putting limits on check_by_ssh

Dave tdbtdb+nagios at gmail.com
Fri Nov 16 22:09:57 CET 2007


Thanks to the two Toms for their helpful responses.

On Nov 16, 2007 8:26 AM, Thomas Guyot-Sionnest <dermoth at aei.ca> wrote:
> While I use command-restricted keys for
> all passwordless auth (usually cronjobs), this is the reason why I never
> looked into check_by_ssh and use NRPE instead.

NRPE makes me a bit nervous because I suppose (without any data to
back it up) that relatively few people use it (at least compared to
ssh). What criteria did you use in making the evaluation of
check_by_ssh vs. NRPE? SSH is tempting because I don't have to install
and configure much new stuff or learn much new stuff, or at least what
I learn has broad applications. And though the configuration may be a
bit long-winded, it seems pretty clear. And I *think* I can nail it
down pretty well, so that even if my private keys on the nagios server
got compromised, nothing much bad could happen to the other hosts.


> You can also set the shell to /bin/false and set a non
> existent home directory (ex. "/nonexistent").

Doesn't the nagios user need a shell and a home dir to run the daemon?
Maybe I was just thinking that it needed a home dir to put the ssh
keys in, but they can be located anywhere. Slowly understanding
blooms.

On Nov 16, 2007 8:51 AM, Tom Throckmorton <throck at duke.edu> wrote:
> I do something similar, though also add a 'from' restriction, in the
> event the private key is compromised - here are a few examples:

Thanks for examples and suggestions, they help.

>
> I usually only allow a single command per host - on hosts which I want
> to execute multiple commands, rather than having a keypair-per-command,
> I make the command a script which sanitizes the input and checks the
> command against a list of predetermined allowed commands.

Interesting. I hadn't gotten to the details of the forced commands
part of the ssh book yet, so I didn't know about
$SSH_ORIGINAL_COMMAND. Hmmm.... Flexible, complicated. A bit harder to
be sure I haven't left any cracks.

Stuff to think about.
Dave
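The forced-command approach Tom describes (a single `command=` key per host whose script sanitizes `$SSH_ORIGINAL_COMMAND` and matches it against a list of permitted checks, with a `from=` restriction as a backstop for a leaked private key) is shown below as an added example. It is not Tom's script or any Nagios project code; the plugin paths, thresholds and the wrapper's install path are assumptions for illustration.

```shell
#!/bin/sh
# Forced-command wrapper for the monitoring key in authorized_keys.
# Example entry (one line; the public key is a placeholder, the wrapper
# path and source address are assumptions):
#   from="192.0.2.10",command="/usr/local/bin/nagios-wrapper",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa <public-key> nagios@monitor
# sshd ignores the command the client asked for, exports it as
# SSH_ORIGINAL_COMMAND and runs this wrapper instead, so nothing the client
# sends is ever handed to a shell for interpretation.

# Allow-list: a short check name maps to one fixed command line. The client
# can only pick a name; it can never supply arguments or paths of its own.
# Plugin paths and thresholds are assumed values for this example.
resolve_check() {
    case "$1" in
        check_disk)  echo "/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /" ;;
        check_load)  echo "/usr/lib/nagios/plugins/check_load -w 5,4,3 -c 10,8,6" ;;
        check_users) echo "/usr/lib/nagios/plugins/check_users -w 5 -c 10" ;;
        *)           return 1 ;;
    esac
}

# Sanitize: accept only a single bare token of [A-Za-z0-9_]. Anything else
# (spaces, ';', '|', '/', '$', quotes) is rejected before it is looked up.
is_safe_token() {
    case "$1" in
        "")               return 1 ;;
        *[!A-Za-z0-9_]*)  return 1 ;;
        *)                return 0 ;;
    esac
}

# Decide what to run for a requested command: prints the fixed command line
# and returns 0, or prints nothing and returns 1 when the request is denied.
authorize() {
    req="$1"
    is_safe_token "$req" || return 1
    resolve_check "$req"
}

# Entry point when sshd invokes this file as the forced command.
main() {
    if cmd=$(authorize "${SSH_ORIGINAL_COMMAND:-}"); then
        # The plugin's own exit status (0 OK, 1 WARNING, 2 CRITICAL,
        # 3 UNKNOWN) is returned to check_by_ssh unchanged.
        exec $cmd
    else
        # Record denied requests with the peer address so a misused key is visible in syslog.
        logger -t nagios-wrapper "denied request from ${SSH_CLIENT%% *}: ${SSH_ORIGINAL_COMMAND:-<empty>}"
        echo "UNKNOWN: command not permitted"
        exit 3
    fi
}

# Only act when running inside an ssh session (sshd sets SSH_CONNECTION);
# this lets the functions above be sourced and exercised locally.
if [ -n "${SSH_CONNECTION:-}" ]; then
    main
fi
```

With this in place the Nagios side calls `check_by_ssh -H host -C check_disk`, and a stolen key buys an attacker nothing beyond running the three fixed checks from the one permitted address; requests such as `check_disk; rm -rf /` or `/bin/sh` are refused and logged rather than executed.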

_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null