putting limits on check_by_ssh

Thomas Guyot-Sionnest dermoth at aei.ca
Fri Nov 16 19:26:49 CET 2007


On 16/11/07 01:06 PM, Dave wrote:
> I've been RTFMing SSH. For background authentication like nagios uses,
> the book I'm reading recommends using the user's ssh config file to
> limit using passwordless keys to just do one task each. So if you want
> nagios to be able to do 3 kinds of checks without a password, you put
> 3 keys in nagios .ssh/authorized_keys file with command="" stuff for
> each. Then no matter what nagios thinks it is asking for (parameter of
> check_by_ssh) it gets whatever is configured for that key.
> 
> I'm just wondering if anyone has taken this approach. It seems a bit
> complicated, spreading some of the nagios config info around to each
> monitored system, but it sort of appeals to me. Then you know that
> even if someone manages to get your key, all they can do is check_disk
> or something else boring.

This is indeed good practice. While I use command-restricted keys for
all passwordless auth (usually cronjobs), this is the reason why I never
looked into check_by_ssh and use NRPE instead.

Having unrestricted passwordless auth from your monitoring system makes
all your servers fully and easily vulnerable if your monitoring server
gets compromised.

> Am I missing something? In addition to limiting key authentication to
> doing specific tasks, I also put an '*' in the nagios user's password
> field in /etc/passwd, which prevents them from logging in by password.
> Thanks,
> Dave

Humm, isn't that a shadow-less way of locking a user? I'm not totally
sure about your method, but I do it with "passwd -l username" to lock
and "passwd -u username" to unlock a user. At least on my systems it
adds/removes a "!" in the password field of /etc/shadow (passwd stays
unchanged). You can also set the shell to /bin/false and set a
nonexistent home directory (ex. "/nonexistent").


Thomas
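As an added example (not code from either poster), here is one way to put the thread's advice into practice on a monitored host. Dave's approach uses one forced-command key per check; this variant generalizes it to a single key whose forced command is a wrapper that looks at SSH_ORIGINAL_COMMAND, keeps only the check name, and maps it to a fixed plugin invocation from an allowlist, so the monitoring server still cannot choose arguments. The wrapper path /usr/local/bin/nagios-check-wrapper, the plugin directory, the thresholds, the 10.0.0.5 monitoring address and the key material are all constructed placeholders; the account-locking commands in the header comments are the ones Thomas describes.

```shell
#!/bin/sh
# nagios-check-wrapper: forced command for the monitoring key on a monitored host.
#
# Constructed authorized_keys entry for ~nagios/.ssh/authorized_keys (one line):
#   restrict,from="10.0.0.5",command="/usr/local/bin/nagios-check-wrapper" ssh-ed25519 AAAA...placeholder nagios@monitor
# On OpenSSH older than 7.2, spell out what "restrict" covers:
#   no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,from="10.0.0.5",command="..." ssh-ed25519 ...
#
# Lock the account against password login, as discussed in the thread:
#   passwd -l nagios                      # adds "!" to the hash in /etc/shadow
#   usermod -s /usr/sbin/nologin nagios   # or /bin/false; no interactive shell
#
# Assumed plugin directory (placeholder; adjust to your distribution).
PLUGIN_DIR=/usr/lib/nagios/plugins

# check_name: take the command line the client asked for, keep only its first
# word, and accept it only if it is a plain identifier. Prints the name on success.
check_name() {
    name="${1%% *}"
    case "$name" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    printf '%s\n' "$name"
}

# resolve_check: map an accepted name to a fully specified plugin invocation.
# Arguments from the client are never used; the thresholds live here, on the host.
resolve_check() {
    case "$1" in
        check_disk) printf '%s\n' "$PLUGIN_DIR/check_disk -w 20% -c 10% -p /" ;;
        check_load) printf '%s\n' "$PLUGIN_DIR/check_load -w 5,4,3 -c 10,8,6" ;;
        check_swap) printf '%s\n' "$PLUGIN_DIR/check_swap -w 20% -c 10%" ;;
        *) return 1 ;;
    esac
}

# main: refuse anything not on the allowlist with Nagios exit code 3 (UNKNOWN),
# otherwise replace this shell with the fixed plugin command.
main() {
    name=$(check_name "${SSH_ORIGINAL_COMMAND:-}") || {
        echo "UNKNOWN: refused request: ${SSH_ORIGINAL_COMMAND:-<none>}"
        exit 3
    }
    cmd=$(resolve_check "$name") || {
        echo "UNKNOWN: '$name' is not an allowed check"
        exit 3
    }
    # Leave an audit trail of which check ran for which client address.
    if command -v logger >/dev/null 2>&1; then
        logger -t nagios-check-wrapper "running $name for ${SSH_CLIENT%% *}"
    fi
    # $cmd is a fixed allowlist string, so word-splitting it is intended.
    # shellcheck disable=SC2086
    exec $cmd
}

# Only dispatch when invoked under the forced-command path; sourcing the file
# elsewhere just defines the functions.
case "$0" in
    */nagios-check-wrapper) main ;;
esac
```

With this in place, `check_by_ssh -H host -C check_disk` from the monitoring server runs the host's own check_disk line, while anything else (extra arguments, shell metacharacters, an unknown name) returns UNKNOWN. Because `restrict` also drops pty and forwarding, a stolen key yields nothing beyond the three allowlisted plugins.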

_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users