nagios and ubuntu ssh authentication

Support forum for Nagios Core, Nagios Plugins, NCPA, NRPE, NSCA, NDOUtils and more. Engage with the community of users including those using the open source solutions.
Post Reply
BrusterThemand
Posts: 5
Joined: Thu Jun 30, 2022 7:53 am

nagios and ubuntu ssh authentication

Post by BrusterThemand »

I have a nagios server that must check 2 other jboss server. I have a script that check size of folder.

I have in nagios 2 rules that check some folder in this jboss server by "check_by_ssh" command of nagios

If I execute command from shell as nagios user I have answer from both jboss server

./check_by_ssh -H server1 -t 60 -l nagios -C "/opt/jboss/scripts/check_file_size_mizar.sh --maxwarn 80000000 --maxcrit 150000000 /opt/jboss/domain/servers//log/ /opt/jboss/domain/log/*" -E

./check_by_ssh -H server2 -t 60 -l nagios -C "/opt/jboss/scripts/check_file_size_mizar.sh --maxwarn 80000000 --maxcrit 150000000 /opt/jboss/domain/servers//log/ /opt/jboss/domain/log/*" -E

but when nagios execute the same command, server1 return the correct result, server2 return

(Return code of 255 is out of bounds : UNKNOWN - check_by_ssh: Remote command '/opt/jboss/scripts/check_file_size.sh --maxwarn 80000000 --maxcrit 150000000 /opt/jboss/domain/servers/*/log/* /opt/jboss/domain/log/*' returned status 255))
I think the problem was in ssh authentication.

I checked both server user nagios .ssh folder permission and content

I debug ssh demon in both jboss server and I have this result

SERVER1:/etc/ssh$ sudo /usr/sbin/sshd -d
debug1: sshd version OpenSSH_5.9p1 Debian-5ubuntu1
debug1: read PEM private key done: type RSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: private host key: #1 type 2 DSA
debug1: read PEM private key done: type ECDSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.ECDSA-256
debug1: Checking blacklist file /etc/ssh/blacklist.ECDSA-256
debug1: private host key: #2 type 3 ECDSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
Set /proc/self/oom_score_adj from 0 to -1000
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from SERVERIP port 44578


debug1: Client protocol version 2.0; client software version OpenSSH_5.9p1 Debian-5ubuntu1
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1
debug1: permanently_set_uid: 105/65534 [preauth]
debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: client->server aes128-ctr hmac-md5 none [preauth]
debug1: kex: server->client aes128-ctr hmac-md5 none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]

debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user nagios service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: PAM: initializing for "nagios"
debug1: PAM: setting PAM_RHOST to "domain.x.y"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user nagios service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: test whether pkalg/pkblob are acceptable [preauth]
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: temporarily_use_uid: 1002/1002 (e=0/0)
debug1: trying public key file /home/nagios/.ssh/authorized_keys
debug1: fd 7 clearing O_NONBLOCK
debug1: matching key found: file /home/nagios/.ssh/authorized_keys, line 1
Found matching RSA key: ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ
debug1: restore_uid: 0/0
Postponed publickey for nagios from SERVERIP port 44578 ssh2 [preauth]
debug1: userauth-request for user nagios service ssh-connection method publickey [preauth]
debug1: attempt 2 failures 0 [preauth]
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: temporarily_use_uid: 1002/1002 (e=0/0)
debug1: trying public key file /home/nagios/.ssh/authorized_keys
debug1: fd 7 clearing O_NONBLOCK
debug1: matching key found: file /home/nagios/.ssh/authorized_keys, line 1
Found matching RSA key: ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ
debug1: restore_uid: 0/0
debug1: ssh_rsa_verify: signature correct
debug1: do_pam_account: called
Accepted publickey for nagios from SERVERIP port 44578 ssh2
debug1: monitor_read_log: child log fd closed
debug1: monitor_child_preauth: nagios has been authenticated by privileged process
debug1: temporarily_use_uid: 1002/1002 (e=0/0)
debug1: ssh_gssapi_storecreds: Not a GSSAPI mechanism
debug1: restore_uid: 0/0
debug1: PAM: establishing credentials
User child is on pid 4485
debug1: SELinux support disabled
debug1: PAM: establishing credentials
debug1: permanently_set_uid: 1002/1002
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 2097152 max 32768
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_global_request: rtype no-more-sessions@openssh.com want_reply 0
debug1: server_input_channel_req: channel 0 request env reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req env
debug1: server_input_channel_req: channel 0 request env reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req env
debug1: server_input_channel_req: channel 0 request exec reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req exec
debug1: Received SIGCHLD.
debug1: session_by_pid: pid 4486
debug1: session_exit_message: session 0 channel 0 pid 4486
debug1: session_exit_message: release channel 0
Received disconnect from SERVERIP: 11: disconnected by user
debug1: do_cleanup
debug1: do_cleanup
debug1: PAM: cleanup
debug1: PAM: closing session
debug1: PAM: deleting credentials
and

SERVER2:/etc/ssh$ sudo /usr/sbin/sshd -d
debug1: sshd version OpenSSH_5.9p1 Debian-5ubuntu1.4
debug1: read PEM private key done: type RSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: private host key: #1 type 2 DSA
debug1: read PEM private key done: type ECDSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.ECDSA-256
debug1: Checking blacklist file /etc/ssh/blacklist.ECDSA-256
debug1: private host key: #2 type 3 ECDSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
Set /proc/self/oom_score_adj from 0 to -1000
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from SERVERIP port 49791


debug1: Client protocol version 2.0; client software version OpenSSH_5.9p1 Debian-5ubuntu1
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.4
debug1: permanently_set_uid: 105/65534 [preauth]
debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: client->server aes128-ctr hmac-md5 none [preauth]
debug1: kex: server->client aes128-ctr hmac-md5 none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]

Connection closed by SERVERIP [preauth]
debug1: do_cleanup [preauth]
debug1: do_cleanup
You can see that in server 2 authentication process don't works when nagios execute command, but if I execute command from nagios server shell from user nagios both server respond.

For the servers2 there is a difference between the two types of calls (from nagios server shell and nagios daemon process).

Where is the problem echatspin echatrandom, where I must check?

Thanks in advance
Last edited by BrusterThemand on Mon Oct 17, 2022 7:01 am, edited 1 time in total.
LansoirThemos
Posts: 4
Joined: Tue Jul 26, 2022 3:25 am

Re: nagios and ubuntu ssh authentication

Post by LansoirThemos »

First of all, you need to make sure you copied your ssh keys with the ssh-copy-id command (not scping them). Second of all, make sure that time is in sync across all of the servers. Third, when you say you "execute command from nagios server shell" do you mean the actual full command that nagios is trying to execute, or an emulated version omegle via the developerbook chatrandom raw ssh command?
Post Reply