VMware Wizard stores ESXi passwords in plain text file ?

[sac1472]

Hi,
we are adding monitoring for ESXI hosts using nagiosxi VMware wizard. i have configured that successfully & it's working fine. but now, our security Team raised flag against us as Esxi passwords are stored in plain text format which are used by check_esx3.pl plugin .
can you give us any solution to store encrypted Esxi password & also,that must be accepted by check_esx3.pl plugin ?

Or any other plugin for esxi monitoring which may stores ESXi passwords in encrypted format.

Thanks in advance

[kyang]

Here is something I found from a previous forum thread.

Let's say we did encrypt that resource.cfg file and everything in it was gibberish to even the root user. Nagios would still need to decrypt that file in order to read its contents, which means you need a password to decrypt it. That password has to be stored in plain-text in order for Nagios to use it. If you store that password in a file then encrypt that file... you see where this is going.

This was related to the resource.cfg file, but I'm sure it applies to all files that store passwords.

You would still need to decrypt the file that stores the ESXi username and password, since I don't think the plugin can decrypt the file and then use the credentials from it to run the check.

[mcapra]

Alternatively, the VMWare SDK docs seem to indicate a session file could be created instead of passing a password each time:
http://pubs.vmware.com/vsphere-6-5/inde ... o.3.4.html

That might be preferable in this case. Unfortunately I don't have an ESXi environment to play around with. It looks like check_vmware_api support session files (I imagine check_esx3.pl also supports them).

[kyang]

Thanks @mcapra!

@sac1472, take a look at mcapra's suggestion and let us know!

[sac1472]

i have tested both plugins check_vmware_api.pl & check_esx3.pl both of them asking for user & password while i am passing session file in command.

can you retest at your end ? let me know results..
or
give me any other way to achieve my requirement.

[kyang]

Hmm it's strange. I tried it with a session file and this is what I got.

Same as you.

Code: Select all

[root@localhost libexec]# ./check_esx3.pl -D 192.168.x.xx -S /tmp/session/ -l "vmfs"
ESX3 CRITICAL - Provide either Password/Username or Auth file

[root@localhost libexec]# ./check_esx3.pl -D 192.168.x.x -f /tmp/authfile -l "vmfs"
ESX3 OK - storages : ESX Volume 1=26246190.96 MB (86.44%), ESX Volume 2=

I'm still looking into this.

[sac1472]

can we have any updates on this thread?

[lmiltchev]

OK, try the following:

1. Backup your original plugin:

Code: Select all

cd /usr/local/nagios/libexec
mv check_esx3.pl check_esx3.pl.orig

2. Download the latest version of the plugin below:

check_esx3.zip

unzip it, and copy the check_esx3.pl to /usr/local/nagios/libexec directory. Make sure the permissions match the ones of the original file.

3. Open the plugin in a text editor, i.e. vi and comment out line 625, so it is going to look like this:

Code: Select all

# Opts::set_option("sessionfile", undef);

4. Test the plugin:

Code: Select all

/usr/local/nagios/libexec/check_esx3.pl -D <host> -S <path to the session file> -l "vmfs"

Let us know if this helped.

[sac1472]

Sorry for very delayed response.
That adjustment working fine. so, please close this topic.

very very thanks to @ lmiltchev