I need your advice on locking down the commands a user (or check_by_ssh) could run.
My Nagios server has check_by_ssh plugin installed. Private/public keys have been set up on the server and the client.
Right now, on the server, user1 has no login (nologin).
On the client, user1 has a login shell. It would be great to not allow login.
On the client, in /etc/security/access.conf, I added an entry to allow user1 access from the server:
+ : user1 : <serverA_IP>
From the server, I could run commands like this without any issues.
/usr/lib64/nagios/plugins/check_by_ssh -l user1 -i /home/user1/.ssh/id_rsa -H <client_IP> -C "/usr/lib64/nagios/plugins/check_uptime" -E
I'd like to restrict the commands (say for just my 5 checks) that one could run on the client's side.
I could set the restrictions on the client's authorized_keys by adding something like this (which worked):
command="/usr/lib64/nagios/plugins/check_uptime",no-pty,no-port-forwarding ssh-rsa <user1 key from serverA>
However, I would need to create a different key and add it to authorized_keys for each check.
I would also prefer not to allow login shell on the client if there is a way to run check_by_ssh without a shell.
Any tips to share?
Thanks!
check_by_ssh setup...lock down commands to run
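The usual way to cover several checks with a single key is to make the authorized_keys `command=` option point at a small wrapper script rather than at one plugin. sshd then ignores whatever command check_by_ssh asked for, runs the wrapper, and hands the requested command line to it in the SSH_ORIGINAL_COMMAND environment variable; the wrapper decides whether to run it. One caveat that bears on the "no login shell" wish: sshd executes a forced command through the account's login shell (`$SHELL -c ...`), so user1 needs a real shell on the client, and it is the forced command that keeps that shell from being useful for anything else. The wrapper below is an added example, not the poster's setup or a Nagios-supplied tool; the install path /usr/local/bin/nagios-wrapper and the list of five plugin paths are assumptions to adjust.

```shell
#!/bin/sh
# Forced-command wrapper for the Nagios monitoring account on the CLIENT
# (added example; install path is an assumption). Referenced from one
# authorized_keys line on the client, e.g.:
#
#   command="/usr/local/bin/nagios-wrapper",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa <user1 key from serverA>
#
# With that in place, "check_by_ssh ... -C '/usr/lib64/nagios/plugins/check_uptime'"
# arrives here as SSH_ORIGINAL_COMMAND and is only executed if allow_check accepts it.

# Absolute paths of the plugins user1 may invoke; replace with your five checks.
ALLOWED_PLUGINS="
/usr/lib64/nagios/plugins/check_uptime
/usr/lib64/nagios/plugins/check_load
/usr/lib64/nagios/plugins/check_disk
/usr/lib64/nagios/plugins/check_procs
/usr/lib64/nagios/plugins/check_users
"

# allow_check CMDLINE
# Returns 0 when CMDLINE is a plain invocation of an allowed plugin, 1 otherwise.
allow_check() {
    cmdline=$1

    # Empty request: nothing to run.
    [ -z "$cmdline" ] && return 1

    # An embedded newline would let a second command line ride along; refuse it.
    case $cmdline in
        *"
"*) return 1 ;;
    esac

    # Character allowlist: plugin paths, option flags and simple values only.
    # Anything else (; & | < > $ ` quotes, globs, ...) is rejected outright.
    printf '%s' "$cmdline" | grep -q '[^A-Za-z0-9_./ =%,:-]' && return 1

    # The first word must be one of the allowed absolute plugin paths.
    plugin=${cmdline%% *}
    for p in $ALLOWED_PLUGINS; do
        [ "$plugin" = "$p" ] && return 0
    done
    return 1
}

# Dispatch only when sshd invoked us as a forced command; when the file is
# sourced or run by hand without SSH_ORIGINAL_COMMAND, nothing is executed.
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    if allow_check "$SSH_ORIGINAL_COMMAND"; then
        set -f                       # no globbing while the words are split
        # shellcheck disable=SC2086  # intentional word splitting into argv
        exec $SSH_ORIGINAL_COMMAND
    fi
    # Log the refusal on the client and report UNKNOWN (exit 3) back to Nagios.
    logger -t nagios-wrapper "rejected command from ${SSH_CLIENT%% *}: $SSH_ORIGINAL_COMMAND"
    echo "UNKNOWN: command not permitted by nagios-wrapper" >&2
    exit 3
fi
```

Because the decision is made by plugin path rather than by the full argument string, the same key serves every check and thresholds such as `-w 10% -c 5%` can change on the server without touching the client. Rejections exit with status 3, so a misconfigured or tampered command shows up as UNKNOWN in Nagios instead of silently failing. If you also want the key usable only from the Nagios server, sshd's `from="<serverA_IP>"` option can be added to the same authorized_keys line alongside `command=`, which duplicates the access.conf rule at the key level.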
- DevOps Engineer
- Posts: 19396
- Joined: Tue Nov 15, 2011 3:11 pm
- Location: Nagios Enterprises
Re: check_by_ssh setup...lock down commands to run
If you did it how you suggest, can you not use the same key for all of the checks?