Trying to understand check_by_ssh

Tedman Eng teng at dataway.com
Wed Mar 30 02:35:34 CEST 2005


> 2) Check_by_ssh
>
> Andreas will be along shortly to point out a security hole in
> check_by_ssh IF somebody can compromise your monitoring host to the
> extent that they can become the nagios user.  That hole allows somebody
> who can become nagios on your monitoring host to become nagios on your
> monitored hosts and execute arbitrary commands as the nagios user.

On the remote hosts, I use a security wrapper that restricts the ssh'ed
commands.
In the event that Mother Nagios gets compromised, the ssh-based checks pose
no risk to the remote nodes.

First, we modify the authorized_keys on the remote end and add the
"command=..." option to force a specific command to be executed whenever this
key is used to log in.  In this case we execute our security wrapper script.

  --- restricted ssh key on remote host (one line in authorized_keys) ----
    command="/home/nagios/ssh-wrapper" ssh-dss +yIDIwfYYyzxKKJKjxUGbVjqhYJuBLJDOY106IvRy82o3APtXWa3S7dOKQ9tozTSBlaZS4y6uiw5CRYiuvYm7EWnOCoP8z/GfcepTokzWTnewlLXvbpgvX2RPZ1057ScZGCzt63gmbR3J9D4cjJLdQkDsW7thp
  ------------------------------------------


Then, we create the wrapper script, which checks our incoming command and
tosses out everything else.
The pattern matched, "^check_", can be made more or less restrictive to suit
your level of paranoia.

  --------- wrapper on remote host ---------
    #!/bin/sh
    # ssh-wrapper.sh
    # Forced command: sshd puts the command line the client asked for in
    # $SSH_ORIGINAL_COMMAND; only commands beginning with "check_" are run.

    PREFIX=/usr/local/nagiosplugins/libexec

    set -f   # no pathname expansion of the client-supplied string
    if echo "$SSH_ORIGINAL_COMMAND" | egrep "^check_" >/dev/null 2>&1; then
      # left unquoted on purpose: word-split into plugin name and arguments
      $PREFIX/$SSH_ORIGINAL_COMMAND 2> /dev/null
    else
      echo "Permission denied."
      exit 1
    fi
  ------------------------------------------
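As an added example (my own, not the poster's script), a stricter form of the same forced-command wrapper: it allowlists the whole command line with a regular expression, so shell metacharacters, globs and any "/" in the plugin name are rejected before anything runs, and it refuses plugin names that do not exist as executables under the plugin directory. The plugin directory is the one from the post; the plugin names used when exercising it are constructed.

```shell
#!/bin/sh
# Stricter forced-command wrapper for check_by_ssh (added example, not the
# original poster's script).  Assumes plugins live under PLUGIN_DIR and that
# the client sends "check_<name> [args...]" as its command line.

PLUGIN_DIR="${PLUGIN_DIR:-/usr/local/nagiosplugins/libexec}"

# validate_command CMDLINE
# Prints the plugin basename and returns 0 if CMDLINE is acceptable:
#  - first word is check_ followed by [A-Za-z0-9_] only, so it can never
#    contain '/' (no path traversal out of PLUGIN_DIR);
#  - arguments are limited to a conservative character set, so ';' '|' '&'
#    '$' '`' '<' '>' '*' '?' '[' and quotes are all rejected up front.
validate_command() {
    cmdline=$1
    printf '%s\n' "$cmdline" \
      | grep -Eq '^check_[A-Za-z0-9_]+( +[A-Za-z0-9_./:=,%@-]+)*$' || return 1
    printf '%s\n' "${cmdline%% *}"
}

# run_command CMDLINE
# Validates CMDLINE, refuses anything that is not an executable plugin, and
# otherwise runs the plugin with the client's arguments (nothing is passed
# through a shell, so the arguments are never re-interpreted).
run_command() {
    cmdline=$1
    plugin=$(validate_command "$cmdline") || {
        echo "Permission denied." >&2; return 1; }
    [ -x "$PLUGIN_DIR/$plugin" ] || {
        echo "Permission denied." >&2; return 1; }
    set -f                 # no pathname expansion while splitting
    set -- $cmdline
    set +f
    shift                  # drop the plugin name; "$@" is now its arguments
    "$PLUGIN_DIR/$plugin" "$@"
}

# When invoked by sshd as a forced command, act on the client's request.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    run_command "$SSH_ORIGINAL_COMMAND"
    exit $?
fi
```

Install it as the command="..." target in authorized_keys exactly as in the post; PLUGIN_DIR can be exported to point elsewhere.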
