Is a null username possible with check_http

Jim McNamara jim at packetalk.net
Thu Jul 30 02:08:42 CEST 2009


On Wed, 2009-07-29 at 15:45 -0500, Marc Powell wrote:

> On Jul 29, 2009, at 2:09 PM, Jim McNamara wrote:
> 
> > Thanks for that help. Unfortunately it leads to some unusual  
> > results. Both authenticating from firefox on a windows host and on  
> > the CLI from the linux server show the same credentials being  
> > passed, as shown here:
> >
> > (Windows)
> > User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv: 
> > 1.9.0.12) Gecko/2009070611 Firefox/3.0.12\r\n
> > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/ 
> > *;q=0.8\r\n
> > Accept-Language: en-us,en;q=0.5\r\n
> > Accept-Encoding: gzip,deflate\r\n
> > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n
> > Keep-Alive: 300\r\n
> > Connection: keep-alive\r\n
> > Authorization: Basic OnJlYm9vdA==\r\n
> > Credentials: :reboot
> > \r\n
> >
> > (Linux)
> > GET / HTTP/1.0\r\n
> > User-Agent: check_http/v2053 (nagios-plugins 1.4.13)\r\n
> > Connection: close\r\n
> > Authorization: Basic OnJlYm9vdA==\r\n
> > Credentials: :reboot
> > \r\n
> >
> > So both agents pass the correct info to the unit, but something  
> > clearly doesn't behave well.
> 
> I agree. Both translate to the same string.
> 
> > I do see a fair amount of javascript in the windows capture after  
> > the authentication, could that be part of the issue?
> 
> No. I am presuming the javascript is being sent in response to the  
> successful auth.
> 
> > Also the "Connection: close\r\n" sent by check_http has me wondering  
> > if it is closing the stream before some of the authentication is  
> > completed?
> 
> No, that's just telling the server that it can close the connection  
> after sending the response. That response should be the HTML of the  
> page after successful auth. That's standard HTTP and they shouldn't be  
> bombing based on that.
> 
> > I have both captures from tshark and wireshark saved if seeing the  
> > full info would be any help.
> 
> Probably not. It certainly appears that this device is requiring  
> something more than just Basic authentication. It may be looking at  
> User-Agent or some other header and rejecting if it's not there or  
> something unexpected. You might try adding a -A to change the user- 
> agent to match the one above and/or one or more -k headers to see what  
> that extra bit might be. Other than that, your best source of what  
> they're really looking for is going to be the manufacturer unless they  
> happen to provide the source (yeah, right....).
> 
> --
> Marc


Thanks again Marc.

Just adding the -A modifier didn't produce any change, and I've been
trying to add -k to perfectly mimic the strings sent by firefox. The
problem is -A has no problem sending semicolons or asterisks as long as
the whole string is in quotes, but -k fails at either of those chars.
Here's some output - 

/usr/local/nagios/libexec/check_http -I 192.168.150.11 -a :reboot
-A"Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv: 1.9.0.12)
Gecko/2009070611 Firefox/3.0.12" -k"Accept: text/html,application/xhtml
+xml,application/xml;q=0.9,*/*;q=0.8\r\n" -v
GET / HTTP/1.0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:
1.9.0.12) Gecko/2009070611 Firefox/3.0.12
Connection: close
Accept: text/html,application/xhtml+xml,application/xml
q=0.9,*/*
q=0.8\r\n
Authorization: Basic OnJlYm9vdA==


http://192.168.150.11:80/ is 97 characters
STATUS: HTTP/1.0 401 Not Authorized
**** HEADER ****
WWW-Authenticate: Basic realm="iBoot"
**** CONTENT ****
<html><h2>Error</h2></html>
HTTP WARNING: HTTP/1.0 401 Not Authorized

It seems the semicolon breaks up the header, and neither backslashing nor
using single quotes in place of the quotation marks in my example made
any difference. What is the right way to get the full header sent
including special chars?

Additionally, I saw the GET command from firefox was 1.1, and GET from
check_http is 1.0. I don't know if that is a problem, but wireshark
shows a GET v1.0 as "Continuation or non-HTTP traffic". Can the get
command either be changed to 1.1 or masked to appear as if it was 1.1?

Thanks again to all.
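
Added example, not part of the original post: a short Python parser run over the check_http -v request shown above (copied inline as sample input). It flags the lines that stopped being valid header fields once the -k value was split at the semicolons, and decodes the Basic credential to show the empty username. The function names are this example's own.

```python
import base64

# Request as printed by check_http -v in the post (sample input copied from the page).
CAPTURED = (
    "GET / HTTP/1.0\r\n"
    "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv: 1.9.0.12) "
    "Gecko/2009070611 Firefox/3.0.12\r\n"
    "Connection: close\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml\r\n"
    "q=0.9,*/*\r\n"
    "q=0.8\\r\\n\r\n"          # the literal backslash-r backslash-n seen in the output
    "Authorization: Basic OnJlYm9vdA==\r\n"
    "\r\n"
)

def parse_request(raw):
    """Return (request_line, headers, malformed_lines) for a raw request head."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    request_line, headers, malformed = lines[0], {}, []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # A header field needs a non-empty name without whitespace, then a colon.
        if not sep or not name or any(c.isspace() for c in name):
            malformed.append(line)
            continue
        headers[name.lower()] = value.strip()
    return request_line, headers, malformed

def decode_basic(value):
    """Decode 'Basic <base64>' into (username, password)."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    # Base64 is an encoding, not encryption: anyone who captures it can read it.
    decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    # Split on the first colon only; the username may be empty.
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing colon separator")
    return user, password

if __name__ == "__main__":
    request_line, headers, malformed = parse_request(CAPTURED)
    print(request_line)
    print("malformed header lines:", malformed)
    print("credentials:", decode_basic(headers["authorization"]))
```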