Connection to Greenbone not working via tls

Hello,

I’m trying to make Greenbone listen on port 9390 on a VM but it simply refuses to do so.

The command I use is:
sudo gvmd -a 127.0.0.1 -p 9000

There is no error message or anything that could indicate that the command didn’t work.
When checking netstat -tupl there is nothing listening on port 9390 though.
Is there anything I’m missing here?

First of all DO NOT RUN gvmd as root!

Second gvmd will output errors only to the logfile. Please take a look at /var/log/gvm/gvmd.log for details about errors.

Third please take a look at the GVM Architecture and explain what you want to accomplish.

1 Like

Little correction first, I was trying to run: gvmd -a 127.0.0.1 -p 9390

The gvmd.log has the following entry for the command:
main:MESSAGE:2019-07-08 08h33.40 utc:6164: Greenbone Vulnerability Manager version 8.0.0 (DB revision 205)
md main:WARNING:2019-07-08 08h33.40 utc:6164: main: Main process is already running

What I’m trying to do is establish a tls communication from a GMP Client to the gvmd. I’m using a VM for this, which has everything running on localhost. So far the only way to accomplish this is this for me:
gvm-cli socket --sockpath /var/run/gvmd.sock --gmp-username=admin --gmp-password=admin -X "<get_version/>"

Running the same command with tls I get the following error:
gvm-cli tls --hostname 127.0.0.1 --port 9390 --gmp-username=admin -X "<get_version/>"
Enter password for admin:
[Errno 111] Connection refused

In the older openvasmd version, I could fulfill the get version request without providing a socket or anything: omp --username admin --xml="<get_version/>"

Having to provide a path to the socket is not desired, since I’m using a 3rd party program that is trying to connect to the gvmd (the code is tailored for the older openvasmd version, but according to the docs it should still be compatible). The 3rd party program was able to connect to the openvasmd in the past, but since the rebrand to Greenbone, it is unable to establish a connection.

You can use a config file with gvm-tools.

1 Like

Okay, thanks. I’ll look into it. Do you by any chance know why it keeps saying “Main process is already running” when I try to make it listen on port 9390?

Because likely another gvmd process is already running. Did you check the output of ps aux|grep gvmd?

1 Like

I get the following output:
root 1000 0.0 4.0 423132 75788 ? SL 09:15 0:09 gvmd: Waiting for incoming connections
vagrant 9572 0.0 0.0 112708 988 pts/0 R+ 12:06 0:00 grep --color=auto gvmd

So I tried using the config file, but there seems to be something off. I cannot provide the gvm-cli with the --config argument.

gvm-cli --config ~/.config/gvm-tools.conf
No section: 'Auth'
usage: gvm-cli [-h] [-V] [connection_type] …
gvm-cli: error: the following arguments are required: [connection_type]

So it’s still running under the permissions of root. Just a reminder: DO NOT RUN gvmd as root!

--config ~/.config/gvm-tools.conf is the default. So no need to set the argument.

I suppose you did install an older gvm-tools 1.x version. See https://gvm-tools.readthedocs.io/en/latest/install.html for installation hints.

1 Like

Thanks, will check it out. I’ve installed openvas/greenbone with the yum package manager, which needs to be run as root. I suppose it gave all the rights to the root user because of it. I’ll change it ASAP :grin:

So I have uninstalled gvm-tools (had version 1.4.x) and reinstalled it using pip install --user gvm-tools.
Now I have the following version of gvm-tools: gvm-cli 2.0.0.beta1. API version 1.0.0.beta2

The problem sadly still persists: gvm-cli
usage: gvm-cli [-h] [-V] [connection_type] …
gvm-cli: error: the following arguments are required: [connection_type]

You already did solve

Just set the wanted connection type:

  [connection_type]
    ssh              Use SSH connection for gmp service.
    tls              Use TLS secured connection for gmp service.
    socket           Use UNIX-Socket connection for gmp service.

So I tried running the command with the config:
gvm-cli socket -c /home/vagrant/.config/gvm-tools.conf -X "<get_version/>"

Which returned this:
No section: 'Auth'
[Errno 2] No such file or directory

My gvm-tools.conf file looks like this:

[main]
timeout = 300

[gmp]
username=admin
password=admin

[unixsocket]
socketpath=/var/run/gvmd.sock

I’m also still running it as root as I couldn’t find out how to do it otherwise.

Last time DO NOT RUN gvmd, gsad, gvm-tools as root. You are running a security scanner in a highly insecure way!

  1. Start gvmd as a dedicated user with --listen-mode= , --listen-owner= or --listen-group to adjust permissions on the unix socket (also check permissions in /var/log/gvm, /var/run/gvm)
  2. Install gvm-tools as NORMAL user via pip install --user gvm-tools
  3. Check if gvm-tools are version 2.0betaX via gvm-cli --version
  4. Edit the config under ~/.config/gvm-tools.conf
  5. Run it gvm-cli socket -X "<get_version/>" (no need to set the config explicitly)

1 Like

Okay, I killed the process and gvmd is now running on the “vagrant” user.

I changed all permissions under /var/log/gvm/ and /var/run/gvm to the user “vagrant”. After that I ran the following command to change the owner of the socket.
# gvmd --listen-owner=vagrant --listen-group=vagrant

I uninstalled gvm-tools and installed it for the vagrant user with:
# pip install --user gvm-tools

# gvm-cli -V
gvm-cli 2.0.0.beta1. API version 1.0.0.beta2

[main]
timeout = 300

[gmp]
username=admin
password=admin

[unixsocket]
socketpath=/var/run/gvmd.sock

Unfortunately, the same issue still persists:
# gvm-cli socket -X "<get_version/>"
[Errno 2] No such file or directory

This error means the unix socket couldn’t be found. I’ve already improved the error message in the master branch. Please check if /var/run/gvmd.sock is available and accessible.
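
The socket and port checks discussed in this thread, as an added example that is not part of any post and not gvm-tools code: it maps the two errors seen above ([Errno 2] on the Unix socket, [Errno 111] on the TLS port) to their causes and flags a root-owned or world-writable socket. The function names, result labels and the two findings are assumptions of this example; the path and port are the ones used in the thread.

```python
import os
import socket
import stat


def diagnose_unix_socket(path):
    """Explain why a client can or cannot reach gvmd's Unix socket."""
    try:
        info = os.stat(path)
    except FileNotFoundError:
        return "missing"  # surfaces in gvm-cli as [Errno 2]
    except PermissionError:
        return "permission-denied"  # a parent directory blocks this user
    if not stat.S_ISSOCK(info.st_mode):
        return "not-a-socket"
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
            client.connect(path)
    except PermissionError:
        return "permission-denied"  # owner/group/mode exclude this user
    except ConnectionRefusedError:
        return "stale"  # file left behind, no process is accepting
    return "ok"


def socket_findings(path):
    """Heuristic flags (assumptions of this example) for risky socket setups."""
    info = os.stat(path)
    findings = []
    if info.st_uid == 0:
        findings.append("owned-by-root")  # daemon was probably started as root
    if info.st_mode & stat.S_IWOTH:
        findings.append("world-writable")  # mode lets every local user connect
    return findings


def diagnose_tcp(host, port, timeout=2.0):
    """Check whether anything accepts connections on the TLS port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "listening"
    except ConnectionRefusedError:
        return "refused"  # surfaces in gvm-cli as [Errno 111]
    except OSError:
        return "unreachable"


if __name__ == "__main__":
    # Path and port are the ones used in the thread.
    print(diagnose_unix_socket("/var/run/gvmd.sock"))
    print(diagnose_tcp("127.0.0.1", 9390))
```

Run it as the same user that runs gvm-cli, since the permission results depend on who is asking.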

I can run gvm-cli socket --sockpath /var/run/gvmd.sock --gmp-username=admin --gmp-password=admin -X "<get_version/>" without any issues.
It returns:
<get_version_response status="200" status_text="OK">8.0</get_version_response>
Is that enough to verify it?

Yes. You can communicate with gvmd and your authentication is working.

1 Like

Okay. So after digging more I now know that essentially I need to get TLS working cause that was the default connection type for the older protocol. For the gvm-tools.conf it says I need to provide the path to the tls.cert, tls.key and tls.ca. Where are they typically stored?

I’m able to run gvmd with TLS now, but only as root. When trying to do it with the vagrant user, I get this error.

sql_open: failed to stat database: Permission denied