[Nagiosplug-devel] Bug in check_by_ssh

Earl C. Ruby III earl at switchmanagement.com
Fri Nov 14 11:28:05 CET 2003


I had a test server that was being checked by Nagios using check_by_ssh. Last 
night I formatted the hard drive on the test server and re-installed the OS 
(SuSE Linux 8.2), using the same IP number as before.

Since the IP number remained the same, all of the Nagios ping tests succeed. 
Since sshd on the test server is running, check_ssh returns OK.

However, since the RSA host key on the test server is now different, all ssh 
keys have to be reset and known_hosts2 files need to be recreated -- all 
check_by_ssh checks should fail, and they do, but they fail with "warning" 
alarms, not "critical" alarms. 

If I try to ssh to the test server from the Nagios server I see the following:

nagios@nagioshost:~/bin> ssh root@192.168.1.101
3136: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
3136: @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
3136: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
3136: IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
3136: Someone could be eavesdropping on you right now (man-in-the-middle attack)!
3136: It is also possible that the RSA host key has just been changed.
3136: The fingerprint for the RSA key sent by the remote host is
0e:67:02:7b:3d:d3:23:39:d1:ff:0e:fe:e8:f0:db:6b.
3136: Please contact your system administrator.
3136: Add correct host key in /usr/local/nagios/.ssh/known_hosts to get rid of this message.
3136: Offending key in /usr/local/nagios/.ssh/known_hosts:38
3136: RSA host key for 192.168.1.101 has changed and you have requested strict checking.
3136: Host key verification failed.

In my opinion, any time the remote host identification changes check_by_ssh 
should sound a critical alarm. check_by_ssh SHOULD fail with a CRITICAL alarm 
if ssh returns anything via STDERR. If ssh itself is generating errors, that 
is a critical alarm.

In my opinion, this code in check_by_ssh.c:

        /* WARNING if output found on stderr */
        if (fgets (input_buffer, MAX_INPUT_BUFFER - 1, child_stderr)) {
                printf ("%s\n", input_buffer);
                return STATE_WARNING;
        }
        (void) fclose (child_stderr);

... should be changed to this:

        /* CRITICAL if output found on stderr */
        if (fgets (input_buffer, MAX_INPUT_BUFFER - 1, child_stderr)) {
                printf ("%s\n", input_buffer);
                return STATE_CRITICAL;
        }
        (void) fclose (child_stderr);

Also, this:

                if (!(fp = fopen (outputfile, "a"))) {
                        printf ("SSH WARNING: could not open %s\n", outputfile);
                        exit (STATE_UNKNOWN);
                }

... should be changed to this:

                if (!(fp = fopen (outputfile, "a"))) {
                        printf ("SSH CRITICAL: could not open %s\n", outputfile);
                        exit (STATE_CRITICAL);
                }

-- 
Earl C. Ruby III
Senior Systems Engineer / Developer
Switch Management
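
An added example, not part of the original post and not code from the Nagios plugins project: the quoted snippet calls fgets once, so with the ssh session shown above it would report only the "@@@" banner line. This sketch reads all of stderr, escalates to CRITICAL on the host-key messages quoted in the post, and leaves other stderr output at WARNING; the function names, the buffer size and the sample text are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
/* Standard Nagios plugin return codes; the buffer size is assumed here. */
enum { STATE_OK = 0, STATE_WARNING = 1, STATE_CRITICAL = 2, STATE_UNKNOWN = 3 };
#define MAX_INPUT_BUFFER 1024

/* Host-key failure markers, taken from the ssh output quoted in the post. */
static const char *const critical_markers[] = {
    "REMOTE HOST IDENTIFICATION HAS CHANGED", "Host key verification failed" };

/* Hypothetical helper: CRITICAL for a host-key failure line, else WARNING. */
int classify_stderr_line(const char *line) {
    size_t i, n = sizeof critical_markers / sizeof critical_markers[0];
    for (i = 0; i < n; i++)
        if (strstr(line, critical_markers[i]))
            return STATE_CRITICAL;
    return STATE_WARNING;
}

/* Hypothetical helper: read ALL of stderr, return the worst state seen, copy
 * the line that set it into msg, and close the stream on every path. */
int classify_ssh_stderr(FILE *child_stderr, char *msg, size_t len) {
    char buf[MAX_INPUT_BUFFER];
    int state = STATE_OK;
    msg[0] = '\0';
    while (fgets(buf, sizeof buf, child_stderr)) {
        int s = classify_stderr_line(buf);
        if (s > state) {                 /* keep the most severe line only */
            state = s;
            snprintf(msg, len, "%.*s", (int) strcspn(buf, "\n"), buf);
        }
    }
    (void) fclose(child_stderr);
    return state;
}

/* Constructed text in a temp file stands in for the pipe from ssh. */
int state_for_text(const char *text, char *msg, size_t len) {
    FILE *f = tmpfile();
    if (!f) return STATE_UNKNOWN;
    fputs(text, f);
    rewind(f);
    return classify_ssh_stderr(f, msg, len);
}

int main(void) {
    char msg[MAX_INPUT_BUFFER];
    int s = state_for_text("3136: @@@@\n3136: Host key verification failed.\n", msg, sizeof msg);
    printf("state=%d: %s\n", s, msg);
    return 0;
}
```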



