check_by_ssh question

Paul L. Allen pla at softflare.com
Fri Mar 26 03:47:48 CET 2004


Andreas Ericsson writes: 

> Questions about that?

OK, so somebody who can get shell as the nagios user on the monitoring
machine can bypass things and hijack the Nagios user on monitored
machines.  It is a vulnerability, but only if somebody can get shell
as nagios on the monitoring machine.  If nagios on the monitoring
machine has no password the only way somebody could get shell as nagios
is if they're already root.  In which case you probably have a lot
more to worry about than them being able to execute arbitrary commands
*as nagios* on the monitored machines.  Unless you've done something silly,
(like make a plugin setuid instead of using sudo or left your machine
wide open to unprivileged users) then there's not that much damage
somebody could do as nagios anyway.  The worst they can do is either
fake check results or trash your nagios installation.  Well, they could
grab /etc/passwd, but surely everyone is using shadow passwords these
days. 

> Hmm... I think I'll start working on ssh style encryption (dsa) for nrpe, 
> with public / private key handshake and so on. Seems a bit easier than all 
> this hassle.

The configuration for NRPE is, in my opinion, a pain in the anatomy.  Add
to that the lack of security other than tcpwrappers (which I can't make
use of because my boss insists on being able to monitor from his home
cable line which gets a new IP every so often) and it's even less
desirable. 

So I switched to check_by_ssh, which is workable.  Until you need to
start monitoring machines behind a firewall.  I couldn't get check_by_ssh
to send a command that ran check_by_ssh on the firewall to run a
command on the monitored machine.  Maybe it's possible with enough
quoting and escaping of quoting but I didn't find something that worked
and eventually gave up. 

So now I use NCSA for machines behind firewalls.  First big advantage is it
takes some of the load off the monitoring machine.  Second big advantage
is that the configs are almost identical on monitoring machine and on
firewall instead of being completely different.  Third big advantage
is that it's actually encrypted. 

The disadvantage of NCSA is that if you have many different firewalls
installed at clients sites and you're monitoring the clients' networks
then they all share the same password so theoretically a malicious
person at one client who could get root access on the firewall could
screw up other clients' results (anyone with a rescue disk or distribution
CD can gain root if they have physical access).  I can't think of a reason
why anyone would want to do this, but they could.  You can get around it
by running many copies of the NCSA daemon each with a different config
file, a different password and listening on a different port. 

But if you really felt an urge to start hacking around, I'd like to
see NCSA take an optional username and the daemon take a list of
username/password pairs.  Then each client could have a different username
and password and the only (slight, improbable) security hole in NCSA
would be plugged without having to run multiple daemons. 

-- 
Paul Allen
Softflare Support 




-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null





More information about the Users mailing list