Issue in nagios HTTP authentication

Deepa
Posts: 10
Joined: Wed Apr 27, 2016 2:07 am

Issue in nagios HTTP authentication

Post by Deepa »

Hi All,
Regarding HTTP authentication, any characters followed by the correct password are also taken as the correct one. It finds the wrong password only if the password starts wrong or is wrong in the middle of the correct password.
Scenario,
correct_password = hello
case(i)
entered password - hello ------>authentication success
case(ii)
entered password - 45trhello ------>authentication fails
case(iii)
entered password - he45trllo ------>authentication fails
case(iv)
entered password - hello45tr ------>authentication success

Please look at this issue.
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: Issue in nagios HTTP authentication

Post by rkennedy »

What version of core are you running? This was a previous issue, but should be fixed now. It was how HTTP authenticates, and only checks the first so many characters for authentication.
Former Nagios Employee
Deepa
Posts: 10
Joined: Wed Apr 27, 2016 2:07 am

Re: Issue in nagios HTTP authentication

Post by Deepa »

Thanks for the immediate response. I am using Nagios Core 4.1.1. Actually, I am using HTTP authentication for some other services too, where it authenticates the full password.
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: Issue in nagios HTTP authentication

Post by rkennedy »

Can you post your Apache configuration for us to look at? Specifically nagios.cfg in /etc/httpd/conf.d/, but there may be more depending on your setup.
Former Nagios Employee
Deepa
Posts: 10
Joined: Wed Apr 27, 2016 2:07 am

Re: Issue in nagios HTTP authentication

Post by Deepa »

Yeah, sure. Please find the attached configuration file of Apache.

#nagios.conf

# SAMPLE CONFIG SNIPPETS FOR APACHE WEB SERVER
#
# This file contains examples of entries that need
# to be incorporated into your Apache web server
# configuration file. Customize the paths, etc. as
# needed to fit your system.

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

<Directory "/usr/local/nagios/sbin">
# SSLRequireSSL
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
# Order deny,allow
# Deny from all
# Allow from 127.0.0.1
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /usr/local/nagios/etc/htpasswd.users
Require valid-user
</Directory>

Alias /nagios "/usr/local/nagios/share"

<Directory "/usr/local/nagios/share">
# SSLRequireSSL
Options None
AllowOverride None
Order allow,deny
Allow from all
# Order deny,allow
# Deny from all
# Allow from 127.0.0.1
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /usr/local/nagios/etc/htpasswd.users
Require valid-user
</Directory>
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: Issue in nagios HTTP authentication

Post by rkennedy »

This looks fine, I believe the issue is how you created the password originally. It's most likely salted in a format that isn't very secure.

You should be able to recreate your htpasswd.users file by using this command -

cp /usr/local/nagios/etc/htpasswd.users /usr/local/nagios/etc/htpasswd.users.bak
htpasswd -cs /usr/local/nagios/etc/htpasswd.users nagiosadmin

Then, enter the password twice, and it will now be salted in SHA which should be a bit more secure than previously. Let us know how it goes.
Former Nagios Employee
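
Added example, not part of the thread and not Nagios or Apache project code: a shell check that reports which hash scheme each entry of an htpasswd file uses, because the scheme decides how much of the typed password is compared. Apache documents that traditional crypt() entries use only the first 8 characters of the password. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report the hash scheme of every entry
# in an Apache htpasswd file and flag schemes that weaken password checking.

# classify_hash HASH -> prints bcrypt | apr1-md5 | sha1-unsalted | des-crypt | other
classify_hash() {
    case "$1" in
        '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;        # htpasswd -B
        '$apr1$'*) echo apr1-md5 ;;                    # htpasswd -m
        '{SHA}'*) echo sha1-unsalted ;;                # htpasswd -s
        *)  # traditional crypt(3): exactly 13 characters from [./0-9A-Za-z]
            if [ "${#1}" -eq 13 ] && ! printf '%s' "$1" | grep -q '[^./0-9A-Za-z]'
            then echo des-crypt                        # htpasswd -d
            else echo other
            fi ;;
    esac
}

# audit_htpasswd FILE -> one "user<TAB>scheme<TAB>note" line per entry;
# returns 1 if any entry uses des-crypt or unsalted SHA-1, otherwise 0.
audit_htpasswd() {
    rc=0
    while IFS=: read -r user hash _rest || [ -n "$user" ]; do
        case "$user" in ''|'#'*) continue ;; esac      # skip blanks and comments
        scheme=$(classify_hash "$hash")
        case "$scheme" in
            des-crypt) note='only the first 8 password characters are checked'; rc=1 ;;
            sha1-unsalted) note='unsalted SHA-1'; rc=1 ;;
            *) note=ok ;;
        esac
        printf '%s\t%s\t%s\n' "$user" "$scheme" "$note"
    done < "$1"
    return $rc
}

# Constructed sample file; the hash strings are placeholders, not real hashes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
nagiosadmin:ab0123456789.
operator:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
viewer:$apr1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA
auditor:$2y$05$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EOF
audit_htpasswd "$sample" || echo "weak entries found: re-create them with htpasswd -B"
rm -f "$sample"
```

To check a real installation, call `audit_htpasswd` on the file named by `AuthUserFile` in the posted configuration, `/usr/local/nagios/etc/htpasswd.users`.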