I've been RTFMing SSH. For background authentication like nagios uses, the book I'm reading recommends using the user's ssh config file to limit using passwordless keys to just do one task each. So if you want nagios to be able to do 3 kinds of checks without a password, you put 3 keys in nagios's .ssh/authorized_keys file with command="" stuff for each. Then no matter what nagios thinks it is asking for (parameter of check_by_ssh) it gets whatever is configured for that key.
I'm just wondering if anyone has taken this approach. It seems a bit complicated, spreading some of the nagios config info around to each monitored system, but it sort of appeals to me. Then you know that even if someone manages to get your key, all they can do is check_disk or something else boring. Am I missing something?

In addition to limiting key authentication to doing specific tasks, I also put an '*' in the nagios user's password field in /etc/passwd, which prevents them from logging in by password.

Thanks,
Dave

_______________________________________________
Nagios-users mailing list
https://lists.sourceforge.net/lists/listinfo/nagios-users
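An added example, not part of the original post: a small auditor for the per-key `command="..."` setup described above, which parses an authorized_keys file and reports keys that lack a forced command or still allow a pty or forwarding. The plugin paths, thresholds, key blobs and key comments in the sample are constructed placeholders.

```python
import re

# Key-type prefixes that mark the end of the options field.
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")
# Per-feature lockdown options; "restrict" (OpenSSH 7.2+) implies all of them.
LOCKDOWN = {"no-pty", "no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding"}
# One option: name, optional quoted value (may hold commas and \"), then "," or blank.
OPT = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?(,|[ \t]+)')

def parse_line(line):
    """Return (options dict, key text), or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    opts, pos = {}, 0
    while not line.startswith(KEY_TYPES, pos):
        m = OPT.match(line, pos)
        if m is None:
            raise ValueError("unparseable options: " + line[:40])
        opts[m.group(1).lower()] = True if m.group(2) is None else m.group(2)
        pos = m.end()
    return opts, line[pos:]

def audit(text):
    """Map each key's comment field to the list of problems found for that key."""
    report = {}
    for number, raw in enumerate(text.splitlines(), 1):
        parsed = parse_line(raw)
        if parsed is None:
            continue
        opts, key = parsed
        fields = key.split(None, 2)
        label = fields[2] if len(fields) > 2 else "line %d" % number
        findings = []
        if opts.get("command") in (None, True, ""):
            findings.append("missing or empty command=")
        missing = sorted(LOCKDOWN - set(opts))
        if missing and "restrict" not in opts:
            findings.append("missing: " + ", ".join(missing))
        report[label] = findings
    return report

# Constructed sample: plugin paths, thresholds and key blobs are placeholders.
SAMPLE = r'''
command="/usr/lib/nagios/plugins/check_disk -w 20% -c 10%",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAAconstructed1 nagios-check-disk
restrict,command="/usr/lib/nagios/plugins/check_load -w 5,4,3 -c 10,8,6" ssh-ed25519 AAAAconstructed2 nagios-check-load
command="/usr/lib/nagios/plugins/check_procs -c 1: -C \"sshd\"",no-pty ssh-ed25519 AAAAconstructed3 nagios-check-procs
ssh-ed25519 AAAAconstructed4 nagios-unrestricted
'''
```

Running `audit()` over each monitored host's real authorized_keys file gives a quick check that every nagios key is pinned to one plugin and cannot open a shell or a tunnel.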
