check_by_ssh setup...lock down commands to run

yomiko

check_by_ssh setup...lock down commands to run

Post by yomiko »

I need your advice on locking down the commands a user (or check_by_ssh) could run.

My Nagios server has check_by_ssh plugin installed. Private/public keys have been set up on the server and the client.

Right now, on the server, user1 has no login (nologin).

On the client, user1 has a login shell. It would be great to not allow login.

On the client, in /etc/security/access.conf, I added an entry to allow user1 access from the server:
+ : user1 : <serverA_IP>

From the server, I could run commands like this without any issues.

/usr/lib64/nagios/plugins/check_by_ssh -l user1 -i /home/user1/.ssh/id_rsa -H <client_IP> -C "/usr/lib64/nagios/plugins/check_uptime" -E

I'd like to restrict the commands (say for just my 5 checks) that one could run on the client's side.

I could set the restrictions on the client's authorized_keys by adding something like (which worked)
command="/usr/lib64/nagios/plugins/check_uptime",no-pty,no-port-forwarding ssh-rsa <user1 key from serverA>

However, I will need to create a different key and add it to authorized_keys for each check.

I would also prefer not to allow login shell on the client if there is a way to run check_by_ssh without a shell.

Any tips to share?

Thanks!
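The usual way to get one key for all checks is a single forced command that dispatches on what the server asked for. sshd puts the string passed with -C into SSH_ORIGINAL_COMMAND and runs the command= target instead; the wrapper matches that string against a fixed list and refuses anything else. The script below is an added example for this thread, not code from the poster or from the Nagios project. The install path /usr/local/bin/nagios-wrapper.sh and the four check names other than check_uptime (with their arguments) are assumptions for illustration. Note that the account must keep a real login shell: sshd runs the forced command through the user's shell with -c, so nologin would block the wrapper as well; the command= entry plus restrict is what prevents an interactive session.

```shell
#!/bin/sh
# nagios-wrapper.sh: forced-command dispatcher for the monitoring account.
# Added example for this thread, not the poster's or Nagios' own code.
# Install on the client as /usr/local/bin/nagios-wrapper.sh (assumed path)
# and reference it from ONE authorized_keys entry:
#
#   command="/usr/local/bin/nagios-wrapper.sh",restrict ssh-rsa AAAA... user1@serverA
#
# ("restrict" implies no-pty, no-port-forwarding, no-agent-forwarding and
# no-X11-forwarding; on OpenSSH older than 7.2 spell those out instead.)
# sshd places whatever the server requested in SSH_ORIGINAL_COMMAND, so the
# server side now asks for a short name rather than a path:
#   check_by_ssh -l user1 -i /home/user1/.ssh/id_rsa -H <client_IP> -C check_uptime
set -u

PLUGINS=/usr/lib64/nagios/plugins

# Map a short check name to a fixed command line. Only exact names match;
# anything else (extra arguments, ';', full paths, globs) falls through and
# is rejected, so the server can never choose the arguments. The names other
# than check_uptime and their thresholds are assumptions for illustration.
check_argv() {
    case "$1" in
        check_uptime) echo "$PLUGINS/check_uptime" ;;
        check_load)   echo "$PLUGINS/check_load -w 5,4,3 -c 10,8,6" ;;
        check_disk)   echo "$PLUGINS/check_disk -w 20% -c 10% -p /" ;;
        check_swap)   echo "$PLUGINS/check_swap -w 20% -c 10%" ;;
        check_procs)  echo "$PLUGINS/check_procs -w 250 -c 400" ;;
        *)            return 1 ;;
    esac
}

# Refuse with a Nagios UNKNOWN (exit 3) so the server sees a clear state,
# and leave an audit trail in syslog for every request not on the list.
reject() {
    logger -t nagios-wrapper -p auth.warning "rejected command from ${SSH_CLIENT:-?}: $1"
    echo "UNKNOWN: command not permitted"
    exit 3
}

main() {
    requested=${SSH_ORIGINAL_COMMAND:-}
    # An empty command means someone tried a plain "ssh user1@client".
    [ -n "$requested" ] || reject "(interactive login attempt)"
    cmd=$(check_argv "$requested") || reject "$requested"
    # Split the allowlisted literal (our own text, never the caller's) into argv.
    set -- $cmd
    exec "$@"
}

# Dispatch only when executed as the installed wrapper (sshd runs it by path);
# sourcing this file elsewhere just defines the functions for testing.
case "$0" in
    */nagios-wrapper.sh) main ;;
esac
```

With this in place every check uses the same key, and adding a sixth check means adding one case branch on the client rather than a new key pair. Because the match is on the exact name, a request such as "check_disk -p /etc" or "check_uptime; id" is rejected and logged.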
scottwilkerson
DevOps Engineer

Re: check_by_ssh setup...lock down commands to run

Post by scottwilkerson »

If you did it how you suggest, can you not use the same key for all of the checks?