and passes the credential over the connection to access the remote device.

Credential escalation is required when the direct credential login described above is not possible, that is, when the connectivity from the scan engine to the target does not allow a direct login into the remote device.

Parent credential: The parent credential provides the login user and password for a device or a group of devices. This credential should be created as if a direct connection to the device(s) was available. The only modification is that the connection type should be set to SSHProxy.

Child credential: The child credential provides a login user and password to access the proxy. It also specifies the onward connection method, and allows the credential information provided in the parent credential to be used to remotely access the device through the proxy.

The parent-child credential set allows this two-stage process to be created.


The Child credential (proxy credential) is likely to be shared between a number of Parent credentials. For this reason, once the child credential is attached to a parent credential, the child is no longer editable from the UI. This is to ensure that the proxy credential is only modified in a controlled manner.






Step-by-Step guide:

The SSH Proxy credentials need to be set up manually because, at the moment, they cannot be imported. This configuration will scan a server through an SSH Proxy. To set it up, do the following:

  1. Navigate to the Locations page on the application
  2. Navigate to SSH Proxy location
  3. Select the location you want to set up the credential for

    Warning

    You cannot use both a normal SSH connection and a Proxy connection for the same location; you have to choose one or the other.


  4. Click on Connections tab
  5. Locate SSH and Telnet connections
  6. Deselect SSH and Telnet
  7. Press Save
  8. Navigate to Credentials tab of that location
  9. Click on the Create button
  10. Select SSH Proxy from the Credential Type drop down
  11. Enter a Label of "root-Password"
  12. Enter a "Proxy User Name" of "root"
  13. Enter a "Proxy Password" of "Falcon99"
  14. Enter a "Proxy Address" of "192.168.4.18"
  15. Enter a "Proxy Port" of "22"
  16. Enter a "Proxy Command" of "ssh -l {username} -o StrictHostKeyChecking=no {target}"
  17. Where:
    Proxy Username/Password are the credentials to connect to the Proxy server.
    Proxy address is the IP for the proxy server.
    Proxy Port is the port the SSH server is listening on.
    Proxy Command: ssh -l {username} -o StrictHostKeyChecking=no {target}

    Note

    Please note this proxy command is issued from the Proxy server when connecting to the target. This command will not be valid for all environments and will need to be tested before deployment.

    To test, you need to SSH to the proxy server and issue the command connecting to the target.

    i.e. ssh -l {proxyscan} -o StrictHostKeyChecking=no {target}

    Once you issue the command you should be presented with the SSH prompt on the target system.

    Enter a "Proxy Prompt" of "Password"

    Proxy Prompt: When the proxy server connects to the target, if a password has been specified in the Parent credential, the SSH Proxy Connector will search the output coming back from the target for a line starting with this prompt. Once that line is received, the Parent password will be sent to the target through the proxy server.

  18. Click the "Save & Close" button
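
The checks below are an added example, not iQSonar code: they render the Proxy Command template from the steps above, flag a command that turns off SSH host key verification, and test whether output captured during the manual test contains a line starting with the configured Proxy Prompt. The allow-list for substituted values, the case-sensitive prefix match, the address 10.0.0.5 and the sample output are assumptions constructed for illustration.

```python
import re

# Assumed allow-list for values substituted into a command the proxy's shell
# will parse (assumption: the product does no quoting of its own).
SAFE_VALUE = re.compile(r"[A-Za-z0-9._-]+")
PLACEHOLDER = re.compile(r"\{(\w+)\}")


def render_proxy_command(template, username, target):
    """Fill {username} and {target}; refuse unknown placeholders and unsafe values."""
    values = {"username": username, "target": target}
    unknown = set(PLACEHOLDER.findall(template)) - set(values)
    if unknown:
        raise ValueError(f"unknown placeholders: {sorted(unknown)}")
    for name, value in values.items():
        if not SAFE_VALUE.fullmatch(value) or value.startswith("-"):
            raise ValueError(f"unsafe {name}: {value!r}")
    return PLACEHOLDER.sub(lambda m: values[m.group(1)], template)


def find_prompt_line(output, proxy_prompt):
    """Return the first output line that starts with the prompt, else None."""
    for line in output.splitlines():
        if line.startswith(proxy_prompt):  # assumed: exact, case-sensitive prefix
            return line
    return None


def host_key_checking_disabled(command):
    """True when the command turns off SSH host key verification."""
    return re.search(r"StrictHostKeyChecking\s*=?\s*no\b", command, re.I) is not None


TEMPLATE = "ssh -l {username} -o StrictHostKeyChecking=no {target}"  # from the page

# Constructed samples of what a target might print during the manual test.
PAM_STYLE = "Warning: Permanently added '10.0.0.5' (ED25519) to the list of known hosts.\nPassword: "
OPENSSH_STYLE = "proxyscan@10.0.0.5's password: "

if __name__ == "__main__":
    cmd = render_proxy_command(TEMPLATE, "proxyscan", "10.0.0.5")
    print(cmd)
    print("host key checking disabled:", host_key_checking_disabled(cmd))
    for sample in (PAM_STYLE, OPENSSH_STYLE):
        print(repr(find_prompt_line(sample, "Password")))
```

With a Proxy Prompt of "Password", the second sample never matches under these assumptions, so the prompt value should be taken from what the target actually prints during the manual test.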

Associate the Child Credential with the Parent Credential

  • On the parent credential, in this case the "Unix Linux" credential with label "root-falcon", click the "Edit" button
  • Click on the "Child Credential" drop down
  • Select the child credential, in this case the one labelled "root-Falcon99"

    Create Target Credential

    1. Create a new SSH credential:
    2. Select credential type Unix Linux
    3. Create a label that will make it easy to identify the credential
    4. Insert the username that will be used to establish the connection from the proxy server to the target
    5. From the Child Credential drop-down menu select the desired proxy credential to be used.
    6. Click the "Save & Close" button

    Related issues: CS-1441