Setting up SSH monitoring for HP-UX machines

[sneha.irali]

Hi Team,

We have to setup the SSH based monitoring for HP-UX servers, while I try to just do a normal SSH its returning me below error:

[root@uswesrha03 ~]# ssh [email protected]
Connection closed by 10.87.94.25 port 22

When I do a normal putty session to this HP-UX with nagios user it works but the SSH from Nagios Server wont work. What can be the issue here.

We collected the debug data (ssh –vvv), the connection fails at the same point:

debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: ecdh-sha2-nistp256 need=32 dh_need=32
debug1: kex: ecdh-sha2-nistp256 need=32 dh_need=32
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
Connection closed by 10.87.94.24 port 22

Nagios Server OS - RHEL 8

[kfanselow]

Hi sneha.irali,

The normal ssh client installed on the system should be they system default as installed by RedHat. With that being said there are a couple of things you can check. First thing to do would be to get the banner from the HP server using telnet and search to see if there are any known bugs:

Code: Select all

 telnet 10.87.94.24  22 

Second you might want to try using version 1 ( e.g. ssh -1 [email protected] ). Third you can turn up the LogLevel on the server and see if you can get any more information from there. Also it probably would also be a good idea to check and see if there are any ICMP filters between, or on, the nagios server and the target device -- I see some people reporting MTU issues associated with some of the ssh error messages you observed. This is usually due to ICMP type 3 code 4 (destination host unreachable - frag needed DF bit set) messages being blocked along the path between endpoints.

Thanks and Best Regards,
Keith

[sneha.irali]

I did some research and found that by using SSH Cipher the SSH works, also only the FQDN works.

However I wan to understand how will i perform the below step which is on the Nagios Doc:

For check_by_ssh to work you must now copy the public key file of the nagios user on the Nagios XI
server to the authorized_keys file for the nagios user on the remote Linux/Unix server. Continuing with the
terminal session from the previous step execute the following command:
ssh-copy-id -i ~/.ssh/id_rsa.pub nagios@remoteip

SSH Output:
[root@uswesrha03 ~]# ssh -c aes128-ctr [email protected]
The authenticity of host 'usweshpu01.lna.us.grpleg.com (10.87.94.24)' can't be established.
ECDSA key fingerprint is SHA256:4AFDJFjUlSJlhnRp52AgiUB0dkC/7koFEVsu7zHDMi4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'usweshpu01.lna.us.grpleg.com' (ECDSA) to the list of known hosts.
Password:
Last successful login for nagios: Thu Dec 9 01:12:31 EST5EDT 2021
Last unsuccessful login for nagios: NEVER
Last login: Thu Dec 9 01:12:44 2021 from 10.87.94.242
usweshpu :: /home/nagios =>

[kfanselow]

Hi sneha.irali,

Excellent find on the cipher flag. You should be able to use the -o option with ssh-copy-id as well as with our check_by_ssh plugin.

So after you generate the keys as described on page two of that document (appended below for convenience sake) you will want to run the ssh-copy-id command with the "-o Ciphers=aes128-ctr" argument.

Code: Select all

 ssh-copy-id  -o Ciphers=aes128-ctr  -i ~/.ssh/id_rsa.pub nagios@remoteip 

The link to the document for reference sake:
https://assets.nagios.com/downloads/nag ... ng_SSH.pdf

as well as the man page for check_by_ssh:
https://nagios-plugins.org/doc/man/check_by_ssh.html

Thanks and Best Regards,
Keith

[sneha.irali]

thanks its working now..!!

[kfanselow]

Hi sneha.irali,

Excellent -- we're glad to hear you were able to get it working !!! We'll lock out the thread.

Thanks and Best Regards,
Keith