Trying to understand check_by_ssh
Tedman Eng
teng at dataway.com
Wed Mar 30 02:35:34 CEST 2005
> 2) Check_by_ssh
>
> Andreas will be along shortly to point out a security hole in
> check_by_ssh
> IF somebody can compromise your monitoring host to the extent
> that they
> can become the nagios user. That hole allows somebody who can become
> nagios on your monitoring host to become nagios on your
> monitored hosts
> and execute arbitrary commands as the nagios user.
On the remote hosts, I use a security wrapper that restricts the ssh'ed
commands.
In the event that Mother Nagios gets compromised, the ssh-based checks pose
no risk to the remote nodes.
First, we modify the authorized_keys on the remote end and add the
"command=..." to force a specific command to be executed whenever this key
is used to login. In this case we execute our security wrapper script.
--- restricted ssh key on remote host ----
command="/home/nagios/ssh-wrapper" ssh-dss +yIDIwfYYyzx
KKJKjxUGbVjqhYJuBLJDOY106IvRy82o3APtXWa3S7dOKQ9tozTSBlaZ
S4y6uiw5CRYiuvYm7EWnOCoP8z/GfcepTokzWTnewlLXvbpgvX2RPZ10
57ScZGCzt63gmbR3J9D4cjJLdQkDsW7thp
------------------------------------------
Then, we create the wrapper script which checks our incoming command and
tosses out everything else.
The pattern matched "^check_" can be made more or less restrictive to suit
your level of paranoia.
--------- wrapper on remote host ---------
#!/bin/sh
# ssh-wrapper.sh
PREFIX=/usr/local/nagiosplugins/libexec/
if echo $SSH_ORIGINAL_COMMAND|egrep "^check_" >/dev/null 2>&1; then
$PREFIX/$SSH_ORIGINAL_COMMAND 2> /dev/null
else
echo "Permission denied."
exit 1
fi
------------------------------------------
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null
More information about the Users
mailing list