-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 16/11/07 01:06 PM, Dave wrote:
> I've been RTFMing SSH. For background authentication like nagios uses,
> the book I'm reading recommends using the user's ssh config file to
> limit using passwordless keys to just do one task each. So if you want
> nagios to be able to do 3 kinds of checks without a password, you put
> 3 keys in nagios .ssh/authorized_keys file with command="" stuff for
> each. Then no matter what nagios thinks it is asking for (parameter of
> check_by_ssh) it gets whatever is configured for that key.
>
> I'm just wondering if anyone has taken this approach. It seems a bit
> complicated, spreading some of the nagios config info around to each
> monitored system, but it sort of appeals to me. Then you know that
> even if someone manages to get your key, all they can do is check_disk
> or something else boring.
This is indeed good practice. While I use command-restricted keys for all
passwordless auth (usually cronjobs), this is the reason why I never looked
into check_by_ssh and use NRPE instead. Having unrestricted passwordless auth
from your monitoring system makes all your servers fully and easily
vulnerable if your monitoring server gets compromised.

> Am I missing something? In addition to limiting key authentication to
> doing specific tasks, I also put an '*' in the nagios user's password
> field in /etc/passwd, which prevents them from logging in by password.
>
> Thanks,
> Dave

Hmm, isn't that a shadow-less way of locking a user? I'm not totally sure
about your method, but I do it with "passwd -l username" to lock and
"passwd -u username" to unlock a user. At least on my systems it adds/removes
a "!" in the password field of /etc/shadow (passwd stays unchanged).

You can also set the shell to /bin/false and set a non-existent home
directory (ex. "/nonexistent").

Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHPeDp6dZ+Kt5BchYRAo0hAJsEz141HKUFG60E7fqozMvP7Xg89ACg+VHY
U+dRI7XTPq6HaCOJ7OysPmA=
=Utoc
-----END PGP SIGNATURE-----

_______________________________________________
Nagios-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null
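The setup Dave and Thomas discuss, as an added example (not code from either poster): one function emits a command-pinned authorized_keys entry for a single plugin call, one audits a nagios user's authorized_keys for keys that were left unrestricted, and one checks whether a passwd/shadow line is locked the way "passwd -l" or a "*" leaves it. The plugin paths under /usr/lib/nagios/plugins, the key blobs and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example; not code from the mailing-list thread. It shows (a) what a
# command-restricted authorized_keys entry for a nagios check looks like,
# (b) an audit that flags keys of the nagios user that lack command=, and
# (c) a check of whether a passwd/shadow password field is locked.
# Plugin paths, key strings and the sample file are constructed/assumed.

# (a) Pin one key to one plugin invocation. sshd runs "$cmd" no matter what
# check_by_ssh asked for; the requested command is only exposed to $cmd via
# SSH_ORIGINAL_COMMAND. The no-* options close the usual side channels.
restricted_key_line() {
    cmd=$1
    key=$2
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$cmd" "$key"
}

# (b) Print the last field (the key comment) of every non-comment, non-blank
# line without command=. Such a key hands the monitoring host a full shell.
unrestricted_keys() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' \
        | grep -v 'command="' | awk '{ print $NF }'
}

# (c) Succeed if the second field of a passwd/shadow line is locked:
# "!" or "!<hash>" is what passwd -l writes; "*" can never match a hash.
# Neither blocks key-based SSH logins, which is why command= still matters.
password_locked() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case $field in
        '!'*|'*') return 0 ;;
        *)        return 1 ;;
    esac
}

# Constructed sample authorized_keys: two pinned checks and one bare key.
write_sample_keys() {
    cat > "$1" <<'EOF'
# nagios check keys (constructed sample)
command="/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructed1 nagios-check_disk@monitor
command="/usr/lib/nagios/plugins/check_load -w 5,4,3 -c 10,8,6",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructed2 nagios-check_load@monitor
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructed3 nagios-unrestricted@monitor
EOF
}

# Stand-alone run: audit the sample, then print a properly pinned entry.
tmp=$(mktemp)
write_sample_keys "$tmp"
echo "Keys without command= restriction:"
unrestricted_keys "$tmp"
rm -f "$tmp"
echo "Pinned entry for check_users:"
restricted_key_line '/usr/lib/nagios/plugins/check_users -w 5 -c 10' \
    'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructed4 nagios-check_users@monitor'
```

Running the audit against a real nagios user's ~/.ssh/authorized_keys on each monitored host is the check that catches the failure mode Thomas describes: a single bare key is enough to turn a compromised monitoring server into a shell on every host. Adding a `from="monitor-host"` option in front of the `command=` entry restricts the key further to the monitoring host's address.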
