putting limits on check_by_ssh

Thomas Guyot-Sionnest dermoth at aei.ca
Sat Nov 17 00:45:08 CET 2007



On 16/11/07 04:09 PM, Dave wrote:
> Thanks to the two Toms for their helpful responses.
> 
> On Nov 16, 2007 8:26 AM, Thomas Guyot-Sionnest <dermoth at aei.ca> wrote:
>> While I use command-restricted keys for
>> all passwordless auth (usually cronjobs), this is the reason why I never
>> looked into check_by_ssh and use NRPE instead.
> 
> NRPE makes me a bit nervous because I suppose (without any data to
> back it up) that relatively few people use it (at least compared to

While many people use ssh to run passwordless remote commands, I believe
in the Nagios world there are more people using NRPE than check_by_ssh,
though I may be wrong...

NRPE should be quite secure if you don't enable argument passing and use
a strong enough password.

> ssh). What criteria did you use in making the evaluation of
> check_by_ssh vs. NRPE? SSH is tempting because I don't have to install
> and configure much new stuff or learn much new stuff, or at least what
> I learn has broad applications. And though the configuration may be a
> bit long-winded, it seems pretty clear. And I *think* I can nail it
> down pretty well, so that even if my private keys on the nagios server
> got compromised, nothing much bad could happen to the other hosts.

Even with ssh you still have to distribute the check plugins and set up
the remote keys. Also all your keys will have to be in the
authorized_keys which can be harder to manage.

With NRPE you can define a config directory where you can put various
config files depending on the server role. For example I have one for
all Linux servers, then one for web servers, one for DB, etc. When I want
to modify/add something for all servers (or a group of servers) I just
have to copy the appropriate configs and plugins and SIGHUP nrpe to get
the new config active.

>> You can also set the shell to /bin/false and set a non
>> existent home directory (ex. "/nonexistent").
> 
> Doesn't the nagios user need a shell and a home dir to run the daemon?
> Maybe I was just thinking that it needed a home dir to put the ssh
> keys in, but they can be located anywhere. Slowly understanding
> blooms.

Well, check_by_ssh will need a homedir, unless you want to apply the
keys system-wide (bad idea IMO). For the shell I'm not sure; it depends
on whether ssh passes the command to a shell (which would allow pipes and
stuff) or just runs it directly.

Thomas
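The thread above mentions command-restricted keys as the way to limit what a compromised Nagios private key can do, and is unsure whether the account needs a real shell. sshd runs a forced command through the account's login shell (`$SHELL -c ...`) and exposes the command the client actually asked for in `SSH_ORIGINAL_COMMAND`, so the nagios account does need a working shell and a home directory holding `.ssh/authorized_keys`; the restriction comes from the key options, not from the shell. The wrapper below is an added example written for this page, not code from the thread or from the Nagios project. The wrapper path, the plugin directory, the allowlist of plugin names and the permitted argument characters are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): forced-command wrapper for a
# command-restricted key used by check_by_ssh. Paths, plugin names and the
# allowed argument character set below are assumptions for illustration.
#
# Matching authorized_keys entry on the monitored host (one line, key elided):
#   command="/usr/local/bin/nagios-wrapper",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA... nagios@monitor
#
# sshd ignores the command the client requested, runs the forced command via
# the account's login shell, and puts the request in $SSH_ORIGINAL_COMMAND.

PLUGIN_DIR="${PLUGIN_DIR:-/usr/local/nagios/libexec}"   # assumed plugin location

# resolve_check REQUEST
# Maps a requested command line to a plugin invocation under $PLUGIN_DIR.
# Prints the command to run and returns 0 when the request is permitted;
# returns 1 (printing nothing) when the plugin is not on the allowlist or the
# arguments contain characters outside a conservative set (no shell
# metacharacters such as ; | & $ ` ( ) < >).
resolve_check() {
    req="$1"
    name="${req%% *}"            # first word: plugin name
    case "$req" in
        *" "*) args="${req#* }" ;;   # everything after the first space
        *)     args="" ;;
    esac

    # Allowlist: only these plugins may be run with this key.
    case "$name" in
        check_disk|check_load|check_procs|check_swap) ;;
        *) return 1 ;;
    esac

    # Reject any argument character outside letters, digits, and "_.=%/ -".
    bad=$(printf '%s' "$args" | tr -d 'A-Za-z0-9_.=%/ -')
    [ -z "$bad" ] || return 1

    if [ -n "$args" ]; then
        printf '%s/%s %s\n' "$PLUGIN_DIR" "$name" "$args"
    else
        printf '%s/%s\n' "$PLUGIN_DIR" "$name"
    fi
    return 0
}

# When invoked by sshd as the forced command, dispatch the original request.
# Nagios treats exit status 3 as UNKNOWN, so a rejected request shows up as
# such in the monitoring UI instead of silently failing.
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    if cmd=$(resolve_check "$SSH_ORIGINAL_COMMAND"); then
        # Word-split the sanitized command line into argv and exec it directly,
        # without handing it to another shell.
        set -- $cmd
        exec "$@"
    else
        echo "UNKNOWN: command not permitted by key restrictions" >&2
        exit 3
    fi
fi
```

With this in place the private key on the Nagios server can only ever run the listed plugins with plain arguments; `no-pty` and the forwarding restrictions close off interactive logins and tunnelling through the monitored host. The same wrapper can be extended per server role by editing the allowlist, which mirrors the per-role config directories described for NRPE above.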

_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users