[Nagiosplug-devel] Restricting Nagios' SSH access (was: Re: NRPE Authentication/Authorization?? DEVS PLEASE READ)
Mike Gerber
mgerber at leitwerk.de
Tue Jan 8 21:00:27 CET 2008
* Florian Gleixner wrote:
> > Is there any chance we can have authentication added to NRPE like we do
> > with NSCA where you must have at the very least a shared secret?
> I vote for this too. check_by_ssh can be an alternative sometimes, but
> sometimes it is not desirable to have the nagios server full ssh access
> to the monitored machine.
You don't need full SSH access. You need to be able to execute the
Nagios plugins, let's say they're located in /usr/lib/nagios/plugins/:
# cat /home/nagios/.ssh/authorized_keys
command="/usr/bin/nagios-ssh-commands",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-dss AAAAA[...]Tvj6wQ== nagios at nagios-server
# cat /usr/bin/nagios-ssh-commands
#!/bin/sh
# Forced command: sshd ignores what the client asked for, runs this script
# instead and hands the requested command line over in SSH_ORIGINAL_COMMAND.
logtag=`basename $0`
# Only run it if it starts with the plugin directory and consists solely of
# characters that cannot act as shell metacharacters.
if echo "$SSH_ORIGINAL_COMMAND" | egrep -q "^/usr/lib/nagios/plugins/[a-zA-Z0-9\.:,%/_ -]+$"; then
    logger -t "$logtag" "Allowing command \"$SSH_ORIGINAL_COMMAND\""
    exec $SSH_ORIGINAL_COMMAND   # unquoted on purpose: word-splits into argv
else
    logger -t "$logtag" "ALERT: NOT allowing command \"$SSH_ORIGINAL_COMMAND\""
    echo "ALERT: NOT allowing command \"$SSH_ORIGINAL_COMMAND\""
    exit 2
fi
Cheers,
Mike
--
------------------------------------------------------------------
Mike Gerber
Management Internet/Security Development
LEITWERK GmbH http://www.leitwerk.de
Im Ettenbach 13a Fon: +49 7805 918 0
77767 Appenweier Fax: +49 7805 918 200
------------------------------------------------------------------
Legal form: limited liability company (GmbH)
Registered office: 77767 Appenweier-Urloffen
Commercial register: AG Freiburg i.Br., HRB 472015
Managing directors: Martin Foshag, Benoit Girerd
VAT ID: DE 1422 18361
------------------------------------------------------------------
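A stricter variant of the forced-command wrapper described in the message above, added here as an example and not part of the original post. Where the original regex admits "." and "/" anywhere after the directory prefix, this version confines argv[0] to a single file name directly inside the plugin directory, checks that the file exists and is executable, and rejects newlines and glob characters before the unquoted exec. The plugin directory and the wrapper's file name are assumptions carried over from the post.

```shell
#!/bin/sh
# Added example, not from the original post: a stricter forced-command
# wrapper in the same spirit. Assumed plugin location, overridable for tests.
PLUGIN_DIR=${PLUGIN_DIR:-/usr/lib/nagios/plugins}

# check_nagios_cmd COMMAND_LINE
# Returns 0 if COMMAND_LINE may be exec'd, 1 otherwise.
check_nagios_cmd() {
    cmd=$1
    # 1. Only a conservative character set, checked byte for byte with tr,
    #    so no shell metacharacters, glob characters or newlines get through
    #    and an unquoted "exec $cmd" can only ever word-split into argv.
    [ -n "$cmd" ] || return 1
    [ -z "$(printf '%s' "$cmd" | tr -d 'a-zA-Z0-9./:,%_ -')" ] || return 1
    set -- $cmd                   # split into argv exactly as exec will
    plugin=$1
    # 2. argv[0] must be a plain file name directly inside PLUGIN_DIR:
    #    absolute, no further "/" component, and neither "." nor "..".
    case $plugin in
        "$PLUGIN_DIR"/*) ;;
        *) return 1 ;;
    esac
    case ${plugin#"$PLUGIN_DIR"/} in
        ""|.|..|*/*) return 1 ;;
    esac
    # 3. The plugin must exist as an executable regular file; anything else
    #    (mistyped name, dangling symlink, data file) is refused before exec.
    if [ -f "$plugin" ] && [ -x "$plugin" ]; then
        return 0
    fi
    return 1
}

# Entry point when sshd runs this file as the forced command.
run_forced_command() {
    logtag=$(basename "$0")
    if check_nagios_cmd "$SSH_ORIGINAL_COMMAND"; then
        logger -t "$logtag" "Allowing command \"$SSH_ORIGINAL_COMMAND\""
        exec $SSH_ORIGINAL_COMMAND
    fi
    logger -t "$logtag" "ALERT: NOT allowing command \"$SSH_ORIGINAL_COMMAND\""
    echo "ALERT: NOT allowing command \"$SSH_ORIGINAL_COMMAND\"" >&2
    exit 2
}

# Act as the wrapper only when installed under the name used in
# authorized_keys; sourcing the file elsewhere just defines the functions.
case $(basename "$0") in
    nagios-ssh-commands) run_forced_command ;;
esac
```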