(Box293) vMA vi-admin prompts for creds after cert trans

madmax442
Posts: 1
Joined: Tue Apr 05, 2016 10:24 am

(Box293) vMA vi-admin prompts for creds after cert trans

Post by madmax442 »

I am still getting prompted for a vi-admin password from the nagios user logon to: ssh vi-admin@myvmaipaddress

I need some troubleshooting steps to get past this. I need to be able to SSH to vMA without requiring credentials to get the box293_check_vmware plugin to work.

Nagios Host = Ubuntu 12.04.5 LTS, vMA = 6.0.0.0 Build 2503728

Verbose output---------------------------------------------------------------
nagios@adc-nagios:~$ ssh -v vi-admin@10.0.0.111
OpenSSH_5.9p1 Debian-5ubuntu1.8, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 10.0.0.111 [10.0.0.111] port 22.
debug1: Connection established.
debug1: identity file /home/nagios/.ssh/id_rsa type -1
debug1: identity file /home/nagios/.ssh/id_rsa-cert type -1
debug1: identity file /home/nagios/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: identity file /home/nagios/.ssh/id_dsa-cert type -1
debug1: identity file /home/nagios/.ssh/id_ecdsa type -1
debug1: identity file /home/nagios/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2
debug1: match: OpenSSH_6.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.8
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 46:ae:d8:b2:95:af:d4:d7:66:e3:b5:ea:7f:4d:6f:f6
debug1: Host '10.0.0.111' is known and matches the ECDSA host key.
debug1: Found key in /home/nagios/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received

Welcome to SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64) - Kernel \r (\l).


debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_1001' not found

debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_1001' not found

debug1: Unspecified GSS failure. Minor code may provide more information


debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_1001' not found

debug1: Next authentication method: publickey
debug1: Trying private key: /home/nagios/.ssh/id_rsa
debug1: Offering DSA public key: /home/nagios/.ssh/id_dsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Trying private key: /home/nagios/.ssh/id_ecdsa
debug1: Next authentication method: keyboard-interactive
Password:
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to 10.0.0.111 ([10.0.0.111]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Remote: Ignored authorized keys: bad ownership or modes for directory /home/vi-admin/.ssh
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Last login: Tue Apr 5 10:18:49 MDT 2016 from 10.0.0.240 on pts/0
Last login: Tue Apr 5 10:33:24 2016 from 10.0.0.240
----------------------------------------------------------------------------------------------------------------------------------

I followed these steps:
• Create the certificates to use with vMA
◦ You are creating a certificate that allows the Nagios server to establish an SSH session with the vMA without using credentials
◦ Type su nagios and press Enter (this means the following steps will be performed as the 'nagios' user, as this is what account is used when the Nagios Monitoring Engine Executes the box293_check_vmware plugin)
▪ You will now be presented with: [nagios@localhost nagios-plugins-1.5]$
▪ Type cd ~ and press Enter (puts you in the home directory of the nagios user)
▪ Type ssh-keygen -t dsa and press Enter
• Enter file in which to save the key (/home/nagios/.ssh/id_dsa):
◦ You will use the default location so press Enter
• Enter passphrase (empty for no passphrase):
◦ You will use an empty passphrase so press Enter
• Enter same passphrase again:
◦ You will use an empty passphrase so press Enter
• A randomart image is displayed, the certificate has been created
▪ Leave this SSH session open, you will use it in the next step
• Transfer certificates to the vMA
▪ The next command uses the IP Address or DNS name of the vMA (for example 192.168.1.231)
▪ Type cat ~/.ssh/id_dsa.pub | ssh vi-admin@192.168.1.231 'umask 077; cat >>~/.ssh/authorized_keys' and press Enter (all in one line)
• An authenticity message is displayed
• Are you sure you want to continue connecting (yes/no)?
◦ Type yes and press Enter
• You are prompted for the vi-admin password (for example: A Str0ng P@ssw0rd)
◦ Type the password and press Enter
• The certificate file is transferred
Last edited by madmax442 on Tue Apr 05, 2016 11:40 am, edited 2 times in total.
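
Added example, not part of the original posts: the "Remote: Ignored authorized keys: bad ownership or modes for directory /home/vi-admin/.ssh" line in the verbose output above is sshd's StrictModes check rejecting the path to authorized_keys, which is why the client falls through to the password prompt. The sketch below audits the paths that check covers; the function names are hypothetical and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU stat, as shipped on
# SLES and Ubuntu. Function names are hypothetical.

# check_path PATH UID: succeed only if PATH is owned by UID or root and is
# not writable by group or others, which is what sshd StrictModes requires.
check_path() {
    cp_path=$1
    cp_uid=$2
    if [ ! -e "$cp_path" ]; then
        echo "MISSING   $cp_path"
        return 1
    fi
    cp_mode=$(stat -c '%a' "$cp_path")
    cp_owner=$(stat -c '%u' "$cp_path")
    if [ "$cp_owner" != "$cp_uid" ] && [ "$cp_owner" != 0 ]; then
        echo "BAD OWNER $cp_path (uid $cp_owner, expected $cp_uid)"
        return 1
    fi
    # Leading 0 makes the shell read the mode as octal; 022 = group/other write.
    if [ $(( 0$cp_mode & 022 )) -ne 0 ]; then
        echo "BAD MODE  $cp_path (mode $cp_mode, try: chmod go-w)"
        return 1
    fi
    echo "OK        $cp_path (mode $cp_mode)"
}

# audit_ssh_dir HOME UID: check every path sshd inspects on the way to
# authorized_keys; return 0 only if all of them pass.
audit_ssh_dir() {
    as_home=$1
    as_uid=$2
    as_bad=0
    for as_p in "$as_home" "$as_home/.ssh" "$as_home/.ssh/authorized_keys"; do
        check_path "$as_p" "$as_uid" || as_bad=1
    done
    return "$as_bad"
}

# Usage on the vMA, as vi-admin:
#   audit_ssh_dir "$HOME" "$(id -u)"
```

The umask 077 in the transfer command only affects files that command creates, so a ~/.ssh directory that already existed keeps whatever mode it had.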
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: (Box293) vMA vi-admin prompts for creds after cert trans

Post by rkennedy »

Can you post the commands you ran so we can see the input / output of when you tried to transfer the key?

This link does a pretty good job at explaining what to do -
https://assets.nagios.com/downloads/nag ... ng_SSH.pdf
Former Nagios Employee
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: (Box293) vMA vi-admin prompts for creds after cert trans

Post by tmcdonald »

Please post a new response unless you need to edit your previous post. This makes it hard to follow the information in your original posting. The only time we prefer editing vs adding is if you would otherwise be posting multiple times in a row to provide an update - in these cases, please edit the post with an "Update:" before the new information.
Former Nagios employee