Thanks to the two Toms for their helpful responses.

On Nov 16, 2007 8:26 AM, Thomas Guyot-Sionnest <[EMAIL PROTECTED]> wrote:
> While I use command-restricted keys for
> all passwordless auth (usually cronjobs), this is the reason why I never
> looked into check_by_ssh and use NRPE instead.

NRPE makes me a bit nervous because I suppose (without any data to back it up) that relatively few people use it (at least compared to ssh). What criteria did you use in making the evaluation of check_by_ssh vs. NRPE?

SSH is tempting because I don't have to install and configure much new stuff or learn much new stuff, or at least what I learn has broad applications. And though the configuration may be a bit long-winded, it seems pretty clear. And I *think* I can nail it down pretty well, so that even if my private keys on the nagios server got compromised, nothing much bad could happen to the other hosts.

> You can also set the shell to /bin/false and set a non
> existent home directory (ex. "/nonexistent").

Doesn't the nagios user need a shell and a home dir to run the daemon? Maybe I was just thinking that it needed a home dir to put the ssh keys in, but they can be located anywhere. Slowly understanding blooms.

On Nov 16, 2007 8:51 AM, Tom Throckmorton <[EMAIL PROTECTED]> wrote:
> I do something similar, though also add a 'from' restriction, in the
> event the private key is compromised - here are a few examples:

Thanks for examples and suggestions, they help.

>
> I usually only allow a single command per host - on hosts which I want
> to execute multiple commands, rather than having a keypair-per-command,
> I make the command a script which sanitizes the input and checks the
> command against a list of predetermined allowed commands.

Interesting. I hadn't gotten to the details of the forced commands part of the ssh book yet, so I didn't know about $SSH_ORIGINAL_COMMAND. Hmmm.... Flexible, complicated. A bit harder to be sure I haven't left any cracks. Stuff to think about.

Dave
_______________________________________________
Nagios-users mailing list
https://lists.sourceforge.net/lists/listinfo/nagios-users
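
The forced-command script with a `from` restriction discussed in the thread could look like the following. This is an added example, not part of the original messages and not either poster's script; the wrapper path, plugin directory, check thresholds, key and `from` address are assumptions.

```sh
#!/bin/sh
# Forced-command wrapper for a Nagios check key (added example).
# Assumed authorized_keys entry on the monitored host (address, path, key are placeholders):
#   from="192.0.2.10",command="/usr/local/bin/nagios-check-wrapper",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...placeholder nagios@monitor

PLUGIN_DIR=/usr/lib/nagios/plugins   # assumed plugin location

# Map the client's request to a fixed command line. Only a bare check name is
# accepted; arguments are never taken from the client. Prints the command and
# returns 0 if the request is allowed, returns 1 otherwise.
resolve_check() {
    case "$1" in
        *[!a-z_]*|'') return 1 ;;    # empty, or anything beyond lowercase letters and "_"
    esac
    case "$1" in
        check_disk)  echo "$PLUGIN_DIR/check_disk -w 20% -c 10% -p /" ;;
        check_load)  echo "$PLUGIN_DIR/check_load -w 5,4,3 -c 10,8,6" ;;
        check_procs) echo "$PLUGIN_DIR/check_procs -w 250 -c 400" ;;
        *) return 1 ;;               # well-formed name, but not on the list
    esac
}

# sshd sets SSH_ORIGINAL_COMMAND to whatever the client asked to run.
# If the client asked for nothing (an interactive login), the script simply
# ends, so the key never yields a shell.
if [ -n "${SSH_ORIGINAL_COMMAND+x}" ]; then
    if cmd=$(resolve_check "$SSH_ORIGINAL_COMMAND"); then
        exec $cmd    # unquoted on purpose: cmd is one of the fixed strings above
    fi
    logger -t nagios-check-wrapper "rejected request from ${SSH_CLIENT%% *}"
    echo "UNKNOWN: command not allowed"
    exit 3           # Nagios plugin exit code for UNKNOWN
fi
```

Because the client can only select a name and never supplies arguments, a stolen private key is limited to running these three fixed checks, and only from the address in `from`.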
