Issue in nagios HTTP authentication

Posted: Wed Jun 08, 2016 12:23 am
by Deepa
Hi All,
Regarding HTTP authentication, any characters followed by the correct password is also taken as the correct one. It finds the wrong password only if the password starts wrong or in the middle of the correct password.
Scenario,
correct_password = hello
case(i)
entered password - hello ------>authentication success
case(ii)
entered password - 45trhello ------>authentication fails
case(iii)
entered password - he45trllo ------>authentication fails
case(iv)
entered password - hello45tr ------>authentication success

Please look at this issue.

Re: Issue in nagios HTTP authentication

Posted: Wed Jun 08, 2016 9:13 am
by rkennedy
What version of core are you running? This was a previous issue, but should be fixed now. It was how HTTP authenticates, and only checks the first so many characters for authentication.

Re: Issue in nagios HTTP authentication

Posted: Tue Jun 14, 2016 12:30 am
by Deepa
Thanks for the immediate response. I am using Nagios Core 4.1.1. Actually, I am using HTTP authentication for some other services too, where it authenticates the full password.

Re: Issue in nagios HTTP authentication

Posted: Tue Jun 14, 2016 9:24 am
by rkennedy
Can you post your apache configuration for us to look at? Specifically nagios.cfg in /etc/httpd/conf.d/, but there may be more depending on your setup.

Re: Issue in nagios HTTP authentication

Posted: Tue Jun 14, 2016 9:56 am
by Deepa
Yeah, sure. Please find the attached configuration file of Apache.

#nagios.conf

# SAMPLE CONFIG SNIPPETS FOR APACHE WEB SERVER
#
# This file contains examples of entries that need
# to be incorporated into your Apache web server
# configuration file. Customize the paths, etc. as
# needed to fit your system.

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

<Directory "/usr/local/nagios/sbin">
# SSLRequireSSL
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
# Order deny,allow
# Deny from all
# Allow from 127.0.0.1
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /usr/local/nagios/etc/htpasswd.users
Require valid-user
</Directory>

Alias /nagios "/usr/local/nagios/share"

<Directory "/usr/local/nagios/share">
# SSLRequireSSL
Options None
AllowOverride None
Order allow,deny
Allow from all
# Order deny,allow
# Deny from all
# Allow from 127.0.0.1
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /usr/local/nagios/etc/htpasswd.users
Require valid-user
</Directory>

Re: Issue in nagios HTTP authentication

Posted: Tue Jun 14, 2016 12:22 pm
by rkennedy
This looks fine, I believe the issue is how you created the password originally. It's most likely salted in a format that isn't very secure.

You should be able to recreate your htpasswd.users file by using this command -

cp /usr/local/nagios/etc/htpasswd.users /usr/local/nagios/etc/htpasswd.users.bak
htpasswd -cs /usr/local/nagios/etc/htpasswd.users nagiosadmin
Then, enter the password twice, and it will now be salted in SHA, which should be a bit more secure than previously. Let us know how it goes.
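
Added example, not part of the thread and not Nagios or Apache code: a Python audit that classifies each entry of an htpasswd file by its stored hash format, using the formats Apache documents for these files. Traditional crypt() entries use only the first 8 characters of the password, and `{SHA}` entries are a Base64-encoded SHA-1 digest with no salt. The function names and the sample file contents are constructed for illustration.

```python
import base64
import hashlib
import re

# (scheme, pattern, only first 8 password characters used, salted),
# following the formats Apache documents for htpasswd files.
SCHEMES = [
    ("bcrypt", re.compile(r"\$2[abxy]?\$\d\d\$[./A-Za-z0-9]{53}"), False, True),
    ("apr1-md5", re.compile(r"\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}"), False, True),
    ("sha1", re.compile(r"\{SHA\}[A-Za-z0-9+/]{27}="), False, False),
    ("des-crypt", re.compile(r"[./A-Za-z0-9]{13}"), True, True),
]


def classify(stored):
    """Return (scheme, truncates_at_8, salted) for one stored hash field."""
    for name, pattern, truncates, salted in SCHEMES:
        if pattern.fullmatch(stored):
            return name, truncates, salted
    return "unknown", None, None


def audit(htpasswd_text):
    """Return (user, scheme, truncates_at_8, salted) for every entry."""
    rows = []
    for line in htpasswd_text.splitlines():
        line = line.strip()
        # Skip blank lines, comments and lines without a user:hash pair.
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":")[:2]
        rows.append((user, *classify(stored)))
    return rows


# Constructed sample file: the des-crypt, apr1 and bcrypt values only have the
# right shape; the {SHA} value is built the way `htpasswd -s` stores it.
SAMPLE = "\n".join([
    "olduser:ab" + "C" * 11,
    "md5user:$apr1$" + "s" * 8 + "$" + "D" * 22,
    "shauser:{SHA}" + base64.b64encode(hashlib.sha1(b"hello").digest()).decode(),
    "newuser:$2y$05$" + "E" * 53,
])

if __name__ == "__main__":
    for user, scheme, truncates, salted in audit(SAMPLE):
        print(f"{user:8} {scheme:10} truncates_at_8={truncates} salted={salted}")
```

Any entry reported as des-crypt will accept extra characters after the eighth; entries reported as unknown need manual review.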