check_by_ssh

Paul L. Allen pla at softflare.com
Tue Jan 20 20:36:42 CET 2004


David Olbersen writes: 

> -i is not required if you stick to standard key file names. I swear. 
> I have it working right now, sans -i :)

Ah, OK.  Of course, I didn't use the standard key file names.  I had
a reason at the time.  Really. 

> You only need -i if you're going to have one key file per check.

Or if you wanted to try chaining check_by_ssh calls to traverse firewalls
and wanted to ensure that a different key was used on the internal
network (because the firewall itself would need the private key and you
don't want client A to have any chance of poking around on client B).
However I couldn't get that to work, so I could probably revert to
standard filenames. 

> I considered that but decided it was too much work.

I came to the same conclusion.  The only way somebody will get the
private key is by compromising the monitoring box and if they can get
one private key they can get all of them. 

> and nagios' SSH key is restricted by source IP.

Ummm, the key is?  Or do you mean you're using hosts.allow to block
connections from other IPs?  I just copied the nagios key from our
monitoring box to my home machine and used the key to log in as nagios
to one of the boxes we monitor, so IP is not built into the key. 

> Note: You should probably SSH to the machine by IP when trying to add
> the host key to the list of known hosts -- that's how Nagios does it by 
> default. At least, that's how my installation does it.

You should use however you refer to the machine in the service check.
IP addresses speed things up, but bite you if they ever change (customers
switch internet connectivity providers sometimes) and you forget to
update nagios as well as the relevant DNS zone file and in the
network config of the remote machine and any other places it's hard-wired.
If your monitoring box runs its own DNS server the hit from using a
domain name is going to be very minimal because it will be cached for
the TTL and instantly available thereafter. 

And remember to set StrictHostKeyChecking to no if the machine you're
monitoring has dynamic IP (for which you need dynamic DNS and some way
of getting changes of IP address to your DNS server). 

-- 
Paul Allen
Softflare Support 
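
A source-address restriction on a key can be set on the monitored host with the from="pattern-list" option in OpenSSH's authorized_keys file. The script below is an added example, not part of the original message: it reports which entries carry that option. The sample file, key material, comments and addresses are constructed.

```python
KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")   # key-type names start a line with no options
# Constructed sample: placeholder key material, documentation-range addresses.
SAMPLE = """\
# nagios keys on a monitored host
from="192.0.2.10",no-pty,no-port-forwarding ssh-rsa AAAAB3PLACEHOLDER nagios@monitor
ssh-rsa AAAAB3PLACEHOLDER nagios@unrestricted
from="192.0.2.10,198.51.100.0/24",command="/bin/echo a, b" ssh-ed25519 AAAAC3PLACEHOLDER nagios@chained
"""

def split_options(line):
    """Split the leading options field from the key, honouring double quotes."""
    if line.startswith(KEY_PREFIXES):
        return [], line
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and line[i:i + 2] == '\\"':      # escaped quote inside a value
            cur += '\\"'
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if not quoted and ch in ", \t":
            opts.append(cur)
            cur = ""
            if ch != ",":                           # unquoted whitespace ends the options
                return opts, line[i:].strip()
        else:
            cur += ch
        i += 1
    return opts + [cur], ""

def audit(text):
    """Map each key's comment to its from= pattern list, or None if unrestricted."""
    report = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, key = split_options(line)
        fields = key.split(None, 2)
        label = fields[2] if len(fields) > 2 else line
        froms = [o.partition("=")[2] for o in opts if o.lower().startswith("from=")]
        report[label] = froms[-1].strip('"').split(",") if froms else None
    return report

if __name__ == "__main__":
    for label, patterns in audit(SAMPLE).items():
        print(label, "->", patterns or "NO from= restriction")
```

An entry reported with no from= restriction accepts the key from any address that can reach sshd, which matches the copy-the-key-home test described in the message.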



