check_by_ssh

David Olbersen DOlbersen at stbernard.com
Tue Jan 20 20:45:26 CET 2004


Paul L. Allen wrote:

> I came to the same conclusion.  The only way somebody will get the
> private key is by compromising the monitoring box and if they can get
> one private key they can get all of them.

Agreed.

> > and nagios' SSH key is restricted by source IP.
> 
> Ummm, the key is?  Or do you mean you're using hosts.allow to block
> connections from other IPs.  I just copied the nagios key from our
> monitoring box to my home machine and used the key to login as nagios
> to one of the boxes we monitor, so IP is not built into the key.

Nope, it's built into authorized_keys2 on the machine being checked. One of the cool things you can do with authorized_keys2 is say "only connections from this IP are allowed to use this key". You do that like this:

from="<ip/domain/whatever>" <rest of key>

There are other options you can use, here's a snippet from mine:

from="192.168.5.11",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-dss AAAAB3NzaC1kc3MAAACBA... rest of public key

This means that only 192.168.5.11 can use the private key corresponding to the public key that follows. If the incoming connection is from 192.168.5.11, has the correct private key, but has port-forwarding, X11-forwarding, or agent-forwarding enabled it'll be dropped. I have these turned off because Nagios will never use them. Handy, eh?

-- 
David Olbersen
iGuard Engineer
St. Bernard Software
15015 Avenue of Sciences
San Diego, CA 92127
x2152
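As an added example (not part of the post, and not Nagios or OpenSSH code), here is a small Python parser for the authorized_keys option syntax discussed above, used as a defender's audit: it reports every key in a file that lacks the from= restriction or one of the three no-*-forwarding options the post applies to the Nagios key. The REQUIRED policy and the SAMPLE file (with placeholder key material) are constructed for the example.

```python
import re

KEY_TYPE_RE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)$")  # line with no options field
REQUIRED = ("from", "no-port-forwarding", "no-X11-forwarding", "no-agent-forwarding")  # assumed policy

def parse_options(line):
    """Parse the leading options field into a dict and return (options, rest).
    Commas and spaces inside the quotes of from="..." do not end an option."""
    options, buf, in_quote = {}, "", False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif not in_quote and ch in ", \t":
            name, sep, value = buf.partition("=")
            options[name] = value.strip('"').replace('\\"', '"') if sep else True
            buf = ""
            if ch != ",":              # whitespace ends the options field
                return options, line[i:].lstrip()
            continue
        buf += ch
    return options, ""                 # options with nothing after them

def parse_line(line):
    """Return None for blank/comment lines, else the key's options, type, key and comment."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if KEY_TYPE_RE.match(line.split(None, 1)[0]):
        options, rest = {}, line       # no options field on this line
    else:
        options, rest = parse_options(line)
    ktype, key, comment = (rest.split(None, 2) + [""] * 3)[:3]
    return {"options": options, "type": ktype, "key": key, "comment": comment}

def audit(text):
    """Return (line_no, comment, missing options) for each key missing any REQUIRED option."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        entry = parse_line(raw)
        missing = [o for o in REQUIRED if entry and o not in entry["options"]]
        if missing:
            findings.append((n, entry["comment"], missing))
    return findings

# Constructed sample file; the key blobs are placeholder text, not real key material.
SAMPLE = """\
from="192.168.5.11",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-dss AAAAB3placeholder nagios@monitor
from="192.168.5.11,10.0.0.*",no-pty ssh-rsa AAAAB3placeholder2 nagios@backup
ssh-ed25519 AAAAC3placeholder3 admin@laptop
"""
```

Feed audit() the contents of the monitored host's authorized_keys (or authorized_keys2) file; only the first sample key passes the policy, the other two are reported with the options they lack.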


Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users