On 11/16/2007 01:06 PM, Dave wrote:
> I've been RTFMing SSH. For background authentication like nagios uses,
> the book I'm reading recommends using the user's ssh config file to
> limit using passwordless keys to just do one task each. So if you want
> nagios to be able to do 3 kinds of checks without a password, you put
> 3 keys in nagios .ssh/authorized_keys file with command="" stuff for
> each. Then no matter what nagios thinks it is asking for (parameter of
> check_by_ssh) it gets whatever is configured for that key.
>
> I'm just wondering if anyone has taken this approach. It seems a bit
> complicated, spreading some of the nagios config info around to each
> monitored system, but it sort of appeals to me. Then you know that
> even if someone manages to get your key, all they can do is check_disk
> or something else boring.
I do something similar, though also add a 'from' restriction, in the event
the private key is compromised - here are a few examples:

For remote nagios instance monitoring:

> from="host-01.full.domain",command="/usr/lib/nagios/plugins/check_nagios -F
> /dev/shm/status.log -e 5 -C nagios" ssh-dss AAAA...
> from="host-02.full.domain",command="/usr/lib/nagios/plugins/check_nagios -F
> /dev/shm/status.log -e 5 -C nagios" ssh-dss AAAA...

*dons protective aluminum foil headgear*

In the keys on _some_ systems, I also add:

> no-port-forwarding
> no-X11-forwarding
> no-agent-forwarding

I usually only allow a single command per host - on hosts which I want to
execute multiple commands, rather than having a keypair-per-command, I make
the command a script which sanitizes the input and checks the command
against a list of predetermined allowed commands. Probably not as safe as
keypairs-per-command because it's not as explicit, but more
flexible/manageable in certain situations.

> Am I missing something? In addition to limiting key authentication to
> doing specific tasks, I also put an '*' in the nagios user's password
> field in /etc/passwd, which prevents them from logging in by password.

For the nagios user (and other system-ish accounts), setting the shell to
/sbin/nologin should do the trick.

-tt
--
Tom Throckmorton
OIT - CSI
Duke University

_______________________________________________
Nagios-users mailing list
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null
