check_by_ssh with RSA and Centrify Express

[gregg_hughes_ISC]

Good afternoon, all!

I've been wrestling with check_by_ssh for a couple of days now. The problem is that I can make a successful SSH connection to the target server as the target user (targetuser@remoteserver), but if I use the -l option on check_by_ssl, I still trigger the PAM module that requires an RSA passcode.

It would seem that the check_by_ssh would call SSH the same way that a command line would, but it seems that's not the case. NRPE is not a candidate for installation on the remote hosts.

Can anyone enlighten me on how check_by_ssh calls the ssh client and makes a connection to the remote server?

Thanks to any and all for looking!

Gregg

[rkennedy]

but if I use the -l option on check_by_ssl

Do you mean the -l flag on the check_by_ssh command?

When I run the check_by_ssh command with -l, it's using the username specified. Once I installed the SSH key, it stopped asking for the password. Did you setup a SSH key for access rather than password authentication?

Can you provide a screenshot to show an example of what you're seeing?

[gregg_hughes_ISC]

Code: Select all

nagios@nagios-server:~$ /usr/lib/nagios/plugins/check_by_ssh -H 192.168.XXX.YYY -l remoteuser -C /home/remoteuser/bin/check_uptime
Remote command execution failed: ====================WARNING!===WARNING!====================
nagios@nagios-server:~$

Is the command I'm running to test the check_by_ssh plugin. Now, when I SSH as the user I get in fine and can run the command from the remote command line:

Code: Select all

nagios@nagios-server:~$ ssh [email protected]
====================WARNING!===WARNING!====================
This system is the property of MyCompany.

Only authorized users and administrators may access this
system. Any access and/or activity on this system may be
monitored, recorded and is subject to audit. Unauthorized
use of the system is prohibited and subject to criminal and
civil penalties. Use of the system indicates consent to
monitoring and recording.

Please contact support@XXXX (dot) com with any
questions about this system.

===========================================================
Last login: Tue Dec 15 11:19:10 2015 from 192.168.XXX.YYY
[remoteuser@remote-server ~]$ cd /home/remoteuser/bin/check_uptime
-bash: cd: /home/remoteuser/bin/check_uptime: Not a directory
[remoteuser@remote-server ~]$ cd /home/remoteuser/bin/
[remoteuser@remote-server bin]$ ./check_uptime
OK - uptime is 139 Days, 6 Hours, 04 Minutes

And that works. AFAICS, this means that the check_by_ssh should work precisely the same as the straight SSH session. But that fails.

Let me know what you think about this.

Thanks!

Gregg

[gregg_hughes_ISC]

Since the SSH works directly without a password, the key is correctly situated and rights are good.

[rkennedy]

Uptime is easy enough, as it can be executed without a script. I think the issue might be without the quotes though. Can you try running the following commands and post the result?

Code: Select all

/usr/lib/nagios/plugins/check_by_ssh -H 192.168.XXX.YYY -l remoteuser -C '/home/remoteuser/bin/check_uptime'
/usr/lib/nagios/plugins/check_by_ssh -H 192.168.XXX.YYY -l remoteuser -C 'uptime'

[gregg_hughes_ISC]

Good morning!
Apologies for not getting back to you; another project (basket of rattlesnakes) got put on my plate.

Here is the response from the test:

Code: Select all

nagios@nagios-server:~$ /usr/lib/nagios/plugins/check_by_ssh -H 192.168.999.85 -l remoteuser -C '/home/nagiosremote/bin/check_uptime'
Remote command execution failed: ====================WARNING!===WARNING!====================
nagios@nagios-server:~$ /usr/lib/nagios/plugins/check_by_ssh -H 192.168.999.85 -l remoteuser -C uptime
Remote command execution failed: ====================WARNING!===WARNING!====================
nagios@nagios-server:~$ /usr/lib/nagios/plugins/check_by_ssh -H 192.168.999.85 -l remoteuser -C 'uptime'
Remote command execution failed: ====================WARNING!===WARNING!====================

I suspect an authentication issue on the remote server is at the root of this. I'm going to do some more SSH testing this afternoon to see if I can trace where the process is failing.

Thanks!

[rkennedy]

Can you check the auth.log to see if the login is working properly?

Let us know what you find.

[Box293]

Also try -v for verbosity

Code: Select all

/usr/lib/nagios/plugins/check_by_ssh -v -H 192.168.999.85 -l remoteuser -C '/home/nagiosremote/bin/check_uptime'