[Nagiosplug-devel] Restricting Nagios' SSH access (was: Re: NRPE Authentication/Authorization?? DEVS PLEASE READ)

Mike Gerber mgerber at leitwerk.de
Tue Jan 8 21:00:27 CET 2008

* Florian Gleixner schrieb:
> > Is there any chance we can have authentication added to NRPE like we do 
> > with NSCA where you must have at the very least a shared secret?
> I vote for this too. check_by_ssh can be an alternative sometimes, but 
> sometimes it is not desireable to have the nagios server full ssh access 
> to the monitored machine.

You don't need full SSH access. You need to be able to execute the
Nagios plugins, let's say they're located in /usr/lib/nagios/plugins/:

# cat /home/nagios/.ssh/authorized_keys 
command="/usr/bin/nagios-ssh-commands",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-dss AAAAA[...]Tvj6wQ== nagios at nagios-server

# cat /usr/bin/nagios-ssh-commands 
logtag=`basename $0`

if echo "$SSH_ORIGINAL_COMMAND" | egrep -q "^/usr/lib/nagios/plugins/[a-zA-Z0-9\.:,%/_ -]+$"; then
  logger -t "$logtag" "Allowing command \"$SSH_ORIGINAL_COMMAND\"" 
  logger -t "$logtag" "ALERT: NOT allowing command \"$SSH_ORIGINAL_COMMAND\"" 
  echo "ALERT: NOT allowing command \"$SSH_ORIGINAL_COMMAND\""
  exit 2


Mike Gerber                             
Management Internet/Security Development

LEITWERK GmbH                               http://www.leitwerk.de
Im Ettenbach 13a                            Fon: +49 7805 918 0
77767 Appenweier                            Fax: +49 7805 918 200
Unternehmensform:               Gesellschaft mit beschr. Haftung
Firmensitz:                     77767 Appenweier-Urloffen
Eingetragen im Handelsregister: AG Freiburg i.Br., HRB 472015
Geschäftsführer:                Martin Foshag, Benoit Girerd
USt-IdNr.:                      DE 1422 18361

More information about the Devel mailing list