SCAP Workbench compiled without remote scanning support about scap-workbench HOT 13 CLOSED

Hi,
this is expected behavior right now unfortunately. I can make remote scan work using ssh from cygwin but the experience is too horrible to be in a release. It repeatedly asks for credentials for every task it needs to do. On Linux and OSX it authenticates once and then shares it through a control file. This is not possible on Windows right now. At least not with the cygwin openssh.

It all ties to this bug https://bugzilla.mindrot.org/show_bug.cgi?id=1278#c7

The experience is decent if you can setup cygwin openssh with a password-less private key. Doing that on Windows is not trivial. In the future I hope to implement remote scan using putty. It requires a completely new remote scan code just for Windows but it should provide a decent usability.

If you know about an openssh port for Windows that supports -o ControlMaster I want to know about it :-)

I will keep this bug open to track Windows remote scan support progress.

from scap-workbench.

Does this hold any possibility of working?
http://www.dereckson.be/blog/2013/08/31/use-ssh-agent-on-windows/

from scap-workbench.

That might work for keys.

However, I think users will overwhelmingly want to use password auth. Especially on Windows where SSH keys are very rare. As the first step I want to get password auth working, then I will worry about ssh key auth.

We could really use somebody from openssh or cygwin or both here.

from scap-workbench.

For what it's worth, I'm willing to help test/document this aspect of the tool (that is, using Workbench from Windows to remote scan Linux servers.) If I can assist, point me in a direction.

from scap-workbench.

Unfortunately we can't move forward with this ticket without patching either OpenSSH or Cygwin. Emailed Corinna Vinschen from the Cygwin project and it seems patching OpenSSH is the easier route. The Cygwin issue regarding passing descriptors via AF_LOCAL/AF_UNIX sockets is fairly old and hard to solve.

As I don't know the OpenSSH codebase, any help is appreciated.

from scap-workbench.

While this is only an announcement of an intent, if they hold to their word, it may provide another avenue to explore: http://blogs.msdn.com/b/looking_forward_microsoft__support_for_secure_shell_ssh1/archive/2015/06/02/managing-looking-forward-microsoft-support-for-secure-shell-ssh.aspx

from scap-workbench.

@Jakuje patched ssh to work on Windows.

See https://github.com/Jakuje/stuff/blob/master/openssh_without_fdpass.patch

I am looking into the patch, so far it looks very promising.

from scap-workbench.

@jeffstoner I have good news :-) Thanks to the work of @Jakuje we now have a testing release for Windows that can do remote scan! Check out http://martin.preisler.me/2015/03/scap-workbench-1-1-0/ and http://martin.preisler.me/wp-content/uploads/2015/03/scap-workbench-1.1.0-win32-remote-scan-testing.zip

From my testing I can scan Fedora and RHEL6 remotely from a Windows7 box. Can you confirm that it works for you? Keep in mind that the askpass dialog is not polished and kind of strange, when it asks about host confirmation you have to type yes into the askpass dialog. This will be improved for the final release.

from scap-workbench.

Sweeeeeeeeeeeeeeeet!
Downloaded, installed and executed on Win7Pro (against a server that didn't have openscap installed but it did connect.)

I'll start running some tests and update this ticket with results.

Thanks again!

from scap-workbench.

Hi @jeffstoner

Any news?

from scap-workbench.

Hi @jeffstoner
I have heard about some minor issues but it looks like this is worthy of inclusion in the end. Do you have any feedback?

I want to solve a few remaining issues and then release 1.1.1 with the remote scan support on Windows.

from scap-workbench.

Sorry. I was under the gun to meet a deadline for my project. I was anticipating using this when I build the servers but that's waiting on an executive decision (go figure.) Let me dig up some older (non-production) servers that I can munge.

from scap-workbench.

This has been fixed.

from scap-workbench.