tenable / pyTenable

Python Library for interfacing into Tenable's platform APIs
https://pytenable.readthedocs.io
MIT License

pytenable cert authentication #669

Closed ghost closed 6 months ago

ghost commented 1 year ago

I am using the latest pytenable to connect to a tenable.sc. The server has certificate authentication (association) enabled. Via a web browser I can log in with my username and password, and I am able to use my cert/key for subsequent logins. I am not able to do the same with pytenable. In order to successfully log in via pytenable, I have to use username and password as well as cert/key (via an adapter):

sc = TenableSC('', username="user",password="pass", adapter=adapter)

I thought I could use either or, not necessarily both. Can someone provide some insight as to why this happens? I have no insight into the SC server. It's managed by a third party. I am assuming they have SSL verification turned on at the server level. Any and all feedback would be appreciated.

aseemsavio commented 1 year ago

Alternatively, you can also use access and secret keys to login to Tenable.sc.

tsc = TenableSC("YOUR_HOST_HERE", access_key="YOUR_ACCESS_KEY_HERE",
                secret_key="YOUR_SECRET_KEY_HERE")

ghost commented 1 year ago

@aseemsavio - Using API keys is just another method, that doesn't necessarily solve my problem. I still have to provide my certs. My goal however is to use certs only.

SteveMcGrath commented 1 year ago

https://pytenable.readthedocs.io/en/stable/api/sc/index.html

Which points to here for how to pass in the cert:

https://docs.python-requests.org/en/latest/user/advanced/#client-side-certificates

ghost commented 1 year ago

In a nutshell these are the only two ways that I can authenticate to said TSC. Notice both methods include passing a cert. Any other way, API keys, password or cert/adapter by itself, does not work:

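from requests_pkcs12 import Pkcs12Adapter
from tenable.sc import TenableSC

# unencrypted key: pass the certificate and key file paths as strings
tsc = TenableSC('host', access_key=access_key, secret_key=secret_key, cert=('cert.crt', 'private.key'))

# encrypted key: mount the PKCS#12 bundle through an adapter
adapter = Pkcs12Adapter(pkcs12_filename='certificate.p12', pkcs12_password='password!')
tsc = TenableSC('host', access_key=access_key, secret_key=secret_key, adapter=adapter)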

According to the Tenable.sc docs, when SSLVerifyClient is set to require in /opt/sc/support/conf/sslverify.conf (TenableSC), then "Tenable.sc requires a valid SSL certificate for user authentication". I suspect this to be the case. Have you all tested pyTenable in a scenario where your SC was configured this way?

SteveMcGrath commented 1 year ago

If using client certs, API keys should not be needed. The client cert acts as your auth to the host.

ghost commented 1 year ago

Steve,

Thanks for your input. The problem is that the SC in question forces the client to offer a valid cert in order for the two to communicate. Then, regardless of auth method, API keys or user/pass, I still have to provide certs. I don't see that pytenable supports this scenario as it stands. Can you all confirm?

SteveMcGrath commented 1 year ago

So when you log in with the SSL cert, and just the SSL cert, if you run tsc.current.user() you're getting a 403?
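
An added diagnostic, not code from this thread or from pyTenable: it separates the two layers under discussion, a TLS-level client-certificate requirement (the SSLVerifyClient require case) and an application-level refusal such as a 403. The function names, result labels and default path are assumptions; only the Python standard library is used.

```python
import http.client
import ssl


def classify(outcome):
    """Map a probe outcome (exception or HTTP status) to the layer that refused it."""
    if isinstance(outcome, ssl.SSLCertVerificationError):
        return "server-cert-untrusted"   # our side rejected the server's certificate
    if isinstance(outcome, (ssl.SSLError, ConnectionResetError)):
        # TLS alert or reset before any HTTP credentials were read; the usual
        # symptom of a required client certificate that was missing or invalid
        return "tls-refused"
    if isinstance(outcome, OSError):
        return "unreachable"             # DNS, routing, closed port, timeout
    if outcome in (401, 403):
        return "app-refused"             # TLS accepted, credentials or session refused
    return "ok" if outcome < 400 else "http-error"


def probe(host, port=443, path="/", certfile=None, keyfile=None,
          cafile=None, timeout=10):
    """Send one GET, optionally presenting a client cert, and name the refusing layer."""
    ctx = ssl.create_default_context(cafile=cafile)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)   # PEM files; keyfile may be None
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    try:
        conn.request("GET", path)
        # Under TLS 1.3 a missing client cert is often reported only on the
        # first read, so the response read must sit inside the try block too.
        outcome = conn.getresponse().status
    except OSError as exc:                       # ssl.SSLError is an OSError subclass
        outcome = exc
    finally:
        conn.close()
    return classify(outcome)
```

Running probe once without certfile and once with it shows which layer changes: "tls-refused" turning into "app-refused" means the certificate only satisfies the transport and credentials are still evaluated separately.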