monitoring hosts using ssh - can you change default account?

[ikekim]

I have Nagios XI installed and want to monitor remote Redhat 7.x machine using SSH. Installing the agent is likely not allowed in our environment.

There is a prerequisites to generate ssh key from Nagios XI server after switching to nagios user and also create nagios account in the target host machine to be mintored and have the ssh key file copied over to the target host machine.

My issue is that our organization has a strict naming standard for user accounts being created in the target host machines which are to be monitored.
Would I be able to use user account name that I create in the target host? If yes, what do I need to change on Nagios XI server since it also seems to use it's own nagios account to communicate to the target host?

thanks/

This here below are the excerpts from the document: https://assets.nagios.com/downloads/nag ... ng_SSH.pdf
-------------------------------------------------------------------------------------------------------------------------------------------
Prerequisites
You'll need to configure SSH keys for the nagios user on your Nagios XI server before you can continue. To do this, establish a terminal
session to your Nagios XI server as root and issue the following commands:
su nagios
ssh-keygen

Before you can use the check_by_ssh plugin, you must install/configure the following on the remote Linux/Unix server you want to monitor:
● Create a nagios user
● Install Nagios plugins and/or monitoring scripts
● Install and configure the SSH daemon

[dwasswa]

Here's the check command:

check_xi_by_ssh!-C "/usr/local/nagios/libexec/check_disk /dev/md0"!-l admin

replace admin with the user account on the host to be monitored. Follow the How To Configure SSL/TLS doc replacing user nagios on remote with chosen username

[dwhitfield]

@Derick Wasswa, thanks for the command! It looks like there's a typo in the document though. It should be https://assets.nagios.com/downloads/nag ... ng_SSH.pdf (which I assume is the link the OP is using).

For clarity, as long as the user has access to execute the checks, it doesn't matter what the user name is.

[ikekim]

@Derick Wasswa,

I'm using the VM (ova) that I imported from Nagios download to work with the Nagios XI server.

When I run the command either on the Nagios XI server or host machine that has the Nagios plugins:
--------------------------------------------------------------------------------------------------------------------------
check_xi_by_ssh!-C "/usr/local/nagios/libexec/check_disk /dev/md0"!-l nagios

The result I get is:
----------------------
[root@null-0800270406a2 ~]# check_xi_by_ssh!-C "/usr/local/nagios/libexec/check_disk /dev/md0"!-l nagios
-bash: !-C: event not found

I found the document https://assets.nagios.com/downloads/nag ... s%20XI.pdf as you suggested to "Follow the How To Configure SSL/TLS doc replacing user nagios on remote with chosen username", but I see no instructions about replacing the user nagios.

Just to further explain what my issue is:
-----------------------------------------------------
1. I installed the nagios plugins on the target host to be monitored
2. I logged onto the Nagios XI server as root and switched to nagios user(I didn't create this account but was already exists) and generated the ssh key
3. I created the user account nagios on the target host
4. I copied the ssh key generated from nagios xi server under nagios user account to target host under nagios user default home directory
5. this command works without the password being required: /usr/local/nagios/libexec/check_by_ssh -H remote_ip -C uptime
6. I used the configuration wizard on Nagios XI admin GUI and added the target host to be monitored by selecting the Linux SSH Proxy option and it all worked well.

Everything worked, but now I want to use my own account name like "jsmith", but I need to know what things I need to change.
Do I just create "jsmith" account in the target host and copy over the ssh key to jsmith's home directory as I did for the nagios account in the above steps or do I need to do anything on the Nagios XI server?



thanks.
ik

[ikekim]

Sorry just to add...my logic is that Nagios XI must use the nagios user to communicate to the target host and if I create a new or different user account in the target host, how would Nagios XI server know to use that user account name?

thanks
ik

[dwasswa]

copy over the ssh key to jsmith's home directory as you did for the nagios account in the above steps

[dwhitfield]

how would Nagios XI server know to use that user account name?

Whatever username you put after the -l is what it will use. If you want to run it from the command line it will look like the following: check_by_ssh -H $HOSTADDRESS$ $ARG1$ $ARG2$, but you have to replace the ARG. You'll see the ARGS laid out if you open the service in the CCM. In check_xi_by_ssh!-C "/usr/local/nagios/libexec/check_disk /dev/md0"!-l nagios there are two arguments, separated by !. There's a command (after -C) and then then username (after -l).

[ikekim]

Thanks for your responses.
I'm new to Nagios so I'm not sure if I have accurately explained my issue..I kind of get the sense there is a disconnect between my question and the responses.

I first created "nagios" user account on the target host using the commands below and then I copied over the ssh key generated as a nagios user from the nagios xi server to the target host machine in the "nagios" home subfolder.

cd /tmp/nagios-plugins-2.1.2
./configure --with-nagios-user=nagios --with-nagios-group=nagios
make
make install

After this, I test the connection by running this command from Nagios XI server logged on as nagios user:
/usr/local/nagios/libexec/check_by_ssh -H remoteip -C uptime

This works great because I get a response without prompting for the password
Then, I go to the Nagio XI GUI and use the configuration wizard to add my target host to be monitored by SSH...this all works!

However, for the production environment I need to create a different user account other than "nagios" on the target host because this does not comply to naming rules.

So I create a different user name on the target host and install the plugin, and have the ssh key copied over, my test fails on this verification command because it prompts me for the password:
/usr/local/nagios/libexec/check_by_ssh -H remoteip -C uptime

I think the Nagios server XI configuration uses the "/usr/local/nagios/libexec/check_by_ssh" behind the GUI and because the passwordless login doesn't work I end up getting the error message " Remote command execution failed: Permission denied, please try again." in the management GUI.


thanks.

[dwhitfield]

Thank you for the clarification. It's clear now that we do, in fact, understand your issue. I think the disconnect is that there is no -l in what the wizard creates. $ARG2$ will be blank, so you need to add -l jsmith in ARG 2 in the CCM. There's no option to change the username in the wizard, but that does not mean it cannot be done. You just need to find the service the wizard created at http://YOURSERVER/nagiosxi/includes/com ... pe=service and edit it. Then, apply the configuration.

That said, you also don't appear to be using the -l even on the command line, which I'm a bit confused about.

When you test from the command line, it should look like
/usr/local/nagios/libexec/check_by_ssh -H 192.168.4.13 -C "/usr/local/nagios/libexec/check_disk /" -l jsmith

If you run /usr/local/nagios/libexec/check_by_ssh -h, you will see all of the options you can add. These are different than the options for, as in my example, check_disk, which will need to be on the ARG1 line in the quotation marks. The -C is telling check_by_ssh what remote check to run.

[ikekim]

@dwhitfield - okay, great now that we both understand the issue from the same page because I'm really struggling to get an answer.
I do need to add more details to explain and answer why my command works without specifying the user.

I followed the exact instructions in the Monitoring_Hosts_Using_SSH.pdf .
I also used the Virtual Machine Image that I downloaded and imported to Oracle VirtualBox and gives me the Nagios XI server out of the box.

The steps in the document basically makes me do "su nagios" on the XI server and generate a ssh key and then makes me log on to the target host machine and from there I create a user "nagios".
Then it makes me copy the ssh key from the XI Server(as a nagios user) over to nagios user home directory sub folder in the target host.
I believe this is why only when I run the command "/usr/local/nagios/libexec/check_by_ssh -H remoteip -C uptime" from the XI server as a "nagios" user, I don't need use the "-l nagios".
If I run this command from "root" user from XI server, I will have to use "-l nagios" and it will also prompt me for the password.

In the document, there is a section called to test "Passwordless login test".

So, my guess is that when I use the configuration wizard to add the target host and use SSH Proxy, the XI server somehow uses the its own "nagios" user context and be able to communicate to the target host using the ssh key that was copied over. Hence, no password.

Now, when I create a username on the target host other than "nagios"and using the configuration wizard I add the target host using Nagios XI server GIU.
I tried adding the parameter value that you suggested for ARG2 in the CCM, I find that this doesn't work because once I create a user on the target host it doesn't seem to be able to achieve the passwordless login. From the XI GUI service status message I get this error message "Remote command execution failed: Permission denied, please try again". So my question is how does Nagios XI server handle the password to communicate to the target host if I XI Server configuration wizard never asked me for the password to be used.

My conclusion is that based on the document steps which works well, but under the scenario where target host has "nagios" user with received copy of the ssh key from the XI server's "nagios" user.

So my issue is that I'm not allowed to user name "nagios" on our target hosts due to going against the naming policy so I need to create my own user name. So when I do this, it breaks the link between XI server and my target host machine. I did try copying over the sshkey from the XI server under "nagios" user context to my own user name account's home subdirectory, but this doesn't work. For some reason the generated sshkey only seems to be good if the user names exist and match in both the XI server and the target machine(this part doesn't seem to make sense to me but just doing lots of tests that is how it seems to work).

Okay, I hope I explained this explicitly enough and hope that there is a simple answer to this because I would find it hard to believe that Nagios would handcuff me with this.

Many thanks!

ik.