Questions regarding gvm-cli and GMP functionnality in GCE edition

zouzeeater · October 22, 2019, 11:23am

Hello

i didn’t find explicit answer to my question so pardon me if it’s already written somewhere.
I am currently testing GCE appliance (the lateste available from web-site), installed on a business Vmware hypervisor LAB.

I deployed the appliance, configured local unix account and password + IP & gw.
I created some users using the (functionning) webGUI: some with admin profiles, super admin profiles and others with user profiles.

At the moment i’m trying to use gvm-cli (gvm-cli 2.1.0.dev1 (API version 1.0.0)) but it seems not to work, even with credentials provided:

florian@XXX$ gvm-cli -c gvm-tools.conf --protocol GMP ssh --hostname yyy.yyy.yyy.yyy -X “<get_version/>”
(‘SSH Connection failed’, AuthenticationException(‘Authentication failed.’,))

where yyy.yyy.yyy.yyy is the IP of the appliance (which works because webGui is oK, auth included)

My gvm-tools.conf file contains:

[gmp]
username=XX
password=XX

[ssh]
ssh-username=YY
ssh-password=YY

Am i missing something (in config file for instance) or is the cli not working with GMP for GCE edition ?
From my understanding you should have 2 levels of password when using ssh to connect to gmp:

ssh-username to connect to the appliance, and username to connecte to the GMP (as you can do from webGui), is it right ?

bricks · October 23, 2019, 6:52am

Could you try to just drop the ssh section from the config and run gvm-cli again?

zouzeeater · October 23, 2019, 7:55am

Hi Bricks,

thanx for your reply.
Unfortunately it still not work.

In parrallel of your responses, and re-re-read again the and i’ve seen this text section from GSM 5.0 manual:

15.2. Activating GMP

Before GMP can be used, it has to be activated on the GSM.

While the web interface uses GMP locally on the appliance, GMP is not remotely accessible via the network by default.

The remote GMP service can be activated using the GOS administration menu (see Chapter 7.2.3.2).

In general, the access to GMP is authenticated and encrypted with SSL/TLS. The same users as for the web interface are used. The users are subject to the same restrictions and have the same permissions.

It says explicitly that GMP works “locally” for WebGUI, but is not accessible via the network by default.
The thing is that the GMP service activation is not possible for me on the GSM-CE appliance: the appropriate item “GMP” in menu “Setup>Service” is not shown. Is it a normal behaviour due to the fact that it is a Community edition, or the reason is elsewhere ?

Same for activating root access via su in case of debug (which i wanted to test do debug my case as i’m juste experiencing GCE, it’s not a PROD use-case at the moment):

Furthermore, when i try to authenticate, here is what i found from appliance log:
When i try to authenticate using only GMP section in my conf file with a GUI working account previously created
[gmp]
username=superwebadmin
password=xxxxxxxx

with the following cmd syntax:
$ gvm-cli -c gvm-tools.conf --protocol GMP ssh --hostname 10.2.2.198 --xml “<get_version/>” -r --pretty

Oct 23 07:45:20 gsm sshd[27264]: Failed password for gmp from 10.2.2.173 port 60186 ssh2
Oct 23 07:45:20 gsm sshd[27264]: Connection closed by 10.2.2.173 port 60186 [preauth]

It’s weird as logs refer to “gmp” user authenticaton as i provided “superwebadmin” as login in conf file.

When i only use ssh section in my conf file:

[ssh]
username=admin
password=xxxxxxx

authentication suceess, but it seems no interaction with GMP occures, session only open and close:

gvm-cli -c gvm-tools.conf --protocol GMP ssh --hostname 10.2.2.198 --xml “<get_version/>” -r --pretty
Remote closed the connection

Oct 23 07:51:15 gsm sshd[27473]: Accepted password for admin from 10.2.2.173 port 60196 ssh2
Oct 23 07:51:15 gsm sshd[27473]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Oct 23 07:51:15 gsm sshd[27473]: pam_unix(sshd:session): session closed for user admin

Any clue ?

Martin · October 23, 2019, 8:03am

The Greenbone Community Edition does not support GMP remotely, see https://www.greenbone.net/en/community-edition/ section “Protocols”.

zouzeeater · October 23, 2019, 8:14am

Ok my mistake, i’ve seen the other protocols, but not GMP.
I guess the behaviour is then normal.

Sorry for the time you all lost on that ticket.
Thanx.