check_mysql

John P. Rouillard rouilj at cs.umb.edu
Fri Jan 6 00:41:19 CET 2006


In message <A7B0A9F02975A74A845FE85D0B95B8FA025BD5CD at misex01.ena.com>,
"Marc Powell" writes:
>check_by_ssh only allows for host-key based authentication methods, not
>password so one issue is already taken care of.

What I did was use ssh-agent to keep the decrypted password.  I had
hacked check_by_ssh (I no longer have access to the hacks) to allow
SSH_AUTH_SOCK to be passed through.

The init script for nagios started the ssh-agent, and was able to find
and reuse any running ssh-agent. So multiple nagios stops and starts
worked without re-entering the key. This way the public key file on
disk was able to be encrypted, but the daemon could use the public key.

They had 24x7 coverage and if the system crashed and restarted, it
would notify the on-call person to add the nagios keys to the agent. A
service was created that used ssh-add to verify the existence of the
key. If the key disappeared a normal nagios alert went out.

Worked quite well.

You could also make all check_by_ssh services depend on the key test
service and not alert if the key was missing to prevent flooding the on
duty operator with messages.

Since you can restrict the nagios key to allow access only from
certain hosts and it can force a command to run that prevents running
of arbitrary commands, we found it to be sufficiently secure.

				-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
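
The key test service described in the message above, sketched as an added example (not the author's original check, which the message does not include): a Nagios plugin that maps the result of `ssh-add -l` to Nagios exit codes. The function name `check_agent_key`, the key comment `nagios@monitor` and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: Nagios plugin for the "is the key still in the agent?" service.
# Nagios plugin exit codes: 0=OK, 1=WARNING, 2=CRITICAL, 3=UNKNOWN.

# check_agent_key RC LISTING WANTED
#   RC      exit status of `ssh-add -l` (0 keys listed, 1 no identities,
#           2 agent unreachable, per ssh-add(1))
#   LISTING text printed by `ssh-add -l`
#   WANTED  fixed string identifying the key (comment or fingerprint)
check_agent_key() {
    cak_rc=$1 cak_listing=$2 cak_wanted=$3
    case "$cak_rc" in
        0)
            if printf '%s\n' "$cak_listing" | grep -qF -- "$cak_wanted"; then
                echo "OK - key '$cak_wanted' is loaded in ssh-agent"
                return 0
            fi
            echo "CRITICAL - agent is up but key '$cak_wanted' is not loaded"
            return 2 ;;
        1)  echo "CRITICAL - ssh-agent holds no identities"
            return 2 ;;
        2)  echo "CRITICAL - cannot contact ssh-agent (check SSH_AUTH_SOCK)"
            return 2 ;;
        *)  echo "UNKNOWN - unexpected ssh-add exit status $cak_rc"
            return 3 ;;
    esac
}

# Constructed sample of `ssh-add -l` output, for offline testing only.
SAMPLE_LISTING='2048 SHA256:CONSTRUCTED0example0fingerprint0only nagios@monitor (RSA)'

# Live use: check_agent_key.sh nagios@monitor
# SSH_AUTH_SOCK must point at the agent the Nagios init script started.
if [ "$#" -gt 0 ]; then
    live_rc=0
    live_listing=$(ssh-add -l 2>&1) || live_rc=$?
    check_agent_key "$live_rc" "$live_listing" "$1"
    exit $?
fi
```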

