check_by_ssh setup...lock down commands to run


Post by yomiko » Thu Apr 12, 2018 4:24 pm

I need your advice on locking down the commands a user/check_by_ssh could run.

My Nagios server has check_by_ssh plugin installed. Private/public keys have been set up on the server and the client.

Right now, on the server, user1 has no login (nologin).

On the client, user1 has a login shell. It would be great to not allow login.

On the client, in /etc/security/access.conf, I added an entry to allow user1 access from the server:
+ : user1 : <serverA_IP>

From the server, I could run commands like this without any issues.

/usr/lib64/nagios/plugins/check_by_ssh -l user1 -i /home/user1/.ssh/id_rsa -H <client_IP> -C "/usr/lib64/nagios/plugins/check_uptime" -E

I'd like to restrict the commands (say for just my 5 checks) that one could run on the client's side.

I could set the restrictions in the client's authorized_keys by adding something like this (which worked):
command="/usr/lib64/nagios/plugins/check_uptime",no-pty,no-port-forwarding ssh-rsa <user1 key from serverA>

However, I will need to create a different key and add it to authorized_keys for each check.

I would also prefer not to allow a login shell on the client if there is a way to run check_by_ssh without a shell.

Any tips to share?


Re: check_by_ssh setup...lock down commands to run

Post by scottwilkerson » Fri Apr 13, 2018 2:30 pm

If you did it how you suggest, can you not use the same key for all of the checks?
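One way to use a single key for all checks and still limit what that key can run, as an added example that is not part of the thread: a forced-command wrapper on the client that checks SSH_ORIGINAL_COMMAND against an allowlist before executing it. The wrapper path and the four plugin names other than check_uptime are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical install path:
#   /usr/local/bin/nagios-ssh-wrapper
# Client-side authorized_keys entry (one key for every check):
#   command="/usr/local/bin/nagios-ssh-wrapper",no-pty,no-port-forwarding ssh-rsa <user1 key from serverA>
LC_ALL=C; export LC_ALL

PLUGIN_DIR=/usr/lib64/nagios/plugins
# Assumed list of the five permitted checks; only check_uptime is named in the thread.
ALLOWED_CHECKS="check_uptime check_load check_disk check_procs check_swap"

# is_allowed CMDLINE -> 0 if CMDLINE runs an allowlisted plugin, 1 otherwise.
# Arguments are only character-filtered; pin full command lines if you need stricter.
is_allowed() {
    cmdline=$1
    # Refuse empty input and any character outside a small safe set, so
    # ; | & $ ` ( ) < > quotes, globs and newlines never reach exec.
    case $cmdline in
        ''|*[!A-Za-z0-9_./:%,=\ -]*) return 1 ;;
    esac
    prog=${cmdline%% *}                 # first word = program path
    case $prog in
        "$PLUGIN_DIR"/*) name=${prog#"$PLUGIN_DIR"/} ;;
        *) return 1 ;;
    esac
    # name must equal an allowlisted plugin exactly; "../x" or "sub/x" cannot match.
    for ok in $ALLOWED_CHECKS; do
        [ "$name" = "$ok" ] && return 0
    done
    return 1
}

# sshd puts the command requested by check_by_ssh -C in SSH_ORIGINAL_COMMAND.
# If it is unset (interactive login attempt), the script just ends: no shell.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if is_allowed "$SSH_ORIGINAL_COMMAND"; then
        # Unquoted on purpose: plain word splitting, no eval, no second shell.
        exec $SSH_ORIGINAL_COMMAND
    fi
    logger -t nagios-ssh-wrapper -p auth.warning "denied: $SSH_ORIGINAL_COMMAND"
    echo "UNKNOWN - command not permitted by nagios-ssh-wrapper"
    exit 3   # Nagios UNKNOWN
fi
```

sshd runs a forced command through the account's login shell, so user1 still needs a working shell on the client; the wrapper is what keeps the key from being used for an interactive session or for any other command.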
