Re: Check_by_ssh issue

Posted: Thu Sep 15, 2016 1:43 am
by MarMottE
Please find below the two sshd_config files.

Remote Server

PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes



##################################
Nagios server

PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords yes

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

Thanks
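
An added example, not part of the original posts or of the Nagios documentation: a small parser that compares the two posted configs the way sshd reads them (commented lines ignored, first value for a keyword wins, global section ends at the first Match) and flags authentication settings worth reviewing. The sample inputs are abridged from the configs above; the function names and the RISKY list are assumptions made for this illustration.

```python
# Added example: compare two sshd_config files and flag weak auth settings.
# REMOTE/NAGIOS are abridged from the configs posted in this thread.
REMOTE = """\
PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
#PasswordAuthentication yes
UsePAM yes
"""
# In the posted files the Nagios server copy differs only on this line.
NAGIOS = REMOTE.replace("PermitEmptyPasswords no", "PermitEmptyPasswords yes")

# Assumed review list (not from the thread): keyword -> value to flag.
RISKY = {"permitemptypasswords": "yes", "hostbasedauthentication": "yes",
         "ignorerhosts": "no", "pubkeyauthentication": "no"}

def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out options leave the built-in default
        parts = line.split(None, 1)
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":
            break  # lines after Match are conditional overrides
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)  # sshd keeps the first value it reads
    return settings

def diff_settings(a, b):
    """Keywords whose value differs; None means the file does not set it."""
    keys = sorted(set(a) | set(b))
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}

def risky_settings(settings):
    """Keywords from RISKY that are explicitly set to the flagged value."""
    return sorted(k for k, bad in RISKY.items()
                  if settings.get(k, "").lower() == bad)

if __name__ == "__main__":
    remote, nagios = parse_sshd_config(REMOTE), parse_sshd_config(NAGIOS)
    print("differences (remote, nagios):", diff_settings(remote, nagios))
    print("review on nagios server:", risky_settings(nagios))
```

On a live host, `sshd -T` prints the effective configuration including defaults, which is the authoritative source for the values this parser only reads from the file.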

Re: Check_by_ssh issue

Posted: Thu Sep 15, 2016 11:49 am
by tgriep
Try replacing the sshd_config on the remote server with the following.

#       $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server

This config is from a working server that I am checking with the check_by_ssh command.

Re: Check_by_ssh issue

Posted: Fri Sep 16, 2016 8:16 am
by MarMottE
No, it's the same: the check goes down when I'm closing the session (console or ssh).

Re: Check_by_ssh issue

Posted: Fri Sep 16, 2016 10:38 am
by tgriep
There has to be something wrong with the keys and we are not getting any errors.
It looks like the keys can encrypt the data over an existing connection but it will not initiate a new connection.
I suggest deleting all of the keys and configurations on both the Nagios server and the remote server and trying it again.
https://assets.nagios.com/downloads/nag ... ng_SSH.pdf

Re: Check_by_ssh issue

Posted: Fri Sep 16, 2016 10:44 am
by rkennedy
Just to make sure - after making changes did you restart the sshd services?

As @tgriep mentioned, I would delete what exists and follow through our documentation once more as this is really strange and we have not seen this in the past.

Re: Check_by_ssh issue

Posted: Tue Sep 20, 2016 9:13 am
by MarMottE
rkennedy wrote: Just to make sure - after making changes did you restart the sshd services?

As @tgriep mentioned, I would delete what exists and follow through our documentation once more as this is really strange and we have not seen this in the past.

Yes, the service was restarted after the change.

I will try to delete the SSH key and reconfigure it.

Re: Check_by_ssh issue

Posted: Tue Sep 20, 2016 1:24 pm
by rkennedy
Let us know how it goes!

Re: Check_by_ssh issue

Posted: Wed Sep 21, 2016 1:57 am
by MarMottE
Hello,

I have bad news: it's the same.

I have created a new SSH key and put it on my remote server. The SSH connection and the check are working, but when I'm closing the SSH connection on my Nagios server the check goes down ...

My new SSH key on the Nagios server:

-rw------- 1 nagios nagios 668 Sep 21 08:43 test_id_dsa
-rw-r--r-- 1 nagios nagios 609 Sep 21 08:43 test_id_dsa.pub

Re: Check_by_ssh issue

Posted: Wed Sep 21, 2016 11:09 am
by rkennedy
What are the permissions of the folder?

ls -al /home/
ls -al /home/nagios/
ls -al /home/nagios/.ssh

Also, are all of your service checks failing that are over SSH or are you just attempting to use the check_disk one? I'm wondering if the problem is under check_disk specifically as there seems to be a bug on the Ubuntu forums with something similar. https://bugs.launchpad.net/ubuntu/+sour ... ug/1516451

Re: Check_by_ssh issue

Posted: Thu Sep 22, 2016 12:42 am
by MarMottE
rkennedy wrote: What are the permissions of folder?

ls -al /home/
ls -al /home/nagios/
ls -al /home/nagios/.ssh

Also, are all of your service checks failing that are over SSH or are you just attempting to use the check_disk one? I'm wondering if the problem is under check_disk specifically as there seems to be a bug on the Ubuntu forums with something similar. https://bugs.launchpad.net/ubuntu/+sour ... ug/1516451

The rights on the folder are the same as before; I have just added a new SSH public key on my remote server.

And created a new one in the same directory as the id_dsa. It's not a problem of permissions, because when I'm connected to my Nagios server all checks are up and WHEN I'm closing this session, only check_by_ssh goes down.