SSH

Integrate Linux systems with vScope via SSH to retrieve comprehensive system data, such as CPU, memory, storage, and network configurations. vScope supports two authentication methods:

  1. User & Password Credential
  2. Private Key Credential

User & Password Credential

Enter the username and password to be used to inventory the assets.

Private Key Credential

Private key credential allows authentication with a user name and private key.

Setting Up Public Key Authentication

For public key authentication, select Private Key Credential in the credential type dropdown.

The following private key formats are supported:

RSA Private Key - PKCS#1 format

-----BEGIN RSA PRIVATE KEY-----
[Private Key Content]
-----END RSA PRIVATE KEY-----

EC (Elliptic Curve) - SEC1 format

-----BEGIN EC PRIVATE KEY-----
[Private Key Content]
-----END EC PRIVATE KEY-----

OpenSSH

-----BEGIN OPENSSH PRIVATE KEY-----
[Private Key Content]
-----END OPENSSH PRIVATE KEY-----

Settings

SSH comes with default values that should work in most environments but you may change them to suit your needs.

Advanced Settings

  • Try inventory without sudo first - Try every command without running it as sudo first. If not enabled then every command will be run prefixed with sudo.
  • Oracle Smart Targets - Report any Oracle database instances as smart targets.

Passwordless sudo

Passwordless sudo means that commands can be run with sudo without a prompt for the user's password. It is required when a Private Key Credential is used for authentication and Try inventory without sudo first is disabled.

It is configured by setting NOPASSWD in the sudoers file. To edit the file:

sudo visudo

To give user vscope full sudo access without password prompt:

vscope ALL=(ALL) NOPASSWD:ALL

This is recommended for finding out which commands vScope needs access to, so that those commands can then be declared in the sudoers file. Here is an example giving vscope access to fdisk, pvdisplay and vgdisplay:

vscope ALL=(ALL) NOPASSWD:/usr/sbin/fdisk -l, /usr/sbin/pvdisplay, /usr/sbin/vgdisplay

Commands must be specified with their full path. To find the location of a command you can use:

whereis pvdisplay

vScope will almost never use the full path when executing commands. Instead of calling /usr/sbin/fdisk -l it will use fdisk -l. If the command is not accessible without the full path you must add an alias in the shell config for the vScope user.

Commands must also be specified including any parameters. In the example above, execution of

fdisk -l

is allowed but execution of

fdisk

is not allowed.
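
The least-privilege rule above can be generated instead of typed by hand. This added example is not vScope code: it resolves each command to its full path, keeps its arguments, and prints a rule in the format shown above; the function names and the search-directory parameter are assumptions of the example.

```shell
#!/bin/sh
# Added example (not vScope code): build a least-privilege sudoers rule for
# the inventory user from "command [args]" lines read on stdin.

# resolve_cmd NAME DIRS -> full path of NAME in colon-separated DIRS.
# (DIRS is this example's parameter, so the lookup can be tested anywhere.)
resolve_cmd() {
    old_ifs=$IFS; IFS=:
    for dir in $2; do
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            IFS=$old_ifs; printf '%s\n' "$dir/$1"; return 0
        fi
    done
    IFS=$old_ifs; return 1
}

# sudoers_entry USER DIRS -> one rule in the page's format. Arguments are
# kept because sudoers treats "fdisk -l" and bare "fdisk" as different
# commands; anything unresolved aborts instead of being silently dropped.
sudoers_entry() {
    user=$1 dirs=$2 specs=
    while read -r name args; do
        [ -n "$name" ] || continue
        case $args in *[,:=\\]*)   # these characters need escaping in sudoers
            echo "unsupported characters in: $name $args" >&2; return 1 ;;
        esac
        path=$(resolve_cmd "$name" "$dirs") || {
            echo "not found: $name" >&2; return 1; }
        spec=$path${args:+ $args}
        case ", $specs, " in *", $spec, "*) continue ;; esac   # duplicate
        specs=${specs:+$specs, }$spec
    done
    [ -n "$specs" ] || return 1
    printf '%s ALL=(ALL) NOPASSWD:%s\n' "$user" "$specs"
}

# Usage on a target (command list constructed from the page's example):
#   printf 'fdisk -l\npvdisplay\nvgdisplay\n' |
#       sudoers_entry vscope /usr/sbin:/sbin > /tmp/vscope.sudoers
#   visudo -cf /tmp/vscope.sudoers   # syntax check before installing the rule
```
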

SSH Probing Process

  1. Identify System Flavor
    vScope begins by running the command uname -a to identify the Unix-like OS flavor of the target system.

  2. Running Commands
    For each command it intends to run, vScope first checks if the command is available on the target system:

    • It issues command -v {cmd} to confirm the command’s availability.
    • If the command is not found this way, it also searches in /sbin and /usr/sbin.

  3. Handling Permissions with Sudo
    If the toggle Try inventory without sudo first is enabled then vScope will try to run every command without sudo first, with fallback to using sudo for commands which fail.

    If vScope encounters a “Permission denied” error when trying to run a command, it checks whether the current user can use sudo by running sudo -v.

    • If the sudo check is successful, vScope retries the command with elevated privileges using sudo {cmd}.
    • If the sudo check fails, vScope will skip sudo for all subsequent commands within that SSH session.

  4. Reading Files
    When attempting to read files, vScope first verifies that the file exists on the target system using test -f {file}. Only if the file exists will vScope attempt to read it.

Supported Algorithms in the SSH Probe

The SSH probe in vScope uses the following cryptographic algorithms when connecting to Linux/Unix systems.

Ciphers

  • aes{128,192,256}-{cbc,ctr}, blowfish-{cbc,ctr}, 3des-{cbc,ctr}, arcfour{128,256}, among others.
  • Extended ciphers: camellia{128,192,256}-{cbc,ctr}, camellia{128,192,256}-{cbc,ctr}@openssh.org

Key Exchange

  • Supported: diffie-hellman-group1-sha1, ecdh-sha2-nistp{256,384,521}, curve25519-sha256@libssh.org, and more.

Signatures

  • ssh-rsa, ssh-dss, ecdsa-sha2-nistp{256,384,521}, ssh-ed25519

MAC

  • hmac-md5, hmac-sha1, hmac-sha2-256, hmac-sha2-512
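
The lists above include legacy algorithms alongside current ones, so a hardened sshd may or may not overlap with them. This added example, not vScope code, compares the effective server configuration printed by sshd -T with the modern subset of the lists; the WANT_ variables, function names and sample output are assumptions of the example.

```shell
#!/bin/sh
# Added example (not vScope code): check that a hardened sshd still shares
# an algorithm with this page's lists without re-enabling legacy ones.

# Subset of the page's lists that current OpenSSH enables by default.
# Choosing this subset, and mapping "Signatures" to hostkeyalgorithms,
# are this example's assumptions.
WANT_ciphers="aes128-ctr,aes192-ctr,aes256-ctr"
WANT_kexalgorithms="ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256@libssh.org"
WANT_hostkeyalgorithms="ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519"
WANT_macs="hmac-sha2-256,hmac-sha2-512"

# shared_algos KEY WANTED < `sshd -T` output -> comma list offered by both.
shared_algos() {
    awk -v key="$1" -v want="$2" '
        BEGIN { n = split(want, w, ","); for (i = 1; i <= n; i++) ok[w[i]] = 1 }
        $1 == key {
            m = split($2, have, ",")
            for (i = 1; i <= m; i++)
                if (have[i] in ok) out = out (out == "" ? "" : ",") have[i]
        }
        END { print out }'
}

# audit_sshd FILE -> one line per category; returns 1 if any has no overlap.
audit_sshd() {
    rc=0
    for key in ciphers kexalgorithms hostkeyalgorithms macs; do
        eval "want=\$WANT_$key"
        got=$(shared_algos "$key" "$want" < "$1")
        [ -n "$got" ] || { got=NONE; rc=1; }
        printf '%s: %s\n' "$key" "$got"
    done
    return "$rc"
}

# Constructed sample of `sshd -T` output from a hardened host (not real data).
sample_hardened() {
    cat <<'EOF'
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org
hostkeyalgorithms ssh-ed25519,rsa-sha2-512
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
EOF
}

# Usage as root on the target: sshd -T > /tmp/sshd.T && audit_sshd /tmp/sshd.T
```

NONE for a category means no overlap with the modern subset of this page's lists. The cipher and key exchange lists on this page are open-ended, so confirm with a test connection before changing sshd_config.
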

Common errors

Machines are missing Domain

If some Linux machines in vScope are missing domain-related details (e.g., DNS search domains), it may be because the SSH credential used does not have permission to execute a required command.

To retrieve domain information, vScope runs the following command: cat /etc/resolv.conf

Please ensure the SSH credential has permission to read this file. This file typically contains DNS configuration such as domain, search, and nameserver entries.
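
To see what the probe can collect with a given credential, the steps under SSH Probing Process and the /etc/resolv.conf check above can be replayed by hand as the inventory user. This added example is not vScope code and mirrors the mode where Try inventory without sudo first is enabled; the function names and the RESULT and SUDO_OK variables are assumptions of the example.

```shell
#!/bin/sh
# Added example (not vScope code): replay the probing steps this page
# describes, run as the inventory user, to see what the probe could collect.

# find_cmd NAME -> success if `command -v` finds NAME, or NAME exists in
# /sbin or /usr/sbin (the two fallback directories the page names).
find_cmd() {
    command -v "$1" >/dev/null 2>&1 && return 0
    [ -x "/sbin/$1" ] || [ -x "/usr/sbin/$1" ]
}

SUDO_OK=unknown   # outcome of `sudo -v`, remembered for the rest of the run

# probe_cmd NAME [ARGS...] sets RESULT: missing|direct|failed|denied|sudo.
# The command is run by bare name, as the page says the probe does.
probe_cmd() {
    RESULT=missing
    find_cmd "$1" || return 0
    RESULT=direct
    err=$(LC_ALL=C "$@" 2>&1 >/dev/null) && return 0
    RESULT=failed
    case $err in *"Permission denied"*) ;; *) return 0 ;; esac
    RESULT=denied
    if [ "$SUDO_OK" = unknown ]; then          # -n: fail rather than prompt
        if sudo -n -v 2>/dev/null; then SUDO_OK=yes; else SUDO_OK=no; fi
    fi
    [ "$SUDO_OK" = yes ] || return 0           # skip sudo from now on
    if sudo -n "$@" >/dev/null 2>&1; then RESULT=sudo; fi
    return 0
}

# probe_file FILE sets RESULT: missing|unreadable|readable.
probe_file() {
    RESULT=missing
    test -f "$1" || return 0
    RESULT=unreadable
    if cat "$1" >/dev/null 2>&1; then RESULT=readable; fi
    return 0
}

# Usage (command list is a constructed sample):
#   for c in "fdisk -l" pvdisplay vgdisplay; do probe_cmd $c; echo "$c: $RESULT"; done
#   probe_file /etc/resolv.conf; echo "/etc/resolv.conf: $RESULT"
```
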