putting limits on check_by_ssh
Tom Throckmorton
throck at duke.edu
Fri Nov 16 19:51:37 CET 2007
On 11/16/2007 01:06 PM, Dave wrote:
> I've been RTFMing SSH. For background authentication like nagios uses,
> the book I'm reading recommends using the user's ssh config file to
> limit using passwordless keys to just do one task each. So if you want
> nagios to be able to do 3 kinds of checks without a password, you put
> 3 keys in nagios .ssh/authorized_keys file with command="" stuff for
> each. Then no matter what nagios thinks it is asking for (parameter of
> check_by_ssh) it gets whatever is configured for that key.
>
> I'm just wondering if anyone has taken this approach. It seems a bit
> complicated, spreading some of the nagios config info around to each
> monitored system, but it sort of appeals to me. Then you know that
> even if someone manages to get your key, all they can do is check_disk
> or something else boring.
I do something similar, though also add a 'from' restriction, in the
event the private key is compromised - here are a few examples:
For remote nagios instance monitoring:
> from="host-01.full.domain",command="/usr/lib/nagios/plugins/check_nagios -F /dev/shm/status.log -e 5 -C nagios" ssh-dss AAAA...
> from="host-02.full.domain",command="/usr/lib/nagios/plugins/check_nagios -F /dev/shm/status.log -e 5 -C nagios" ssh-dss AAAA...
*dons protective aluminum foil headgear*
In the keys on _some_ systems, I also add:
> no-port-forwarding
> no-X11-forwarding
> no-agent-forwarding
I usually only allow a single command per host - on hosts which I want
to execute multiple commands, rather than having a keypair-per-command,
I make the command a script which sanitizes the input and checks the
command against a list of predetermined allowed commands. Probably not
as safe as keypairs-per-command because it's not as explicit, but more
flexible/manageable in certain situations.
> Am I missing something? In addition to limiting key authentication to
> doing specific tasks, I also put an '*' in the nagios user's password
> field in /etc/passwd, which prevents them from logging in by password.
For the nagios user (and other system-ish accounts), setting the shell
to /sbin/nologin should do the trick.
-tt
--
Tom Throckmorton
OIT - CSI
Duke University
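The "one forced command that is a script which checks the request against a list of allowed commands" approach above, written out as an added example (this is not Tom's script, and the plugin paths, thresholds, the wrapper's install path, the `example.org` hostname and the key material in the comment are placeholders). sshd puts whatever check_by_ssh asked for into SSH_ORIGINAL_COMMAND and runs the forced command instead; the wrapper maps that request onto a fixed set of complete command lines and never hands any part of the request to a shell, so a compromised key still only buys the listed checks:

```sh
#!/bin/sh
# nagios-ssh-wrapper: forced command for a restricted nagios key (added example).
# Reference it from ~nagios/.ssh/authorized_keys on the monitored host, e.g.
# (hostname and key are placeholders):
#   from="nagios-01.example.org",command="/usr/local/sbin/nagios-ssh-wrapper",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA...

PLUGINS=/usr/lib/nagios/plugins   # assumed plugin directory

# Accept only an absolute path built from a conservative character set: no
# whitespace, no shell metacharacters, no "..". Used for the one parameter we
# let the monitoring server choose.
valid_mountpoint() {
    case "$1" in
        ""|*[!A-Za-z0-9_./-]*|*..*) return 1 ;;
        /*)                        return 0 ;;
        *)                         return 1 ;;
    esac
}

# resolve_allowed REQUEST: print the exact command line to run, or return 1.
# The request is split into words with globbing disabled, then matched on
# (argument count, first word) so extra words such as "; rm -rf /" can never
# match. The printed line is our own fixed text plus a validated path.
resolve_allowed() {
    set -f
    set -- $1
    set +f
    case "$#:${1:-}" in
        1:check_load)        echo "$PLUGINS/check_load -w 5,4,3 -c 10,8,6" ;;
        1:check_procs_sshd)  echo "$PLUGINS/check_procs -c 1: -C sshd" ;;
        2:check_disk)        valid_mountpoint "$2" || return 1
                             echo "$PLUGINS/check_disk -w 20% -c 10% -p $2" ;;
        *)                   return 1 ;;
    esac
}

# Exit code 3 is UNKNOWN to Nagios, so a rejected request shows up on the
# console instead of silently looking healthy or critical.
main() {
    req=${SSH_ORIGINAL_COMMAND:-}
    if cmd=$(resolve_allowed "$req"); then
        logger -t nagios-ssh-wrapper "allowed: $req" 2>/dev/null || :
        exec $cmd   # word-split on purpose; $cmd cannot contain glob or shell chars
    fi
    logger -p auth.warning -t nagios-ssh-wrapper "rejected: $req" 2>/dev/null || :
    echo "UNKNOWN: request not permitted by nagios-ssh-wrapper"
    exit 3
}

# Dispatch only when run as the installed wrapper; when the file is sourced
# under another name (for example to exercise the functions) nothing executes.
case "${0##*/}" in
    nagios-ssh-wrapper) main ;;
esac
```

On the Nagios side the service definition then asks for the short name, e.g. `check_by_ssh -H host-01 -C "check_disk /var"`, and the thresholds live on the monitored host rather than in the nagios config; a request for any other plugin, any other mountpoint spelling, or an interactive login with no command at all is refused before anything runs.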
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null