OpenSSH Private Keys for Authentication
Summary
Nessus can now use OpenSSH formatted private keys for SSH authentication in local-checks scans. OpenSSH only supports the "SSH" standard format for ED25519 keys, so when Nessus introduced support for ED25519 keys for SSH authentication, it had to support the native OpenSSH key format. The change described here extends that support to private keys of the other SSH public key algorithm types.
Impact
Prior to this change, customers with RSA or ECDSA keys had to either generate their key pairs with "ssh-keygen -m pem" or use that command to convert existing OpenSSH-format private keys before they could be used with Nessus SSH credentials. Now customers can generate SSH keys with either PEM or OpenSSH formatted private keys and use them with Tenable local-checks credentials for Nessus scans.
Explanation
SSH private keys are stored on the file system as a base64-encoded block between a text header and footer. This outer encoding is called "PEM". OpenSSH's "ssh-keygen" command uses the labels "pem" or "pkcs8" to refer to the PKCS#8 binary encoding of the data inside the base64-encoded block. When "ssh-keygen" is used to create key pairs without a specified encoding, or with the format "rfc4716", the base64-encoded block is in the binary format defined by RFC4716.
PKCS#8 PEM-encoded private keys have a header like "-----BEGIN RSA PRIVATE KEY-----" or "-----BEGIN EC PRIVATE KEY-----" with a corresponding footer. RFC4716 PEM-encoded private keys can be identified by a header that looks like "-----BEGIN OPENSSH PRIVATE KEY-----" with a corresponding footer.
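The header check above is the practical way to tell the two formats apart before loading a key into a credential set. The following is an added example (not Tenable's or OpenSSH's code) that classifies a key file by its PEM label and, for the OpenSSH-native format, decodes the base64 block and reads its leading fields ("openssh-key-v1" magic, cipher name, KDF name, key type) to report the key algorithm and whether the key is passphrase-protected. The sample keys it builds are constructed placeholders, not real key material.

```python
import base64
import re
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"   # leading magic of the OpenSSH-native block

def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire 'string': 4-byte big-endian length followed by bytes."""
    return struct.pack(">I", len(data)) + data

def _read_ssh_string(buf: bytes, off: int):
    """Decode one SSH wire 'string' at offset; return (value, next offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_openssh_key(key_type: bytes, cipher: bytes = b"none", kdf: bytes = b"none") -> str:
    """Constructed sample: an OpenSSH-format key file with placeholder (all-zero) key bytes."""
    pub_blob = _ssh_string(key_type) + _ssh_string(b"\x00" * 32)
    body = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"")
            + struct.pack(">I", 1) + _ssh_string(pub_blob) + _ssh_string(b"\x00" * 64))
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

_PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+?)-----\s*(.*?)\s*-----END \1-----", re.S)
_PEM_LABELS = {"RSA PRIVATE KEY": "rsa", "EC PRIVATE KEY": "ec",
               "PRIVATE KEY": "pkcs8", "ENCRYPTED PRIVATE KEY": "pkcs8"}

def classify_private_key(text: str) -> dict:
    """Return {'format', 'label', 'key_type', 'encrypted'} for a PEM-wrapped private key file."""
    m = _PEM_RE.search(text)
    if not m:
        raise ValueError("no matching PEM header/footer found")
    label, b64 = m.group(1), m.group(2)
    if label == "OPENSSH PRIVATE KEY":
        blob = base64.b64decode("".join(b64.split()))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("OPENSSH header present but openssh-key-v1 magic is missing")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_ssh_string(blob, off)   # "none" means unencrypted
        kdf, off = _read_ssh_string(blob, off)      # "none" or "bcrypt"
        _, off = _read_ssh_string(blob, off)        # kdf options (skipped)
        off += 4                                    # uint32 number of keys
        pub, _ = _read_ssh_string(blob, off)        # public key blob starts with key type
        key_type, _ = _read_ssh_string(pub, 0)
        return {"format": "openssh", "label": label, "key_type": key_type.decode(),
                "encrypted": cipher != b"none"}
    if label in _PEM_LABELS:
        # The label alone identifies these; the base64 body is not parsed here.
        return {"format": "pem", "label": label, "key_type": _PEM_LABELS[label],
                "encrypted": label.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in text}
    raise ValueError(f"unrecognised PEM label: {label}")
```

An "encrypted" result means the key needs its passphrase supplied alongside the file when it is loaded into a credential set.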
Release Date
August 8, 2024