[Nagiosplug-devel] check_by_ssh fails with new servers

Gerhard Lausser Gerhard.Lausser at consol.de
Tue Apr 18 09:55:01 CEST 2006


Hi,

If you use check_by_ssh and the host key of the server has changed, your
/etc/ssh/ssh_known_hosts is poorly maintained, or you never made a
successful connection to this server, then you will get the following:

qqnagio at lt0073:~> check_by_ssh -H siapp11 -C 'nrpe/libexec/check_dummy 0'
The authenticity of host 'siapp11 (160.50.85.56)' can't be established.
RSA key fingerprint is de:84:1b:35:81:a7:11:5b:f7:45:d9:eb:62:e0:b1:dc.
Are you sure you want to continue connecting (yes/no)? 

The service will time out and a warning will be issued. If you generate your
configuration automatically, so that new hosts can appear at any time, you
would have to execute ssh manually and answer with yes.
It will then work until the host is reinstalled or its host key changes
for some other reason.

You can suppress this question if you set StrictHostKeyChecking to no,
either in your /etc/ssh/ssh_config or by giving this option to ssh. I made
a patch for check_by_ssh.c which adds the possibility to call ssh with such
an option.

qqnagio at lt0073:~> check_by_ssh -H siapp11 -o 'StrictHostKeyChecking =no' -C
'nrpe/libexec/check_dummy 0' 
Warning: Permanently added 'siapp11' (RSA) to the list of known hosts.

Unfortunately you get this warning if you call the patched check_by_ssh for
the first time. To prevent this I also added a '-q' option, which tells ssh
to suppress warning and diagnostic messages.

qqnagio at lt0073:~> check_by_ssh -H siapp11 -o 'StrictHostKeyChecking =no' -q
-C 'nrpe/libexec/check_dummy 0' 
OK

Now check_by_ssh no longer cares about inconsistencies in your known_hosts
files. Keep in mind that this makes you vulnerable to trojan horse attacks.
Do not give secret information to the -a parameter.

Greetings from Munich,
Gerhard
-------------- next part --------------
A non-text attachment was scrubbed...
Name: check_by_ssh.c-extraoptions.patch
Type: application/octet-stream
Size: 992 bytes
Desc: not available
URL: <https://www.monitoring-plugins.org/archive/devel/attachments/20060418/e6bf0364/attachment.obj>
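
An alternative to disabling the check for automatically generated hosts, as an added example that is not part of the original post or the plugin's code: audit known_hosts before the checks are scheduled, comparing each stored key with a fingerprint obtained out of band (assumed here to come from a provisioning inventory). The function names, the hosts siapp12 and siapp13, and the key blobs are constructed for illustration.

```python
import base64
import hashlib
import hmac

def md5_fingerprint(key_b64):
    """Colon-separated MD5 of the raw key blob, the format in the ssh prompt."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def host_matches(field, host):
    """Match a known_hosts host field: comma list or hashed |1|salt|hash."""
    if field.startswith("|1|"):
        _, _, salt, digest = field.split("|")
        mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1)
        return hmac.compare_digest(mac.digest(), base64.b64decode(digest))
    return host in field.split(",")  # wildcard patterns are not handled here

def audit(known_hosts_text, expected):
    """Map each expected host to 'ok', 'mismatch' or 'missing'."""
    result = {}
    for host, want in expected.items():
        status = "missing"
        for line in known_hosts_text.splitlines():
            fields = line.split()
            # Skip blanks, comments and @cert-authority/@revoked marker lines.
            if len(fields) < 3 or fields[0][0] in "#@":
                continue
            if host_matches(fields[0], host):
                if md5_fingerprint(fields[2]) == want.lower():
                    status = "ok"
                    break
                status = "mismatch"
        result[host] = status
    return result

def demo():
    # Constructed sample: placeholder key blobs, not real host keys.
    # siapp12 and siapp13 are hypothetical hosts added for illustration.
    key_a = base64.b64encode(b"constructed key A").decode()
    key_b = base64.b64encode(b"constructed key B").decode()
    known = f"siapp11,160.50.85.56 ssh-rsa {key_a}\nsiapp12 ssh-rsa {key_b}\n"
    want = md5_fingerprint(key_a)  # stands in for an out-of-band fingerprint
    return audit(known, {"siapp11": want, "siapp12": want, "siapp13": want})

if __name__ == "__main__":
    for host, status in demo().items():
        print(f"{host}: {status}")
```

Hosts reported as missing or mismatch are the ones that would hang at the yes/no prompt or be silently accepted with StrictHostKeyChecking=no, so they can be fixed or investigated before the service check is enabled.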