Advanced authentication

Paul Weaver paul.weaver at bbc.co.uk
Thu Oct 30 09:35:37 CET 2008


> applications.  Once they're logged in there, we would pass their username
> over to Nagios via URL querystring or hidden form value, etc (not going for
> maximum security).  

Indeed not, anyone who wants can pretend to be anyone else. Still, if it's an 
internal intranet, and you capture the IP addresses, you can find out whodunit

> On the Nagios server we would use PHP to populate the
> REMOTE_USER Apache ENV variable with the passed username so that Nagios can
> compare that to the contacts and provide them with their applicable views.

I'm afraid you can't do that. You would set the REMOTE_USER (or any other env) 
for the scope of that PHP page ONLY.

One option would be to edit all the nagios CGIs to look for the username in 
the query string, and set the variable at the top of the CGI (in main). Or 
replace all instances of ENV.REMOTE_USER with a function which

Another option might be to execute the cgi's from a PHP page which pre-sets 
the username. You could use mod_rewrite to rewrite *.cgi to
"nagportal.php?cgi=*.cgi". 

In both cases you would have to maintain the username throughout the session. 
If you edit all the links in nagios on the fly to pass in a new username, 
(change status.cgi to status.cgi?username=bob), you would have a problem with 
people emailing links to others.

One option for this would be to use PHP's session capabilities to store the username.
You would set a cookie with the username in and read it on each call. That would
work with both the php and the editing-the-cgi way.

Both of those solutions are a fair amount of effort. 

A final solution could be using the apache module "SetEnvIf". Something like
 SetEnvIf "Cookies:.*loginname=(username);.*" REMOTE_USER=\1

But I don't think SetEnvIf will let you do that.

What you're trying to do isn't that easy, as it goes against normal authentication 
practices.

> Is it necessary to modify the Nagios/cgi config in any way to achieve what
> we're doing?

Perhaps

> Is is necessary to modify the Apache config?
Perhaps

> Is is necessary to set any other ENV variables besides REMOTE_USER?
No

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.monitoring-lists.org/archive/users/attachments/20081030/5333f03c/attachment.html>
-------------- next part --------------
-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
-------------- next part --------------
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null


More information about the Users mailing list