Enterprise Recon 2.5.0

Target Credentials

Manage credentials for Target locations that require user authentication for access in the Target Credentials page.

The section covers the following topics:

Credential Permissions

Resource Permissions and Global Permissions that are assigned to a user grants access to perform specific operations for Target credentials.

Operation Definition Users with Access
View credentials Access to view credentials when setting up a scan or via the Resource Permissions Manager.
  1. Global Admin.
  2. Permissions Manager.
  3. Users that have Use or Edit Credential privileges assigned through Resource Permissions.
Add credentials User can add credentials when setting up a Scan for a Target.
  1. Global Admin.
  2. Users that have Scan privileges assigned through Resource Permissions.
Add credentials (Global) User can add credentials for all Target platforms via Target Credential Manager.
  1. Global Admin.
Use credentials Access to use credentials when scanning a Target.
  1. Global Admin.
  2. Users that have Use Credential privileges assigned through Resource Permissions.
Edit credentials User can edit credentials.
  1. Global Admin.
  2. Users that have Edit Credential privileges assigned through Resource Permissions.

Global Admin users have full access to all credentials. A Permissions Manager user can view all existing credentials and assign users permissions to use or edit these credentials via the Resource Permissions Manager.

All users can Add Target Credentials, but can only use or edit the credential sets to which they have been explicitly assigned permissions to.

See Resource Permissions for more information.

Using Credentials

Credential sets that are saved in Target Credentials appear in the Stored Credentials field when adding Targets to scan.

List of credentials that a user has permissions to listed in the Store Credentials dropdown box.

You can use a new credential set when you enter a value in the Credential Label, Username and Password fields.

Once the Target is added to ER2, the Credential Details that were provided are automatically saved to Target Credentials under the specified Credential Label.

Add Target Credentials

A user can add new credentials to ER2 in two ways:

  • When you Start a Scan, the credentials used for that scan are saved to ER2.
  • Add a credential set through the Target Credentials page.

Example of adding a Server Target credential set with the label set to "Server Credentials" in the Target Credentials.

Add a Credential Set Through the Target Credentials

  1. Log in to the ER2 Web Console.
  2. Go to Settings > Target Credentials.
  3. On the top-right of the Target Credentials page, click + Add.
  4. In the New Credentials page, enter a descriptive label in the Credential Label field.
  5. Select the Target Type:

    Target Type Description
    Cloud

    From the Storage Provider list, select your cloud storage provider.

    Each cloud storage provider requires different credential formats. See Add Targets.

    Example of adding an Amazon S3 credential set with the label set to "Cloud Credentials" in the Target Credential Manager.

    Server

    In the New Credentials page, enter your:

    Example of adding a Server Target credential set with the label set to "Server Credentials" in the Target Credential Manager.

Edit Target Credentials

You can edit previously saved credentials through Target Credentials:

  1. Hover over the Target credential set that you want to edit on the Target Credentials page.
  2. Click Edit to edit the credentials.

Set up SSH Public Key Authentication

The following example values are used in the sample command lines below:

  • Proxy Agent host name: AGENT-HOST-A
  • Proxy Agent user name: user-A
  • Remote Target host name: REMOTE-HOST-B
  • Remote Target user name: user-B

To set up a SSH Public / Private Key-pair for authentication:

  1. Login to the Proxy Agent host machine AGENT-HOST-A.
  2. Open a terminal and run the following command to generate a SSH public / private key-pair:

    ssh-keygen -t rsa

  3. The ssh-keygen command asks for the following information:

    Prompt Response
    Enter file in which to save the key (/home/user-A/.ssh/id_rsa): Leave as default and press Enter key.
    Enter passphrase (empty for no passphrase): Enter passphrase and press Enter key.
    Enter same passphrase again: Re-enter passphrase and press Enter key.
  4. In the same terminal on AGENT-HOST-A, use ssh to create a directory ~/.ssh as user-B on REMOTE-HOST-B and enter user-B's password when prompted.

    ssh user-B@REMOTE-HOST-B 'mkdir -p ~/.ssh'

  5. Append user-A's new public key to the user-B@REMOTE-HOST-B:~/.ssh/authorized_keys file on REMOTE-HOST-B and enter user-B's password when prompted.

    cat ~/.ssh/id_rsa.pub | ssh user-B@REMOTE-HOST-B 'cat » ~/.ssh/authorized_keys'

  6. On the Proxy Agent host machine (e.g. AGENT-HOST-A), convert the private key file ~/.ssh/id_rsa to the required .pem format. Enter the passphrase for the private key (from Step 3) when prompted.

    # Syntax: openssl rsa -in <input-private-key-file> -outform PEM -out <output-pem-file> openssl rsa -in ~/.ssh/id_rsa -outform PEM -out ~/.ssh/id_rsa.pem

  7. Login to the remote Target host machine REMOTE-HOST-B.
  8. Change the folder and file permissions as follows:

    chown user-B ~/.ssh ~/.ssh/authorized_keys chmod 700 ~/.ssh chmod 600 ~/.ssh/authorized_keys

  9. Check the /etc/ssh/sshd_config file and verify that Public Key Authentication is allowed for the remote Target host.

    # The following line must be uncommented PubkeyAuthentication yes