SSH Public Key Authentication rsa-sha2-256 and rsa-sha2-512 RSA algorithm support
Summary
Tenable is updating the Nessus plugin libraries so that customers can use the SHA-2-based RSA signature algorithms, rsa-sha2-256 and rsa-sha2-512, for SSH public key authentication to their systems. For years, Tenable products have supported RSA public/private keys both for system use and for client key authentication, and we have been working on supporting the newer, stronger RSA signature algorithms. Currently, Tenable products use the older ssh-rsa method, in which the authentication signature is made with SHA-1. Note that rsa-sha2-256 and rsa-sha2-512 sign with the same RSA key as ssh-rsa; only the hash used in the signature changes, so existing RSA keys do not need to be regenerated. For customers seeking a more secure scanning and configuration experience, Tenable products will now attempt to use rsa-sha2-512 or rsa-sha2-256 as the signature algorithm when RSA public keys are used, provided the scanned system supports them.
Impact
Customers currently performing client or server authentication with RSA public and private keys will now be able to do so with signature algorithms based on SHA-2 instead of SHA-1. This means that systems under restrictive crypto policies such as "FUTURE" or "FIPS" on Red Hat family operating systems, as well as restrictive settings on other OSes and devices, will now accept connections from Tenable products using RSA keys. Customers who wish to remove ssh-rsa from the accepted public key algorithms on devices scanned by Tenable products should now be able to do so without losing scanning ability.
Changes
Customers wishing to use rsa-sha2-256 or rsa-sha2-512 as their RSA signature algorithm for public key authentication will need to ensure that one or both of those algorithms are accepted by the SSH server on their devices (on OpenSSH this is the PubkeyAcceptedAlgorithms setting, called PubkeyAcceptedKeyTypes before OpenSSH 8.5; OpenSSH 8.8 and later already disable ssh-rsa signatures by default). Servers announce the algorithms they accept through the server-sig-algs extension (RFC 8308), and Tenable products will use the strongest one announced: rsa-sha2-512 if available, rsa-sha2-256 if 512 is not, and weaker ssh-rsa only if neither SHA-2 algorithm is announced by the scanned system.
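The selection order above, applied to the effective sshd configuration of a target, as an added example that is not Tenable's code. It reads an `sshd -T` style dump (the samples below are constructed, not captured from real hosts), pulls out the accepted public key algorithms, and reports which RSA signature algorithm a client with the scanner's preference order would use, including the two failure modes a practitioner should catch: a server that still only accepts ssh-rsa (connects, but with SHA-1 signatures) and a server that accepts no RSA algorithm at all (RSA key authentication cannot succeed). On a real host, run `sshd -T` as root and feed its output in place of the samples.

```shell
#!/usr/bin/env bash
# Added example, not part of the Tenable post. Evaluates which RSA
# signature algorithm would be negotiated against a given sshd config.

# Pick the RSA signature algorithm from a comma-separated list of accepted
# public key algorithms, in the preference order described in the post:
# rsa-sha2-512, then rsa-sha2-256, then legacy ssh-rsa.
# Prints the chosen algorithm, or "none" (exit 1) if the server accepts no
# RSA signature algorithm, in which case RSA key authentication fails.
pick_rsa_sig_alg() {
    accepted="$1"
    for alg in rsa-sha2-512 rsa-sha2-256 ssh-rsa; do
        case ",$accepted," in
            *",$alg,"*) printf '%s\n' "$alg"; return 0 ;;
        esac
    done
    printf 'none\n'
    return 1
}

# Extract the accepted public key algorithm list from an `sshd -T` dump.
# OpenSSH 8.5+ prints "pubkeyacceptedalgorithms"; older releases print
# "pubkeyacceptedkeytypes" for the same setting.
accepted_algs_from_dump() {
    printf '%s\n' "$1" | awk '
        $1 == "pubkeyacceptedalgorithms" || $1 == "pubkeyacceptedkeytypes" { print $2; exit }'
}

# Constructed sample dumps (hypothetical, not from real hosts).
# 1) OpenSSH default before 8.8: SHA-2 variants and legacy ssh-rsa accepted.
DUMP_DEFAULT='port 22
pubkeyauthentication yes
pubkeyacceptedalgorithms ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa'

# 2) Hardened: ssh-rsa removed, as the post says is now possible without
#    losing scanning ability.
DUMP_HARDENED='port 22
pubkeyauthentication yes
pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256'

# 3) Only rsa-sha2-256 offered: exercises the middle step of the fallback.
DUMP_SHA256_ONLY='pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-256'

# 4) Legacy-only (old OpenSSH keyword): connects, but via SHA-1 signatures.
DUMP_LEGACY_ONLY='pubkeyacceptedkeytypes ssh-rsa'

# 5) RSA disabled entirely: RSA key authentication cannot succeed.
DUMP_NO_RSA='pubkeyacceptedalgorithms ssh-ed25519'

# Print one summary line per dump.
report() {
    accepted=$(accepted_algs_from_dump "$1")
    chosen=$(pick_rsa_sig_alg "$accepted") || true
    printf '%-12s accepted=%s -> scanner uses: %s\n' "$2" "$accepted" "$chosen"
}

report "$DUMP_DEFAULT" default
report "$DUMP_HARDENED" hardened
report "$DUMP_SHA256_ONLY" sha256-only
report "$DUMP_LEGACY_ONLY" legacy-only
report "$DUMP_NO_RSA" no-rsa
```

To drop ssh-rsa on an OpenSSH target while keeping the scanner working, the corresponding sshd_config line is the hardened sample's list, e.g. `PubkeyAcceptedAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256`; confirm with `sshd -T` rather than by reading the config file, because crypto-policy includes on Red Hat family systems can override what sshd_config appears to say.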
Target Release Date
28 FEB 2022