putting limits on check_by_ssh

Dave tdbtdb+nagios at gmail.com
Fri Nov 16 19:06:12 CET 2007


I've been RTFMing SSH. For background authentication like nagios uses,
the book I'm reading recommends using the user's ssh config file to
limit using passwordless keys to just do one task each. So if you want
nagios to be able to do 3 kinds of checks without a password, you put
3 keys in nagios .ssh/authorized_keys file with command="" stuff for
each. Then no matter what nagios thinks it is asking for (parameter of
check_by_ssh) it gets whatever is configured for that key.

I'm just wondering if anyone has taken this approach. It seems a bit
complicated, spreading some of the nagios config info around to each
monitored system, but it sort of appeals to me. Then you know that
even if someone manages to get your key, all they can do is check_disk
or something else boring.

Am I missing something? In addition to limiting key authentication to
doing specific tasks, I also put an '*' in the nagios user's password
field in /etc/passwd, which prevents them from logging in by password.
Thanks,
Dave
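
The per-key `command=""` setup described in the message above, shown as an added example that is not part of the original post: a constructed `authorized_keys` file for the nagios user and a small audit that flags any key lacking a forced command or the forwarding/pty restrictions. The plugin paths, thresholds, key blobs and key comments are assumptions made for illustration.

```python
import re

# Constructed sample authorized_keys for the nagios user on a monitored host.
# Plugin paths, thresholds and key blobs are placeholders, not values from the post.
SAMPLE = r'''
# one key per check; check_by_ssh's requested command is ignored
command="/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAPLACEHOLDER1 nagios-disk
command="/usr/lib/nagios/plugins/check_load -w 5,4,3 -c 10,8,6",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAPLACEHOLDER2 nagios-load
command="/usr/lib/nagios/plugins/check_procs -w 250 -c 400",no-pty ssh-rsa AAAAPLACEHOLDER3 nagios-procs
ssh-rsa AAAAPLACEHOLDER4 nagios-unrestricted
'''

KEY_TYPE = re.compile(r'^(ssh-|ecdsa-|sk-)')
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?,?')
HARDENING = {"no-pty", "no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding"}

def split_options(line):
    """Split a key line into (options dict, remainder); quoted values may hold commas and spaces."""
    opts, i = {}, 0
    if KEY_TYPE.match(line):
        return opts, line  # line starts with the key type, so it has no options
    while i < len(line) and not line[i].isspace():
        m = OPTION.match(line, i)
        if not m:
            raise ValueError("unparseable options: " + line[:40])
        opts[m.group(1).lower()] = m.group(2)  # option names are case-insensitive
        i = m.end()
    return opts, line[i:].strip()

def audit(text):
    """Return [(label, [problems])] for every key line; label is the line's last field."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        problems = []
        if not opts.get("command"):
            problems.append("no forced command")
        if "restrict" not in opts:  # newer OpenSSH: 'restrict' turns all of these off at once
            missing = sorted(HARDENING - set(opts))
            if missing:
                problems.append("missing " + ",".join(missing))
        findings.append((rest.split()[-1], problems))
    return findings

if __name__ == "__main__":
    for label, problems in audit(SAMPLE):
        print(label, "; ".join(problems) if problems else "OK")
```

A forced command alone still leaves port, agent and X11 forwarding available to the key holder, which is why the audit reports the third key as well as the fourth.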

_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users