Problem resetting default Nagios passwords - mysql

[MonitorGuy]

Nagios XI
Clean installed 5.7.1
Upgraded to 5.7.4
RHEL 7.8
mariadb

Ran into problem attempting to change the default Nagios passwords: https://assets.nagios.com/downloads/nag ... ios-XI.pdf

mysql -u root -p
<entered password>

use mysql;
set password for 'ndoutils'@localhost= 'NewPassword';
ERROR 1372 (HY000): Password hash should be a 41-digit hexadecimal number

Appears to be a mysql bug?

Searched here to see if anyone else has encountered, and what the solution might be, found nothing.

Got the root password reset, and files updated, restarted Nagios, seems OK, maybe that's as far as we can go until there's a fix?

Thanks,

Craig

[dchurch]

What does the following mysql statement produce?

Code: Select all

select password('test345');

On my system (no errors), it producesd a long hash:

Code: Select all

+-------------------------------------------+
| password('test345')                       |
|-------------------------------------------|
| *3EA172720F0E883F98B75474EC2DEF9F0913DDA6 |
+-------------------------------------------+
1 row in set

In some cases if the server is configured to use a different password mechanism, it can produce a different result.

[MonitorGuy]

Since the problem happened on our pre-prod server, it's being restored back to before the 5.7.4 upgrade and attempted password changes, I'll attempt there once completed.

Here is the result from our staging server:

MariaDB [mysql]> select password('test345');
+-------------------------------------------+
| password('test345') |
+-------------------------------------------+
| *3EA172720F0E883F98B75474EC2DEF9F0913DDA6 |
+-------------------------------------------+
1 row in set (0.00 sec)

So how does this help change the default passwords?

Thanks

[dchurch]

Can you try this command to set the password:

Code: Select all

set password for 'ndoutils'@localhost= password('NewPassword');

If that doesn't work, did you make any changes to /etc/my.cnf or /etc/mysql/*? Perhaps a package was installed that did that.

[MonitorGuy]

I believe I found the root cause from searching logs, I found this:

sysstat.log:. <p><pre>SQL Error [ndoutils] : Table 'nagios.nagios_conninfo' doesn't exist</pre></p>
sysstat.log:. <p><pre>SQL Error [ndoutils] : Table 'nagios.nagios_conninfo' doesn't exist</pre></p>
sysstat.log:. <p><pre>SQL Error [ndoutils] : Table 'nagios.nagios_conninfo' doesn't exist</pre></p>
sysstat.log:. <p><pre>SQL Error [ndoutils] : Table 'nagios.nagios_conninfo' doesn't exist</pre></p>

From what I can tell, ndoutils was not installed when 5.7.1 was used to build this instance... Questions: 1) why is it missing? 2) what is it?

Also, the nagios user password expired about the same time and caused all kinds of havoc. Not sure why this user wasn't set to never expire, but I'm pretty sure it wasn't changed after Nagios installation.

Found the nagios user fix here under "Check Nagios User Account": https://support.nagios.com/kb/article.php?id=9

Also, I've been told the nagios user doesn't have a password, and with the latest cyber security issues in the news, I'm being asked to tighten down the hatches.

Question: will setting a password on the nagios user break anything?

Sorry for the late response,

Thanks!

Craig

[dchurch]

sysstat.log:. <p><pre>SQL Error [ndoutils] : Table 'nagios.nagios_conninfo' doesn't exist</pre></p>
Questions: 1) why is it missing? 2) what is it?

This table doesn't seem to exist in the database created in the current iteration of the software. Even the custom VMWare image we built doesn't have it. I asked around and the developers seem to think it's a bug. It's unknown what effect (if any) this is having on the stability of your system, but with any luck it'll be fixed in the next release.

Also, the nagios user password expired about the same time and caused all kinds of havoc.

That's strange. You can use the "chage" command to set password expirations.

Code: Select all

chage nagios

Also, I've been told the nagios user doesn't have a password, and with the latest cyber security issues in the news, I'm being asked to tighten down the hatches. Question: will setting a password on the nagios user break anything?

If you mean on the Linux user account, then no probably not.
If you mean on the MySQL user, then yes. This must match the database configuration file in /usr/local/nagiosxi/html/config.inc.php. If they agree, it should work.

By default, SSH will not allow users without a password to log in, so the brute-forcing of the password via SSH only becomes possible if you set a password. If you're going to set a password, it would be a bad idea to set the password to the default database password of "n@gweb."

What you could do instead (or in addition to setting a strong password) is disable logins from the "nagios" user account. It would effectively disable SSH access as well as TTY access, but would still let sudo -u nagios MY_CMD work provided /etc/sudoers allowed it:

Code: Select all

chsh -s /bin/nologin nagios

Why leave a window where a wall would suffice?

That technique for disabling logins for that account may be implemented in the future by default.

[MonitorGuy]

Thanks for the quick response, during my research on ndoutils I concluded it was used in prior releases (since my staging instance was installed prior to 5.7.x and has ndoutils installed) but when I came across a how to install ndoutils document, it created some doubts. I considered reinstalling Nagios in staging to keep it closer to Production, but maybe a future update will remove ndoutils, so I'll hold off. Since all of my instances have to go through a proxy, it's a challenge to get Nagios installed and working without errors/failures, so grabbing a VM snapshot prior has been a lifesaver!

I'll run the nagios user info past my Linux SA...

Have a great holiday!

Craig

[ssax]

If you receive this when setting the password:

Password hash should be a 41-digit hexadecimal number

That means you need to wrap the password with the password function:

Without:

Code: Select all

set password for 'ndoutils'@localhost= 'NewPassword';
ERROR 1372 (HY000): Password hash should be a 41-digit hexadecimal number

With:

Code: Select all

set password for 'ndoutils'@localhost= password('NewPassword');

Currently if you're running XI 5.7+ and you have issues with the new NDO3 we sometimes have you downgrade your NDO3 back to NDO2DB. Is your staging server running XI 5.7? If it is and you're running NDO2DB on there that's likely because we had you downgrade NDO3 back to NDO2DB on that system in order to resolve an issue.

Please PM me a copy of your profile from that server so I can see if it's been downgraded.

Here is what I use to fix the nagios account:

Verify with:

Code: Select all

chage -l nagios

Solution:

Code: Select all

passwd nagios # Set it to anything, the next command removes it
passwd -d nagios
chage -I -1 -m 0 -M 99999 -E -1 nagios

[MonitorGuy]

Thanks, I believe the error on our production server was because the ndoutils user didn't exist, not installed there. Our Staging server was build prior to 5.7.x so it has ndoutils installed, so a fresh install using 5.7.5 should get us back in sync.

[ssax]

ok, thanks for the update, let us know if you run into any further issues.