VMware Wizard stores ESXi passwords in plain text file ?
Posted: Wed Nov 15, 2017 4:24 am
by sac1472
Hi,
We are adding monitoring for ESXi hosts using the Nagios XI VMware wizard. I have configured that successfully and it's working fine. But now our security team has raised a flag against us, as the ESXi passwords used by the check_esx3.pl plugin are stored in plain text.
Can you give us any solution to store an encrypted ESXi password that will also be accepted by the check_esx3.pl plugin?
Or any other plugin for ESXi monitoring which may store ESXi passwords in encrypted format?
Thanks in advance.
Re: VMware Wizard stores ESXi passwords in plain text file ?
Posted: Wed Nov 15, 2017 4:15 pm
by kyang
Here is something I found from a previous forum thread.
Let's say we did encrypt that resource.cfg file and everything in it was gibberish to even the root user. Nagios would still need to decrypt that file in order to read its contents, which means you need a password to decrypt it. That password has to be stored in plain-text in order for Nagios to use it. If you store that password in a file then encrypt that file... you see where this is going.
This was related to the resource.cfg file, but I'm sure it applies to all files that store passwords.
You would still need to decrypt the file that stores the ESXi username and password, since I don't think the plugin can decrypt the file and then use the credentials from it to run the check.
Re: VMware Wizard stores ESXi passwords in plain text file ?
Posted: Thu Nov 16, 2017 7:56 am
by mcapra
Alternatively, the VMware SDK docs seem to indicate a session file could be created instead of passing a password each time:
http://pubs.vmware.com/vsphere-6-5/inde ... o.3.4.html
That might be preferable in this case. Unfortunately I don't have an ESXi environment to play around with. It looks like check_vmware_api supports session files (I imagine check_esx3.pl also supports them).
Re: VMware Wizard stores ESXi passwords in plain text file ?
Posted: Thu Nov 16, 2017 10:05 am
by kyang
Thanks @mcapra!
@sac1472, take a look at mcapra's suggestion and let us know!
Re: VMware Wizard stores ESXi passwords in plain text file ?
Posted: Tue Nov 21, 2017 8:01 am
by sac1472
I have tested both plugins, check_vmware_api.pl and check_esx3.pl; both of them ask for a user and password while I am passing a session file in the command.
Can you retest at your end? Let me know the results, or give me any other way to achieve my requirement.
Re: VMware Wizard stores ESXi passwords in plain text file ?
Posted: Tue Nov 21, 2017 2:52 pm
by kyang
Hmm it's strange. I tried it with a session file and this is what I got.
Same as you.
Code:
[root@localhost libexec]# ./check_esx3.pl -D 192.168.x.xx -S /tmp/session/ -l "vmfs"
ESX3 CRITICAL - Provide either Password/Username or Auth file
[root@localhost libexec]# ./check_esx3.pl -D 192.168.x.x -f /tmp/authfile -l "vmfs"
ESX3 OK - storages : ESX Volume 1=26246190.96 MB (86.44%), ESX Volume 2=
I'm still looking into this.
Re: VMware Wizard stores ESXi passwords in plain text file ?
Posted: Thu Nov 23, 2017 2:39 am
by sac1472
Can we have any updates on this thread?
Re: VMware Wizard stores ESXi passwords in plain text file ?
Posted: Mon Nov 27, 2017 3:54 pm
by lmiltchev
OK, try the following:
1. Back up your original plugin:
Code:
cd /usr/local/nagios/libexec
mv check_esx3.pl check_esx3.pl.orig
2. Download the latest version of the plugin below:
check_esx3.zip
Unzip it, and copy check_esx3.pl to the /usr/local/nagios/libexec directory. Make sure the permissions match those of the original file.
3. Open the plugin in a text editor, e.g. vi, and comment out line 625, so it is going to look like this:
Code:
# Opts::set_option("sessionfile", undef);
4. Test the plugin:
Code:
/usr/local/nagios/libexec/check_esx3.pl -D <host> -S <path to the session file> -l "vmfs"
Let us know if this helped.
Re: VMware Wizard stores ESXi passwords in plain text file ?
Posted: Wed Mar 28, 2018 7:39 am
by sac1472
Sorry for the very delayed response.
That adjustment is working fine, so please close this topic.
Many thanks to @lmiltchev.
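
Added example, not written by any poster in this thread and not part of check_esx3.pl or Nagios XI: the auth file passed with -f and the session file passed with -S both have to stay readable by the plugin, so the control that remains is who else on the host can read them. The script below audits the ownership and mode of such files; the function name, the script name and the expected-owner argument (for example a dedicated nagios account) are assumptions, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example, not part of check_esx3.pl or Nagios XI. Assumes GNU stat (Linux).
# Usage: sh audit_secrets.sh OWNER FILE...   (script name is hypothetical)

# audit_secret_file PATH OWNER
# Returns 0 if PATH is a regular file accessible only by OWNER, 1 otherwise.
audit_secret_file() {
    path=$1; want=$2; rc=0
    # A symlink could redirect the plugin to a file another account controls.
    if [ -L "$path" ]; then echo "FAIL $path: symlink"; return 1; fi
    if [ ! -f "$path" ]; then echo "FAIL $path: not a regular file"; return 1; fi
    mode=$(stat -c '%a' "$path") || return 1
    owner=$(stat -c '%U' "$path") || return 1
    # Any group/other bit lets accounts other than the owner reach the secret.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL $path: mode $mode grants group/other access (want 600 or 400)"
        rc=1
    fi
    if [ "$owner" != "$want" ]; then
        echo "FAIL $path: owned by $owner, expected $want"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK   $path: $owner $mode"
    return "$rc"
}

# When called with an owner and one or more files, audit each of them and
# exit non-zero if any file fails.
if [ "$#" -ge 2 ]; then
    expected=$1; shift; status=0
    for f in "$@"; do
        audit_secret_file "$f" "$expected" || status=1
    done
    exit "$status"
fi
```

Run it from cron or as a passive check so that a credential or session file that becomes readable by other accounts is reported.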