event handlers on remote host

Tedman Eng teng at dataway.com
Wed Sep 22 20:47:02 CEST 2004


If you're doing passwordless ssh, you should definitely restrict commands
available to be run passwordless to just the httpd restart command.

http://www.hackinglinuxexposed.com/articles/20030109.html



-----Original Message-----
From: Martinus Nel [mailto:martinus.nel at scarceskills.com]
Sent: Wednesday, September 22, 2004 8:43 AM
To: Jorge Reyes
Cc: senthil; Demetri Mouratis; nagios-users at lists.sourceforge.net
Subject: Re: [Nagios-users] event handlers on remote host


Jorge,

Using an empty passphrase is not a good idea.  Here is a link to a better
method:
http://www.gentoo.org/proj/en/keychain/index.xml


Jorge Reyes wrote:
> 
>       Basic Idea
> 
> No-password authentication works because of public key crypto. Let's say 
> you have a local machine Ooga and a remote machine Booga. You want to be 
> able to ssh from Ooga to Booga without having to enter your password. 
> First you generate a public/private RSA key pair on Ooga. Then you send 
> your public key to Booga, so that Booga knows that Ooga's key belongs to 
> a list of authorized keys. Then when you try to ssh from Ooga to Booga, 
> RSA authentication is performed automagically.
> 
> Here are detailed steps on how to do this.
> 
> *NOTE:* The following examples and scenarios assume you are creating 
> only a single key, e.g. one RSA key or one DSA key. If it turns out that 
> you've created both keys on your (client) system, then you will need to 
> send *both* of them to the SSH/SSH2 server; otherwise, you may still be 
> asked to enter a passphrase. Thanks to Steve McCarthy for pointing this 
> out.
> 
> ------------------------------------------------------------------------
> 
> 
>       ssh1
> 
> If you're using ssh1, then do this:
> 
> ooga% ssh-keygen -f ~/.ssh/identity
> 
> This will generate a public/private rsa1 key pair. When it asks you to 
> enter your passphrase, just hit return (i.e. leave it empty). Now you 
> need to send your public key to the remote server.
> 
>   ooga% cd .ssh
>   ooga% scp identity.pub user at booga:~/.ssh
> 
> Now you need to log into Booga and add Ooga's public key to Booga's list 
> of authorized keys.
> 
>   ooga% ssh user at booga
> 
>   booga% cd .ssh
>   booga% cat identity.pub >> authorized_keys
>   booga% chmod 640 authorized_keys
>   booga% rm -f identity.pub
> 
> That's it! You can now ssh from Ooga to Booga without entering your 
> password.
> 
> ------------------------------------------------------------------------
> 
> 
>       ssh2
> 
> It's harder for ssh2. There are two common implementations of ssh2: 
> OpenSSH and SSH2. Let's say we want to ssh from Ooga to Booga. If Ooga 
> and Booga both run the same implementation then it's easy. Otherwise, we 
> need to do some extra work to make them talk to each other properly.
> 
> My particular situation is that my local machine is running Windows 2000 
> with the Cygwin tools and OpenSSH 3.2.x. The remote machines may either 
> have OpenSSH or SSH2. I'll cover these two cases below.
> 
> ------------------------------------------------------------------------
> 
> 
>       ssh2: Ooga = OpenSSH, Booga = OpenSSH
> 
> First, generate a public/private DSA key pair on Ooga.
> 
>   ooga% ssh-keygen -t dsa -f ~/.ssh/id_dsa
> 
> When you are asked for a passphrase, leave it empty. Now send the public 
> key to Booga.
> 
>   ooga% cd .ssh
>   ooga% scp id_dsa.pub user at booga:~/.ssh
> 
> Next, log in to Booga and add the public key to the list of authorized 
> keys.
> 
>   ooga% ssh user at booga
> 
>   booga% cd .ssh
>   booga% cat id_dsa.pub >> authorized_keys2
>   booga% chmod 640 authorized_keys2
>   booga% rm -f id_dsa.pub
> 
> Note that the filename is authorized_keys2, not authorized_keys. That's 
> it; you're ready to ssh from Ooga to Booga without having to enter a 
> password.
> 
> ------------------------------------------------------------------------
> 
> 
>       ssh2: Ooga = OpenSSH, Booga = SSH2
> 
> First, generate a public/private DSA key pair on Ooga.
> 
>   ooga% ssh-keygen -t dsa -f ~/.ssh/id_dsa
> 
> When you are asked for a passphrase, leave it empty. This key is stored 
> in a format that OpenSSH can use, but SSH2 cannot. You need to export 
> the key to a format that SSH2 understands.
> 
>   ooga% ssh-keygen -e -f .ssh/id_dsa.pub > id_dsa_ssh2_ooga.pub
> 
> Note: the exact flags you need to specify may differ in your case. Check 
> the man pages if the line above doesn't work. Now send the exported 
> public key to Booga.
> 
>   ooga% scp id_dsa_ssh2_ooga.pub user at booga:~/.ssh2/
> 
> Note: the target directory is .ssh2, not .ssh. Next, log in to Booga and 
> add the public key to the list of authorized keys.
> 
>   ooga% ssh user at booga
> 
>   booga% cd .ssh2
>   booga% cat >> authorization
>   key id_dsa_ssh2_ooga.pub
> 
>   <EOF>
>   booga% chmod 640 authorization
> 
> For SSH2, there is an authorization file in which you list the file 
> names of the authorized public keys. Note that this step is different 
> than the case in which Booga is running OpenSSH. Now you are ready to 
> ssh from Ooga to Booga without having to enter a password.
> 
>     -----Original Message-----
>     *From:* nagios-users-admin at lists.sourceforge.net
>     [mailto:nagios-users-admin at lists.sourceforge.net] *On Behalf Of* senthil
>     *Sent:* Wednesday, September 22, 2004 5:28 AM
>     *To:* Demetri Mouratis
>     *Cc:* nagios-users at lists.sourceforge.net
>     *Subject:* Re: [Nagios-users] event handlers on remote host
> 
>     And one more help: is it possible for someone to help me
>     with the process to set up non-interactive login in SSH ??
> 
>     regards,
>     Senthil
> 
>     Demetri Mouratis wrote:
> 
>>On Wed, 22 Sep 2004, senthil wrote:
>>
>>>Hi,
>>> I am currently working on using Nagios to monitor a remote host.
>>>Made use of the NRPE plugins to monitor the different services on a
>>>remote host.
>>>I tried event handlers and it works fine in the localhost. But if I want
>>>to employ event handlers on a remote machine say to start a HTTP server
>>>when the service moves on to hard state ? what can I do??
>>
>>Set up SSH to allow for non-interactive login to the remote machine and
>>restart the http daemon.
>>
>>You'll probably want to configure a way for the nagios user to restart
>>httpd.  Sudoers would help there.  Otherwise, you'll end up having to SSH
>>as root to restart it.
>>
>>Hope that helps.
>>---------------------------------------------------------------------
>>Demetri Mouratis
>>dmourati at linfactory.com
>>
> 
> 

-- 
Martinus Nel
System Administrator
Scarce Skills Ltd.
http://www.scarceskills.com
Tel: +44 (0) 1633 225461




-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting
any issue. 
::: Messages without supporting info will risk being sent to /dev/null
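The restriction Tedman recommends at the top of the thread (a passwordless key that can only run the httpd restart) combined with Demetri's sudoers suggestion, as an added example that is not code from the thread or from Nagios: a forced-command wrapper for the nagios user's key on Booga. The wrapper path /usr/local/bin/nagios-handler, the init script /etc/init.d/httpd, the `restart-httpd` keyword and the key material are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: lock a passwordless key down to one job.
# Assumed: this file is installed on Booga as /usr/local/bin/nagios-handler,
# httpd is restarted via /etc/init.d/httpd, and the key below is a placeholder.

# Line to append to ~nagios/.ssh/authorized_keys on Booga (one single line).
# command= makes sshd run this wrapper no matter what the client asked for;
# the no-* options refuse forwarding and a terminal for this key.
authorized_keys_line() {
    printf '%s\n' 'command="/usr/local/bin/nagios-handler",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-dss AAAA...PLACEHOLDER-KEY... nagios@ooga'
}

# Line for /etc/sudoers on Booga (add with visudo): nagios may run exactly
# this command as root with no password, nothing else.
sudoers_line() {
    printf '%s\n' 'nagios ALL=(root) NOPASSWD: /etc/init.d/httpd restart'
}

# sshd puts the command the client asked for in SSH_ORIGINAL_COMMAND.
# Only the exact keyword is honoured; anything else is logged and refused.
# $1 = requested command, $2 = "dry" to report instead of really restarting.
nagios_handler() {
    case "$1" in
        restart-httpd)
            if [ "$2" = "dry" ]; then
                echo "would run: sudo /etc/init.d/httpd restart"
            else
                sudo /etc/init.d/httpd restart
            fi
            ;;
        *)
            echo "nagios-handler: refused '$1'" >&2
            logger -p auth.warning "nagios-handler refused: $1" 2>/dev/null || true
            return 1
            ;;
    esac
}

# Dispatch only when sshd invokes this file as the installed wrapper.
case "$0" in
    */nagios-handler) nagios_handler "${SSH_ORIGINAL_COMMAND:-}" ;;
esac
```

The event handler on Ooga then runs `ssh nagios@booga restart-httpd`; sshd ignores the requested word and starts the wrapper, which checks it against the allowed keyword. An empty or altered request (for instance an interactive login attempt with this key) is refused and written to the auth log.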