[Nagiosplug-devel] Restricting Nagios' SSH access (was: Re: NRPE Authentication/Authorization?? DEVS PLEASE READ)

Mike Gerber mgerber at leitwerk.de
Tue Jan 8 21:00:27 CET 2008


* Florian Gleixner schrieb:
> > Is there any chance we can have authentication added to NRPE like we do 
> > with NSCA where you must have at the very least a shared secret?
> I vote for this too. check_by_ssh can be an alternative sometimes, but 
> sometimes it is not desirable to have the nagios server full ssh access 
> to the monitored machine.

You don't need full SSH access. You need to be able to execute the
Nagios plugins, let's say they're located in /usr/lib/nagios/plugins/:

# cat /home/nagios/.ssh/authorized_keys 
command="/usr/bin/nagios-ssh-commands",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-dss AAAAA[...]Tvj6wQ== nagios at nagios-server

# cat /usr/bin/nagios-ssh-commands 
#!/bin/sh
logtag=$(basename "$0")

# Allow only an absolute path directly below the plugin directory, followed by
# arguments drawn from a conservative character class. Refuse ".." anywhere so
# that a path like /usr/lib/nagios/plugins/../../../bin/sh cannot escape the
# directory even though "." and "/" are in the class.
allowed=0
case "$SSH_ORIGINAL_COMMAND" in
  *..*) ;;
  *) printf '%s\n' "$SSH_ORIGINAL_COMMAND" \
       | grep -Eq '^/usr/lib/nagios/plugins/[a-zA-Z0-9.:,%/_ -]+$' && allowed=1 ;;
esac

if [ "$allowed" -eq 1 ]; then
  logger -t "$logtag" "Allowing command \"$SSH_ORIGINAL_COMMAND\"" 
  # Word splitting is intended: no shell is invoked, so ';', '|' and '$(...)'
  # are never interpreted, and the class above keeps glob characters out.
  exec $SSH_ORIGINAL_COMMAND
else
  logger -t "$logtag" "ALERT: NOT allowing command \"$SSH_ORIGINAL_COMMAND\"" 
  echo "ALERT: NOT allowing command \"$SSH_ORIGINAL_COMMAND\""
  exit 2
fi

Cheers,
Mike

-- 
------------------------------------------------------------------
Mike Gerber                             
Management Internet/Security Development

LEITWERK GmbH                               http://www.leitwerk.de
Im Ettenbach 13a                            Fon: +49 7805 918 0
77767 Appenweier                            Fax: +49 7805 918 200
------------------------------------------------------------------
Unternehmensform:               Gesellschaft mit beschr. Haftung
Firmensitz:                     77767 Appenweier-Urloffen
Eingetragen im Handelsregister: AG Freiburg i.Br., HRB 472015
Geschäftsführer:                Martin Foshag, Benoit Girerd
USt-IdNr.:                      DE 1422 18361
------------------------------------------------------------------
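The forced-command wrapper above filters $SSH_ORIGINAL_COMMAND with a single regular expression. The script below is an added example (not the script from the post, nor Nagios project code) that takes the same approach one step further: instead of a path regex it requires the first word to be exactly one of a fixed list of plugin basenames, refuses ".." and embedded newlines anywhere, and only then applies the post's argument character class. PLUGIN_DIR, ALLOWED_PLUGINS and the sample commands are assumptions constructed for illustration.

```shell
#!/bin/sh
# Hardened forced-command wrapper in the spirit of nagios-ssh-commands.
# Added example, not the script from the post. Assumptions: plugins live in
# PLUGIN_DIR, and only the basenames in ALLOWED_PLUGINS (hypothetical list)
# may be run; the sample commands further down are constructed.

LC_ALL=C; export LC_ALL
PLUGIN_DIR=/usr/lib/nagios/plugins
ALLOWED_PLUGINS="check_disk check_load check_procs check_swap check_users"
logtag=$(basename "$0")

# Argument character class from the post; shell metacharacters and glob
# characters are deliberately absent.
ARG_RE='^[a-zA-Z0-9.:,%/_ -]*$'

# A literal newline, used to refuse multi-line commands.
nl=$(printf '\nx'); nl=${nl%x}

# check_command CMD -> 0 if CMD may be executed, 1 otherwise. Prints nothing.
check_command() {
    cmd=$1

    # No embedded newline and no ".." anywhere (path or argument).
    case "$cmd" in
        *"$nl"*|*..*) return 1 ;;
    esac

    # Must be an absolute path directly below PLUGIN_DIR.
    case "$cmd" in
        "$PLUGIN_DIR"/*) ;;
        *) return 1 ;;
    esac

    # The first word after PLUGIN_DIR/ is the plugin basename and must equal
    # one allowlisted name exactly, so "check_disk/../x" or "check_load;id"
    # can never match.
    rest=${cmd#"$PLUGIN_DIR"/}
    plugin=${rest%% *}
    args=${rest#"$plugin"}
    case " $ALLOWED_PLUGINS " in
        *" $plugin "*) ;;
        *) return 1 ;;
    esac

    # Remaining arguments restricted to the conservative character class.
    printf '%s\n' "$args" | grep -Eq "$ARG_RE"
}

# dispatch: log and exec SSH_ORIGINAL_COMMAND, or refuse it with exit 2
# (CRITICAL from the Nagios side, so a tampered check does not go unnoticed).
dispatch() {
    if check_command "$SSH_ORIGINAL_COMMAND"; then
        logger -t "$logtag" "Allowing command \"$SSH_ORIGINAL_COMMAND\""
        # Word splitting intended: no shell is invoked and the character
        # class keeps glob characters out.
        exec $SSH_ORIGINAL_COMMAND
    else
        logger -t "$logtag" "ALERT: NOT allowing command \"$SSH_ORIGINAL_COMMAND\""
        echo "ALERT: NOT allowing command"
        exit 2
    fi
}

# Constructed sample commands (not from the post) exercising the filter.
ALLOW_DISK="$PLUGIN_DIR/check_disk -w 20% -c 10% -p /"
DENY_TRAVERSAL="$PLUGIN_DIR/../../../bin/sh"
DENY_UNLISTED="$PLUGIN_DIR/check_http -H example.com"
DENY_META="$PLUGIN_DIR/check_load;id"

# run_samples -> 0 when every sample is classified as expected.
run_samples() {
    check_command "$ALLOW_DISK"     || return 1
    check_command "$DENY_TRAVERSAL" && return 1
    check_command "$DENY_UNLISTED"  && return 1
    check_command "$DENY_META"      && return 1
    return 0
}

# Act as the forced command only when sshd invokes us under the expected name.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ] && [ "$logtag" = "nagios-ssh-commands" ]; then
    dispatch
fi
```

Installed as /usr/bin/nagios-ssh-commands and referenced from the command="..." option in authorized_keys exactly as in the post, this gives the Nagios server the ability to run the listed plugins and nothing else; adding a plugin means adding its basename to ALLOWED_PLUGINS rather than widening a regex.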