On 16/11/07 04:09 PM, Dave wrote:
> Thanks to the two Toms for their helpful responses.
>
> On Nov 16, 2007 8:26 AM, Thomas Guyot-Sionnest <[EMAIL PROTECTED]> wrote:
>> While I use command-restricted keys for
>> all passwordless auth (usually cronjobs), this is the reason why I never
>> looked into check_by_ssh and use NRPE instead.
>
> NRPE makes me a bit nervous because I suppose (without any data to
> back it up) that relatively few people use it (at least compared to

While many people use ssh to run passwordless remote commands, I believe in the Nagios world there are more people using NRPE than check_by_ssh, though I may be wrong... NRPE should be quite secure if you don't enable argument passing and use a strong enough password.

> ssh). What criteria did you use in making the evaluation of
> check_by_ssh vs. NRPE? SSH is tempting because I don't have to install
> and configure much new stuff or learn much new stuff, or at least what
> I learn has broad applications. And though the configuration may be a
> bit long-winded, it seems pretty clear. And I *think* I can nail it
> down pretty well, so that even if my private keys on the nagios server
> got compromised, nothing much bad could happen to the other hosts.

Even with ssh you still have to distribute the check plugins and set up the remote keys. Also, all your keys will have to be in the authorized_keys, which can be harder to manage.

With NRPE you can define a config directory where you can put various config files depending on the server role. For example, I have one for all Linux servers, then one for web servers, one for DB, etc. When I want to modify/add something for all servers (or a group of servers) I just have to copy the appropriate configs and plugins and SIGHUP nrpe to get the new config active.

>> You can also set the shell to /bin/false and set a non
>> existent home directory (ex. "/nonexistent").
>
> Doesn't the nagios user need a shell and a home dir to run the daemon?
> Maybe I was just thinking that it needed a home dir to put the ssh
> keys in, but they can be located anywhere. Slowly understanding
> blooms.

Well, check_by_ssh will need a homedir, unless you want to apply the keys system-wide (bad idea IMO). For the shell I'm not sure, it depends on whether ssh passes the command to a shell (which would allow pipes and stuff) or just runs it directly.

Thomas

_______________________________________________
Nagios-users mailing list
Nagios-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
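
An added example, not part of the original thread: a small audit of `authorized_keys` entries for the command-restricted keys discussed above, flagging any key that lacks a forced command or leaves forwarding/pty enabled. The sample entries, key blobs and plugin paths are constructed placeholders; the option names are the standard sshd `authorized_keys` options.

```python
import re

KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)$")
# Features a monitoring key never needs; "restrict" turns all of them off.
LOCKDOWN = ("no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty")

def parse_options(line):
    """Return the options of one authorized_keys line as {name: value}."""
    if KEY_TYPE.match(line.split(None, 1)[0]):
        return {}                      # line starts with the key type: no options
    opts, buf, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and line[i:i + 2] == '\\"':   # escaped quote inside a value
            buf, i = buf + '"', i + 1
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            opts.append(buf)
            buf = ""
        elif ch.isspace() and not quoted:
            break                      # unquoted whitespace ends the options field
        else:
            buf += ch
        i += 1
    opts.append(buf)
    return {name.lower(): value for name, _, value in (o.partition("=") for o in opts)}

def audit(text):
    """Return [(line_number, [problems])] for entries that are not locked down."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        opts = parse_options(line)
        problems = [] if "command" in opts else ["no forced command"]
        if "restrict" not in opts:
            problems += [f"missing {o}" for o in LOCKDOWN if o not in opts]
        if problems:
            findings.append((n, problems))
    return findings

# Constructed sample; key blobs are placeholders and the plugin paths are hypothetical.
SAMPLE = """\
ssh-rsa AAAAB3PLACEHOLDER nagios@monitor
command="/usr/local/nagios/libexec/check_disk -w 20% -c 10%",no-pty ssh-rsa AAAAB3PLACEHOLDER nagios@monitor
restrict,command="/usr/local/bin/nagios-wrapper" ssh-ed25519 AAAAC3PLACEHOLDER nagios@monitor
"""

if __name__ == "__main__":
    for n, problems in audit(SAMPLE):
        print(f"line {n}: {', '.join(problems)}")
```

The audit does not check `from=` source restrictions or options that re-enable a feature after `restrict`; both are worth reviewing by hand for a monitoring key.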