check_by_ssh setup...lock down commands to run

Posted: Thu Apr 12, 2018 4:24 pm
by yomiko
I need your advice on locking down the commands a user (or check_by_ssh) could run.

My Nagios server has check_by_ssh plugin installed. Private/public keys have been set up on the server and the client.

Right now, on the server, user1 has no login (nologin).

On the client, user1 has a login shell. It would be great to not allow login.

On the client, in /etc/security/access.conf, I added an entry to allow user1 access from the server:
+ : user1 : <serverA_IP>

From the server, I could run commands like this without any issues.

/usr/lib64/nagios/plugins/check_by_ssh -l user1 -i /home/user1/.ssh/id_rsa -H <client_IP> -C "/usr/lib64/nagios/plugins/check_uptime" -E

I'd like to restrict the commands (say for just my 5 checks) that one could run on the client's side.

I could set the restrictions in the client's authorized_keys by adding something like this (which worked):
command="/usr/lib64/nagios/plugins/check_uptime",no-pty,no-port-forwarding ssh-rsa <user1 key from serverA>

However, I would need to create a different key and add it to authorized_keys for each check.

I would also prefer not to allow a login shell on the client, if there is a way to run check_by_ssh without one.

Any tips to share?

Thanks!

Re: check_by_ssh setup...lock down commands to run

Posted: Fri Apr 13, 2018 2:30 pm
by scottwilkerson
If you did it how you suggest, can you not use the same key for all of the checks?
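One way to get what the thread is after (a single key for all checks, with the client deciding which plugins that key may run) is to point the authorized_keys `command=` option at a small wrapper instead of at one plugin. sshd puts whatever check_by_ssh asked for into SSH_ORIGINAL_COMMAND, and the wrapper only runs plugins from an allowlist. The script below is an added example, not code from the thread or from the Nagios project; the wrapper path /usr/local/bin/nagios-ssh-wrapper, the five plugin names (only check_uptime appears in the thread), and the key and IP values in the comments are assumptions.

```shell
#!/bin/sh
# Forced-command wrapper for the monitoring user on the client (example,
# assumed to be installed as /usr/local/bin/nagios-ssh-wrapper).
#
# One authorized_keys line for user1 then serves every check (constructed):
#   from="<serverA_IP>",command="/usr/local/bin/nagios-ssh-wrapper",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA... user1@serverA
#
# and the server side asks for plugins by name or full path, for example:
#   check_by_ssh -l user1 -i /home/user1/.ssh/id_rsa -H <client_IP> -E \
#       -C "check_disk -w 20% -c 10% -p /"

PLUGIN_DIR=/usr/lib64/nagios/plugins

# Map a plugin basename onto an absolute path under PLUGIN_DIR. Prints the
# path and returns 0 if the name is on the allowlist, returns 1 otherwise.
# The five names stand in for the poster's five checks (assumed).
resolve_check() {
    case "$1" in
        check_uptime|check_load|check_disk|check_users|check_procs)
            printf '%s/%s\n' "$PLUGIN_DIR" "$1" ;;
        *) return 1 ;;
    esac
}

# Accept one argument token only if it is made of characters that check_*
# options need (letters, digits, - _ . / % : =). Quotes, ; | & $ and
# backticks are rejected, so nothing in a request can reach a shell.
arg_ok() {
    case "$1" in
        ''|*[!A-Za-z0-9_./%:=-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Validate a raw SSH_ORIGINAL_COMMAND string. On success prints the resolved
# plugin path followed by each argument on its own line; on any problem
# prints nothing and returns 1. The request is only ever word-split, never
# eval'ed, and globbing is disabled while splitting.
validate_request() {
    set -f
    # shellcheck disable=SC2086
    set -- $1
    set +f
    [ $# -ge 1 ] || return 1
    plugin=$(resolve_check "${1##*/}") || return 1
    # A request that carries a path must name the real plugin location;
    # /tmp/check_uptime or a ../ walk to another binary is refused.
    case "$1" in
        */*) [ "$1" = "$plugin" ] || return 1 ;;
    esac
    shift
    for tok in "$@"; do
        arg_ok "$tok" || return 1
    done
    printf '%s\n' "$plugin" "$@"
}

# Entry point used by sshd: validate, log rejections to syslog, then replace
# this process with the plugin so its exit code reaches check_by_ssh.
# An empty request (a login with no command) lands in the rejection branch.
main() {
    resolved=$(validate_request "$1") || {
        logger -t nagios-ssh-wrapper "rejected '$1' from ${SSH_CLIENT%% *}" 2>/dev/null
        echo "UNKNOWN: command not permitted by wrapper"
        exit 3   # Nagios UNKNOWN
    }
    old_ifs=$IFS
    IFS='
'
    set -f
    # shellcheck disable=SC2086
    set -- $resolved
    set +f
    IFS=$old_ifs
    exec "$@"
}

# Dispatch only when invoked under the installed name by sshd; sourcing the
# file elsewhere (for instance to test the functions) does nothing.
case "${0##*/}" in
    nagios-ssh-wrapper) main "${SSH_ORIGINAL_COMMAND:-}" ;;
esac
```

sshd runs a forced command through the account's login shell (`shell -c command`), so user1 still needs a real shell such as /bin/sh on the client; with `command=` and `no-pty` that shell never becomes interactive, and a session that requests no command is refused by the wrapper. Setting the shell to nologin would break check_by_ssh rather than harden it. The `from=` option limits the key to the monitoring server's address, which complements the access.conf entry, and on OpenSSH 7.2 or newer the single `restrict` option can replace the list of `no-*` options.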