SSH Proxy Setup for scanning
SSH Proxy Connection details:
Credential Escalation
The normal use of a credential is a direct login into a device. The iQSonar Scan Engine takes the credential, creates a suitable connection and passes the credential over that connection to access the remote device.
Credential escalation is required when such a direct credential login is not possible, i.e. the connectivity from the scan engine to the target does not allow a direct login into the remote device.
Parent credential: Provides the login user and password for a device or a group of devices. This credential should be created as if a direct connection to the device(s) were available; the only modification is that the connection type should be set to SSHProxy.
Child credential: Provides the login user and password used to access the proxy. It also specifies the onward connection method and allows the credential information in the parent credential to be used to access the device remotely through the proxy.
The parent/child credential set allows this two-stage process to be created.
The child credential (proxy credential) is likely to be shared between a number of parent credentials. For this reason, once the child credential is attached to a parent credential, the child is no longer editable from the UI. This ensures that the proxy credential is only modified in a controlled manner.
Step-by-Step guide:
The SSH Proxy credentials need to be set up manually because, at the moment, they cannot be imported. This configuration will scan a server through an SSH Proxy. To do this, do the following:
- Navigate to the Locations page on the application
- Select the location you want to set up the credential for
  Note: you cannot use the normal SSH connection and the Proxy connection for the same location; you have to choose between SSH and Proxy for that location
- Click on the Connections tab
- Locate the SSH and Telnet connections
- Deselect SSH and Telnet
- Press Save
- Navigate to the Credentials tab of that location
- Click on the Create button
- Select SSH Proxy from the Credential Type drop-down
Where:
Proxy Username/Password are the credentials to connect to the Proxy server.
Proxy address is the IP for the proxy server.
Port is the port the SSH server is listening on.
Proxy Command: ssh -l {username} -o StrictHostKeyChecking=no {target}
Note: this proxy command is issued from the Proxy server when connecting to the target. It will not be valid for all environments and must be tested before deployment.
To test it, SSH to the proxy server and issue the command against the target, e.g.:
ssh -l {proxyscan} -o StrictHostKeyChecking=no {target}
Once you issue the command you should be presented with the SSH prompt on the target system.
Proxy Prompt: When the proxy server connects to the target, if a password has been specified in the Parent credential, the SSH Proxy Connector searches the output coming back from the target for a line starting with this prompt. Once that line is received, the Parent password is sent to the target through the proxy server.
- Click the "Save & Close" button
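As an added example (not iQSonar's own code), the following Python models the Proxy Prompt matching described above on a constructed output stream: only a line that begins with the configured prompt triggers the reply, a prompt that arrives split across two reads is still recognised, and the Parent password is sent exactly once. The class, function and sample values are assumptions made for illustration.

```python
# Added example, not iQSonar code: a small model of the Proxy Prompt
# behaviour described above. Target output arrives through the proxy in
# arbitrary chunks; the connector waits for a line that *starts with* the
# configured prompt and only then sends the Parent password. Names are assumed.

class PromptWatcher:
    """Reports the first output line that starts with the configured prompt.
    A password prompt usually has no trailing newline and one read may cut it
    in half, so the unterminated tail of the buffer is checked on every feed.
    """

    def __init__(self, prompt: str):
        if not prompt:
            raise ValueError("prompt must be non-empty")
        self.prompt = prompt
        self._tail = ""          # partial line carried over between reads
        self.matched = False

    def feed(self, chunk: str) -> bool:
        """Return True exactly once: when a line starting with the prompt appears."""
        if self.matched:
            return False
        lines = (self._tail + chunk).split("\n")
        for line in lines:
            # "starting with": a prompt embedded mid-line does not count
            if line.lstrip("\r").startswith(self.prompt):
                self.matched = True
                return True
        self._tail = lines[-1]   # keep only the unterminated remainder
        return False


def drive_session(prompt: str, chunks, password: str) -> list:
    """Return the inputs the connector would write for a given output stream.
    Only the password line is sent, and only after the prompt is seen; the
    secret itself must never be copied into logs or diagnostics.
    """
    watcher = PromptWatcher(prompt)
    replies = []
    for chunk in chunks:
        if watcher.feed(chunk):
            replies.append(password + "\n")
    return replies


# Constructed sample output as it might arrive from the target via the proxy.
SAMPLE_CHUNKS = [
    "Warning: Permanently added 'target' (ED25519) to the list of known hosts.\n",
    "scanuser@target's pass",    # prompt split across two reads
    "word: ",
]
```

Running `drive_session("scanuser@target's password:", SAMPLE_CHUNKS, "example-pw")` returns a single reply, while a prompt string that only appears in the middle of a line (for example "password:" inside "Enter password: ") never triggers one.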
Create Target Credential
- Create a new SSH credential:
- Select credential type Unix Linux
- Create a label that will make it easy to identify the credential
- Insert the username that will be used to establish the connection from the proxy server to the target
- From the Child Credential drop-down menu select the desired proxy credential to be used.
- Click the "Save & Close" button