
Nessusd authentication



Let me raise the issue of user authentication on the
nessus server.  This is not the main goal of what nessus
was designed for.  But as nessus farms are feasible already,
this should be understood, somehow.

What we have got:

- User authentication is done on the server by means of a
  username and a static password.

- Server authentication is done by registering and verifying
  the public server key (cipher layer, only.)

What we need (proposal):

- An open auth protocol frame on top of the current one for the
  user authentication. It should support several authentication
  schemes (login/passwd, challenge/response, etc?)

- A user registering service on the server bundled with a cookie
  exchange, so that the server uses the cookie as the secret (and
  not the password) - see server authentication, above.

- A forwarding service, so that a nessus server can delegate the
  authentication request to another nessus server (authentication
  proxy service.)

- A sort of auth multiplexor service (and the management, necessary)
  so that the nessus server may consult an ACE server, an s/key data
  base, an /etc/passwd file et al. to authenticate a user.

If I understood Renaud right, he is planning to set up communication
between nessus servers for some reason.  So we need at least an
abstract authentication scheme that allows us to view another nessus
server as user that has to be authenticated.

Finally, I'm not going to propose to mix the cipher layer with the
auth stuff.  It must work independently of the former.

I volunteer to implement that auth stuff, but RFC, first.  Maybe I'm 
on the wrong side of the road and somebody sees that.
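The auth frame the post proposes (a cookie issued at registration as the secret, a challenge/response scheme beside legacy login/passwd, a multiplexor that picks the scheme, and forwarding to another server), sketched as an added example; this is not code from the post or from Nessus, and the scheme names, the HMAC-SHA256 response format and the PBKDF2 password table are my assumptions.

```python
import hashlib
import hmac
import secrets

class CookieScheme:
    """Challenge/response where the long-lived secret is a registration cookie, not the password."""
    def __init__(self):
        self.cookies = {}   # user -> cookie issued at registration (assumed server-side store)
        self.pending = {}   # user -> outstanding challenge nonce, single use

    def register(self, user):
        cookie = secrets.token_hex(16)        # delivered once to the client over the cipher layer
        self.cookies[user] = cookie
        return cookie

    def challenge(self, user):
        nonce = secrets.token_hex(16)         # fresh per attempt, so a captured response cannot be replayed
        self.pending[user] = nonce
        return nonce

    @staticmethod
    def respond(cookie, user, nonce):
        """Client side: prove knowledge of the cookie without sending it."""
        return hmac.new(cookie.encode(), f"{user}:{nonce}".encode(), hashlib.sha256).hexdigest()

    def verify(self, user, response):
        nonce = self.pending.pop(user, None)  # consume the nonce; a second use of the same response fails
        cookie = self.cookies.get(user)
        if nonce is None or cookie is None:
            return False
        return hmac.compare_digest(self.respond(cookie, user, nonce), response)

class PasswdScheme:
    """Legacy login/passwd backend: salted PBKDF2 hashes, constant-time comparison."""
    def __init__(self):
        self.table = {}

    def add(self, user, password):
        salt = secrets.token_bytes(16)
        self.table[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def verify(self, user, password):
        if user not in self.table:
            return False
        salt, digest = self.table[user]
        return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000), digest)

class AuthMux:
    """Multiplexor: dispatch by scheme name; unknown schemes are forwarded to an upstream server (proxy)."""
    def __init__(self, upstream=None):
        self.schemes = {}
        self.upstream = upstream

    def authenticate(self, scheme, user, credential):
        if scheme in self.schemes:
            return self.schemes[scheme].verify(user, credential)
        if self.upstream is not None:         # authentication proxy service
            return self.upstream.authenticate(scheme, user, credential)
        return False                          # no backend anywhere: deny, never fall open
```

A client registers once, then answers each login with respond(cookie, user, nonce); the server never sees the password again and a replayed response is rejected because the nonce was consumed.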
