check_by_ssh problem.

David Olbersen DOlbersen at stbernard.com
Fri Nov 7 15:20:12 CET 2003


Earl C. Ruby III wrote:

> I use check_by_ssh instead of NRPE, but I do it like this:
> 
> * Nagios runs under user "nagios" on admin machine.
> 
> * Target machine also has a "nagios" user.
> 
> * All check scripts for the target live in nagios@target:~/bin and are chmod
> 700 (owned by nagios user).
> 
> * Generate a dsa keypair for nagios user on admin host using ssh-keygen.
> 
> * Private key is in nagios@admin:~/.ssh/id_dsa
> 
> * Public key is in nagios@target:~/.ssh/authorized_keys2
> 
> * Verify that ssh works by "su - nagios" on admin, then "ssh nagios@target"
> where "target" is the EXACT host name in ~/etc/hosts.cfg. (If you use IP
> addresses, then "ssh nagios@target_ip_address".)
> 
> * The first time you ssh over with the new key and user, you'll get an "add to
> known_hosts" message. Say "yes". (If you skipped this step before, Nagios
> check_by_ssh won't work.)
> 
> * Once you've done all of that, you should be able to create commands in
> checkcommands.cfg like so:
> 
> define command{
>         command_name    check_sensors
>         command_line    $USER1$/check_by_ssh -t 15 -H nagios@$HOSTADDRESS$ -C '~/bin/check_sensors -w 20 -c 30'
> }

Further, if you're quite paranoid you can do some more:

* Create one pub/priv key pair for each command you want to run on the remote machine, then in authorized_keys2 limit the given key to only running the command specified. For example, create a dsa-check-disk key and then limit it to running ~/bin/check_disk [ARGS] on the client machine. If you do that, your check command will be a bit different (there are a few options to make it more sane).

* Make the authorized_keys2 limit connections to a specific IP/host for that key.

I think adding either one of these increases the security of the setup by quite a bit.

-- 
David Olbersen
iGuard Engineer
St. Bernard Software
15015 Avenue of Sciences
San Diego, CA 92127
x2152
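The per-command key restriction described above, as an added example that is not part of the thread: a POSIX sh helper that builds an authorized_keys2 entry pinning one key to one source host and one forced command, plus an audit loop that flags entries in the nagios user's authorized_keys2 that lack both restrictions. The host name, key blobs and check paths are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Builds restricted authorized_keys2
# lines for a per-check key and audits a file for keys that are not pinned.

# Emit one entry: from= pins the admin host, command= forces the check, and the
# no-* options deny forwarding and ptys. The forced command runs whatever the
# client asks for with -C, so check_by_ssh only needs to pick the right key with
# -i ~/.ssh/id_dsa-check-disk.
restricted_key() {
    from="$1"; cmd="$2"; pubkey="$3"   # pubkey is the line from id_dsa-check-disk.pub
    printf 'from="%s",command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$from" "$cmd" "$pubkey"
}

# Audit: print every key line that lacks either a from= or a command= option.
# Returns 0 only when every key in the file carries both restrictions.
audit_keys() {
    file="$1"
    unrestricted=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;                          # blank line or comment
            *from=*command=*|*command=*from=*) ;;         # both restrictions present
            *) echo "UNRESTRICTED: $line"
               unrestricted=$((unrestricted + 1)) ;;
        esac
    done < "$file"
    [ "$unrestricted" -eq 0 ]
}

# Constructed sample authorized_keys2: one pinned key and one plain key.
# The base64 blobs are placeholders, not real keys.
SAMPLE=$(mktemp)
restricted_key 'admin.example.net' '~/bin/check_disk -w 20 -c 10' \
    'ssh-dss AAAAB3...PLACEHOLDER1 nagios@admin' >> "$SAMPLE"
echo 'ssh-dss AAAAB3...PLACEHOLDER2 nagios@admin' >> "$SAMPLE"

if audit_keys "$SAMPLE"; then
    echo "all keys are pinned to a host and a command"
else
    echo "audit found unrestricted keys in $SAMPLE"
fi
```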


_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null