<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE></TITLE>
<META content="MSHTML 6.00.2800.1458" name=GENERATOR></HEAD>
<BODY text=#000000 bgColor=#ffffff>
<DIV><FONT face=Arial color=#0000ff size=2>
<H3>Basic Idea</H3>No-password authentication works because of public key
crypto. Let's say you have a local machine Ooga and a remote machine Booga. You
want to be able to ssh from Ooga to Booga without having to enter your password.
First you generate a public/private RSA key pair on Ooga. Then you send your
public key to Booga, so that Booga knows that Ooga's key belongs to a list of
authorized keys. Then when you try to ssh from Ooga to Booga, RSA authentication
is performed automagically.
<P>Here are detailed steps on how to do this.
<P><B>NOTE:</B> The following examples and scenarios assume you are creating
only a single key, e.g. one RSA key or one DSA key. If it turns out that you've
created both keys on your (client) system, then you will need to send
<B>both</B> of them to the SSH/SSH2 server; otherwise, you may still be asked to
enter a passphrase. Thanks to Steve McCarthy for pointing this out.
<P>
<HR SIZE=1>
<P>
<H3>ssh1</H3>If you're using ssh1, then do this:
<P><TT>ooga% ssh-keygen -f ~/.ssh/identity </TT>
<P>This will generate a public/private rsa1 key pair. When it asks you to enter
your passphrase, just hit return (i.e. leave it empty). Now you need to send
your public key to the remote server.
<P><TT> ooga% cd .ssh <BR> ooga% scp identity.pub user@booga:~/.ssh
</TT>
<P>Now you need to log into Booga and add Ooga's public key to Booga's list of
authorized keys.
<P><TT> ooga% ssh user@booga
<P> booga% cd .ssh <BR> booga% cat identity.pub >>
authorized_keys <BR> booga% chmod 640 authorized_keys <BR> booga% rm
-f identity.pub </TT>
<P>That's it! You can now ssh from Ooga to Booga without entering your password.
<P>
<HR SIZE=1>
<P>
<H3>ssh2</H3>It's harder for ssh2. There are two common implementations of ssh2:
OpenSSH and SSH2. Let's say we want to ssh from Ooga to Booga. If Ooga and Booga
both run the same implementation then it's easy. Otherwise, we need to do some
extra work to make them talk to each other properly.
<P>My particular situation is that my local machine is running Windows 2000 with
the Cygwin tools and OpenSSH 3.2.x. The remote machines may either have OpenSSH
or SSH2. I'll cover these two cases below.
<P>
<HR SIZE=1>
<H3>ssh2: Ooga = OpenSSH, Booga = OpenSSH</H3>First, generate a public/private
DSA key pair on Ooga.
<P><TT> ooga% ssh-keygen -t dsa -f ~/.ssh/id_dsa </TT>
<P>When you are asked for a passphrase, leave it empty. Now send the public key
to Booga.
<P><TT> ooga% cd .ssh <BR> ooga% scp id_dsa.pub user@booga:~/.ssh
</TT>
<P>Next, log in to Booga and add the public key to the list of authorized keys.
<P><TT> ooga% ssh user@booga
<P> booga% cd .ssh <BR> booga% cat id_dsa.pub >>
authorized_keys2 <BR> booga% chmod 640 authorized_keys2 <BR> booga%
rm -f id_dsa.pub </TT>
<P>Note that the filename is <TT>authorized_keys2</TT>, not
<TT>authorized_keys</TT>. That's it; you're ready to ssh from Ooga to Booga
without having to enter a password.
<P>
<HR SIZE=1>
<H3>ssh2: Ooga = OpenSSH, Booga = SSH2</H3>
<P>First, generate a public/private DSA key pair on Ooga.
<P><TT> ooga% ssh-keygen -t dsa -f ~/.ssh/id_dsa </TT>
<P>When you are asked for a passphrase, leave it empty. This key is stored in a
format that OpenSSH can use, but SSH2 cannot. You need to export the key to a
format that SSH2 understands.
<P><TT> ooga% ssh-keygen -e -f .ssh/id_dsa.pub > id_dsa_ssh2_ooga.pub
</TT>
<P>Note: the exact flags you need to specify may differ in your case. Check the
man pages if the line above doesn't work. Now send the exported public key to
Booga.
<P><TT> ooga% scp id_dsa_ssh2_ooga.pub user@booga:~/.ssh2/ </TT>
<P>Note: the target directory is <TT>.ssh2</TT>, not <TT>.ssh</TT>. Next, log in
to Booga and add the public key to the list of authorized keys.
<P><TT> ooga% ssh user@booga
<P> booga% cd .ssh2 <BR> booga% cat >> authorization
<BR> key id_dsa_ssh2_ooga.pub <BR><BR> &lt;EOF&gt; <BR> booga%
chmod 640 authorization<BR></TT>
<P>For SSH2, there is an authorization file in which you list the file names of
the authorized public keys. Note that this step is different than the case in
which Booga is running OpenSSH. Now you are ready to ssh from Ooga to Booga
without having to enter a password. </P>
<P> </P></FONT></DIV>
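<DIV>
<P>Added example, not part of the original message: a repeatable form of the "cat key.pub >> authorized_keys" step for the OpenSSH cases above, plus a check for the group- or world-writable permissions that sshd rejects when its StrictModes option is on (the OpenSSH default). The function names <TT>install_pubkey</TT> and <TT>loose_perms</TT> are hypothetical.
<PRE>
```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the how-to above.
# Usage on booga:  install_pubkey id_dsa.pub "$HOME/.ssh" authorized_keys2

# install_pubkey PUBKEY SSH_DIR [FILE]
# Appends the one-line OpenSSH public key in PUBKEY to SSH_DIR/FILE
# (FILE defaults to authorized_keys) only if it is not already listed.
install_pubkey() {
    pub=$1
    dir=$2
    auth=$dir/${3:-authorized_keys}
    # Refuse a missing or empty key file rather than appending nothing.
    [ -s "$pub" ] || return 1
    # Refuse a private key handed over by mistake (id_dsa instead of id_dsa.pub).
    if grep -q 'PRIVATE KEY' "$pub"; then return 2; fi
    mkdir -p "$dir" || return 3
    chmod 700 "$dir"
    touch "$auth"
    key=$(head -n 1 "$pub")
    # -F fixed string, -x whole line: running this twice adds the key once.
    if ! grep -qxF -- "$key" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
    chmod 640 "$auth"   # same mode as in the steps above
}

# loose_perms PATH...
# Prints every PATH that is writable by group or by others. With StrictModes
# on, sshd ignores the authorized keys file when it or ~/.ssh is writable
# by anyone but the owner, and falls back to asking for a password.
loose_perms() {
    for p in "$@"; do
        find "$p" -prune \( -perm -020 -o -perm -002 \)
    done
}
```
</PRE>
<P>Empty output from <TT>loose_perms "$HOME" "$HOME/.ssh" "$HOME/.ssh/authorized_keys2"</TT> means the permissions will not be the reason a key login still prompts for a password.
</DIV>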
<BLOCKQUOTE>
<DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma
size=2>-----Original Message-----<BR><B>From:</B>
nagios-users-admin@lists.sourceforge.net
[mailto:nagios-users-admin@lists.sourceforge.net]<B>On Behalf Of
</B>senthil<BR><B>Sent:</B> Wednesday, September 22, 2004 5:28
AM<BR><B>To:</B> Demetri Mouratis<BR><B>Cc:</B>
nagios-users@lists.sourceforge.net<BR><B>Subject:</B> Re: [Nagios-users] event
handlers on remote host<BR><BR></FONT></DIV>And one more help: is it possible
for someone to help me <BR>with the process to set up non-interactive login in
SSH?<BR><BR>regards,<BR>Senthil<BR><BR>Demetri Mouratis wrote:<BR>
<BLOCKQUOTE
cite=midPine.LNX.4.44.0409220157150.17163-100000@zaphod.math.uiuc.edu
type="cite"><PRE wrap="">On Wed, 22 Sep 2004, senthil wrote:
</PRE>
<BLOCKQUOTE type="cite"><PRE wrap="">Hi,
I am currently working on using Nagios to monitor a remote host.
Made use of the NRPE plugins to monitor the different services on a
remote host.
I tried event handlers and it works fine on the localhost. But if I want
to employ event handlers on a remote machine, say to start an HTTP server
when the service moves on to hard state, what can I do?
</PRE></BLOCKQUOTE><PRE wrap=""><!---->
Set up SSH to allow for non-interactive login to the remote machine and
restart the http daemon.
You'll probably want to configure a way for the nagios user to restart
httpd. Sudoers would help there. Otherwise, you'll end up having to SSH
as root to restart it.
Hope that helps.
---------------------------------------------------------------------
Demetri Mouratis
dmourati at linfactory.com
</PRE></BLOCKQUOTE><BR></BLOCKQUOTE></BODY></HTML>