Hi there. I now have a third slave about to be deployed but this time the security team really are putting their foot down.
For reasons I can't go into we have to have reverse SSH tunnels requiring connectivity from slave to master which initiates the reverse tunnel. They are stating there is absolutely no way a slave can get a shell on the master so we have a simple fix - set the shell on the master to /bin/cat. This works just fine. The slave can initiate the tunnel and opsview chunders along just fine. A reload on the master works perfectly.

The trouble is then on the master side. Because the nagios user effectively no longer has a shell you cannot restart opsview or do anything else that requires being the nagios user.

So my question is... Can there be a second user on the master for the tunnel as opposed to the nagios user? For example...

nagios user on slave --> SSH --> nagios2 user on master

This second user could have a restricted shell and we could keep a regular shell for the nagios user. Everyone's happy.

I'm assuming if this can be done that the Opsview application would need to be aware of the second user and that the tunnel established by that user could be communicated over. Is this a possibility? I'd argue if this could work then it would make the whole distributed application considerably more secure so worth considering.

Thoughts?

_______________________________________________
Opsview-users mailing list
[email protected]
http://lists.opsview.org/listinfo/opsview-users
