Check by SSH - Host Key Verification Failed.

[sheen.lim]

Hello Nagios Community,

I am testing a check_by_ssh program. I tried to test the command below and have good result.
sheenlim08@Server1:/etc/nagios3/conf.d$
/usr/lib/nagios/plugins/check_by_ssh -H /usr/lib/nagios/plugins/check_by_ssh -H 192.168.114.149 -C "/usr/lib/nagios/plugins/check_ssh -H localhost" -l sheenlim08 -i /home/sheenlim08/.ssh/nag_id_rsa
SSH OK - OpenSSH_7.2p2 Ubuntu-4ubuntu2.1 (protocol 2.0) | time=0.006329s;;;0.000000;10.000000


I then created a custom command /etc/nagios-plugins/config/ssh_check_disk.cfg and defined it below.
define command {
command_name ssh_check_disk
command_line /usr/lib/nagios/plugins/check_by_ssh -H '$HOSTADDRESS$' -C "/usr/lib/nagios/plugins/check_disk -w '$ARG1$' -c '$ARG2$' -e -p '$ARG3$'" -l sheenlim08 -i /home/sheenlim08/.ssh/nag_id_rsa

I then defined the service that will refer to the 'ssh_check_disk' command in my monitoring configuration file for that server.
define service {
use generic-service
host_name H:PH-CDO-Server2
service_description SSH-Check Disk Status
check_command ssh_check_disk!20%!10%!/dev/mapper/ubuntuServer--vg-root
}

Then restarted the nagios service 'sudo invoke-rc.d reload'
However, I get a Host key verification failed. message on the dashboard.


All I could think of is that it is related to the private key not being able to be retrieve when its time nagios calls it, but its there
Any ideas?

[bolson]

Thanks to eloyd from a previous topic for this:

The simple answer to your problem is that the host key for the remote machine does not match what your local SSH client thinks it should be when you SSH to the remote host.

Really, the only way this can happen is if you have an old host key, incorrect host key, or if you are using a different host name. So that leads me to this:

When nagios is SSHing to the remote host, is it doing it by name or IP? I'm guessing it's by IP. IP != name, and that's where your problem is stemming from. Try ssh <remote.ip.address> and see if you can create the hostkey, then see if Nagios's ssh works.

[sheen.lim]

Hi Bolson,

I don't understand, I used all IP address on all my connection.

The nag_id_rsa.pub value is exported to the target server (server to be monitored), and I can even see it from the target servers' /home/sheenlim08/.ssh/authorized_keys. What I had in mind is that maybe the nagios service is being run by a different account other than my own (which is sheenlim08), and since I exported the public key using my own account I can test it just fine under the context of my account. When the nagios service begin to do query the command from the monitoring template I created, maybe it cannot find the private key that was associated with the nag_id_rsa.pub when it was created.

How can I make sure that the nagios service can access the private key is located in the /home/sheenlim08/.ssh/nag_rsa_id ?

[bolson]

I believe that is your problem. The nagios service is run by the user nagios. For this reason, you need to configure the ssh keys for the nagios user. This document details the procedure. Let me know if you need additional information.

https://assets.nagios.com/downloads/nag ... ng_SSH.pdf

[sheen.lim]

bolson,

I thought it was a permission issue, so I dig a little deeper. Below is the permissions for the file.


I changed the group permission for sheenlim08 to have read and execute access to the nag_id_rsa file.


Then I added the nagios user to the sheenlim08 group.


Looks good right?..My thought were the same but It's still giving me error message "Remote command execution failed: Host key verification failed. " in the Services Dashboard.

[sheen.lim]

bolson,

So I want to try this again but this time, I want to issue a certificate under the nagios user. However If I issue the command "su nagios" it is asking for a password. The only account that I remember creating during the nagios installation is the nagiosadmin, so I don't know that the password for this account it.



Any ideas?

[bolson]

Yes, Run this command to reset the password:

Code: Select all

passwd nagios

Enter your desired password twice and you're good to go.

[sheen.lim]

Hi Brian,

I was able to reset the password to nagios but I cannot switch to it. So i used the sudo -u, not sure if it makes any difference. I could not write to the /etc/nagios3 directory so I used the default path for the nagios account.



Then I copied and renamed the private key from /var/lib/nagios/.ssh/id_rsa to /etc/nagios3/nag_id_rsa to align with my current configuration.


Then I tried to import the .pub certificate to Server2 but it seems its not accepting it. I can assure that the nagios account on the Server2 has the same password with the nagios account in Server1 (which is Nagios), but that should not matter since that is the purpose of the certificate. I tried using 'sudo -u', 'sudo', and just regularly calling the ssh-copy-id but its not exporting the certificate. I can login to server 2 and the /var/lib/nagios/.ssh/authorized_keys is blank. /home/nagios/ is not existing.

[bolson]

Are you using a how-to or a tutorial to configure ssl for Nagios Core? If so, which one?

[sheen.lim]

Brian,

I am following the link that you game me in the past.
https://assets.nagios.com/downloads/nag ... 1502152938


But "su - nagios" doest let me login, so I had to improvise as shown in the screenshot on the last posts.