Let me raise the issue of user authentication on the
nessus server. This is not the main goal nessus
was designed for. But as nessus farms are feasible already,
this should be understood, somehow.
What we have got:
- User authentication is done on the server by means of a
username and a static password.
- Server authentication is done by registering and verifying
the public server key (cipher layer only).
What we need (proposal):
- An open auth protocol frame on top of the current one for the
user authentication. It should support several authentication
schemes (login/passwd, challenge/response, etc.?)
- A user registering service on the server bundled with a cookie
exchange, so that the server uses the cookie as the secret (and
not the password) - see server authentication, above.
- A forwarding service, so that a nessus server can delegate the
authentication request to another nessus server (authentication
- A sort of auth multiplexor service (and the necessary management)
so that the nessus server may consult an ACE server, an s/key data
base, an /etc/passwd file et al. to authenticate a user.
If I understood Renaud right, he is planning to set up communication
between nessus servers for some reason. So we need at least an
abstract authentication scheme that allows us to view another nessus
server as user that has to be authenticated.
Finally, I'm not going to propose to mix the cipher layer with the
auth stuff. It must work independently of the former.
I volunteer to implement that auth stuff, but RFC first. Maybe I'm
on the wrong side of the road and somebody sees that.
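As an added illustration of the proposed auth frame (example code, not part of the original post or of nessus itself): a two-step exchange in which the client announces a scheme and user, the server issues a challenge, and a small multiplexor hands the client's proof to the backend for that scheme. The cookie table, the password table and the scheme names are constructed assumptions; the challenge/response scheme uses the registration cookie, never the password, as the HMAC secret.

```python
import hashlib
import hmac
import os

# Constructed sample data: a per-user cookie handed out at registration
# (the server then keeps this, not the password) and a legacy static
# password table standing in for an /etc/passwd-style backend.
COOKIES = {"alice": b"cookie-issued-at-registration"}
PASSWORDS = {"bob": "static-pw"}

def cr_proof(cookie: bytes, challenge: bytes) -> str:
    """Client side of challenge/response: HMAC of the server's nonce."""
    return hmac.new(cookie, challenge, hashlib.sha256).hexdigest()

# All backends share one signature so the multiplexor can treat them alike.
def cookie_backend(user: str, challenge: bytes, proof: str) -> bool:
    cookie = COOKIES.get(user)
    if cookie is None:
        return False
    return hmac.compare_digest(cr_proof(cookie, challenge), proof)

def passwd_backend(user: str, challenge: bytes, proof: str) -> bool:
    # Legacy scheme: the proof is the static password itself.
    return hmac.compare_digest(PASSWORDS.get(user, ""), proof)

# The "auth multiplexor": scheme name -> backend consulted for it.
SCHEMES = {"challenge-response": cookie_backend, "login/passwd": passwd_backend}

def server_hello(frame: dict) -> dict:
    """Step 1: client announces scheme and user; server issues a fresh challenge."""
    if frame.get("scheme") not in SCHEMES:
        return {"status": "unsupported-scheme"}
    return {"status": "challenge", "challenge": os.urandom(16)}

def server_verify(frame: dict, challenge: bytes) -> dict:
    """Step 2: server passes the proof to the backend for the chosen scheme."""
    ok = SCHEMES[frame["scheme"]](frame["user"], challenge, frame["proof"])
    return {"status": "ok" if ok else "denied"}

def run_exchange(scheme: str, user: str, secret) -> str:
    """Drive both sides of the frame; returns the server's final status."""
    hello = {"scheme": scheme, "user": user}
    reply = server_hello(hello)
    if reply["status"] != "challenge":
        return reply["status"]
    # A password client ignores the challenge; a cookie client answers it.
    proof = cr_proof(secret, reply["challenge"]) if scheme == "challenge-response" else secret
    return server_verify({**hello, "proof": proof}, reply["challenge"])["status"]
```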