check_by_ssh: Ignore output on stderr by default

check_by_ssh no longer returns UNKNOWN if ssh(1) returns data on stderr. But it can be enforced again by the new "--unknown-on-stderr" option. --- The default logic of check_by_ssh results in an UNKNOWN state if the ssh(1) process produces output on stderr. Using the "--skip-stderr=[n]" option allows ignoring a certain amount of lines or disabling this check altogether. Furthermore, passing the "--warn-on-stderr" option reduces the exit code to WARNING. The "--help" output does not document this behavior, only states that "--warn-on-stderr" will result in the WARNING, but does not mention the UNKNOWN by default. The man page of ssh(1) mentions that debug information is logged to stderr. This conflicts with the described logic, resulting in check_by_ssh to go UNKNOWN, unless additional options are set. Starting with OpenSSH version 10.1, ssh(1) will report warnings to stderr if the opposite server does not support post-quantum cryptography, <https://www.openssh.com/pq.html>. This change, slowly being rolled out throughout the next months/years, might result in mass-breakages of check_by_ssh. By introducing a new "--unknown-on-stderr" option, enforcing the prior default logic of an UNKNOWN state for data on stderr, and ignoring output on stderr by default, check_by_ssh will continue to work. One might even argue that this change converges actual implementation and the documented behavior, as argued above. --- $ ssh example '/usr/lib/nagios/plugins/check_dummy 0 demo' ** WARNING: connection is not using a post-quantum key exchange algorithm. ** This session may be vulnerable to "store now, decrypt later" attacks. ** The server may need to be upgraded. See https://openssh.com/pq.html OK: demo $ echo $? 0 $ ./check_by_ssh -H example -C '/usr/lib/nagios/plugins/check_dummy 0 demo' OK: demo $ echo $? 0 $ ./check_by_ssh -H example -C '/usr/lib/nagios/plugins/check_dummy 0 demo' --warn-on-stderr Remote command execution failed: ** WARNING: connection is not using a post-quantum key exchange algorithm. $ echo $? 1 $ ./check_by_ssh -H example -C '/usr/lib/nagios/plugins/check_dummy 0 demo' --unknown-on-stderr Remote command execution failed: ** WARNING: connection is not using a post-quantum key exchange algorithm. $ echo $? 3 --- Fixes #2147.
author: Alvar Penning <post@0x21.biz> 2025-09-15 22:20:08 +0200
committer: Alvar Penning <post@0x21.biz> 2025-09-15 22:20:08 +0200
commit: 4b3f684d33af7459024011a06704cf4ca85dd0a3 (patch)
tree: 6f0d05fb8c21e1a920a143732166977871322b54
parent: 601a48a63e745817cf2a4c7f3ca526e393dd3fb8 (diff)
download: monitoring-plugins-4b3f684d33af7459024011a06704cf4ca85dd0a3.tar.gz
2 files changed, 17 insertions, 8 deletions
diff --git a/plugins/check_by_ssh.c b/plugins/check_by_ssh.c
index 74b7a46f..a43c0d34 100644
--- a/plugins/check_by_ssh.c
+++ b/plugins/check_by_ssh.c
@@ -119,13 +119,14 @@ int main(int argc, char **argv) {
                skip_stderr = config.skip_stderr;
        }
-        /* UNKNOWN or worse if (non-skipped) output found on stderr */
+        /* Allow UNKNOWN or WARNING state for (non-skipped) output found on stderr */
-        if (chld_err.lines > (size_t)skip_stderr) {
+        if (chld_err.lines > (size_t)skip_stderr && (config.unknown_on_stderr || config.warn_on_stderr)) {
                printf(_("Remote command execution failed: %s\n"), chld_err.line[skip_stderr]);
-                if (config.warn_on_stderr) {
+                if (config.unknown_on_stderr) {
+                        return max_state_alt(result, STATE_UNKNOWN);
+                } else if (config.warn_on_stderr) {
                        return max_state_alt(result, STATE_WARNING);
                }
-                return max_state_alt(result, STATE_UNKNOWN);
        }
        /* this is simple if we're not supposed to be passive.
@@ -191,12 +192,13 @@ check_by_ssh_config_wrapper process_arguments(int argc, char **argv) {
                {"name", required_argument, 0, 'n'},
                {"services", required_argument, 0, 's'},
                {"identity", required_argument, 0, 'i'},
-                {"user", required_argument, 0, 'u'},
+                {"user", required_argument, 0, 'u'}, /* backwards compatibility */
                {"logname", required_argument, 0, 'l'},
                {"command", required_argument, 0, 'C'},
                {"skip", optional_argument, 0, 'S'}, /* backwards compatibility */
                {"skip-stdout", optional_argument, 0, 'S'},
                {"skip-stderr", optional_argument, 0, 'E'},
+                {"unknown-on-stderr", no_argument, 0, 'e'},
                {"warn-on-stderr", no_argument, 0, 'W'},
                {"proto1", no_argument, 0, '1'},
                {"proto2", no_argument, 0, '2'},
@@ -341,6 +343,9 @@ check_by_ssh_config_wrapper process_arguments(int argc, char **argv) {
                                result.config.skip_stderr = atoi(optarg);
                        }
                        break;
+                case 'e': /* exit with unknown if there is an output on stderr */
+                        result.config.unknown_on_stderr = true;
+                        break;
                case 'W': /* exit with warning if there is an output on stderr */
                        result.config.warn_on_stderr = true;
                        break;
@@ -468,8 +473,10 @@ void print_help(void) {
        printf("    %s\n", _("Ignore all or (if specified) first n lines on STDOUT [optional]"));
        printf(" %s\n", "-E, --skip-stderr[=n]");
        printf("    %s\n", _("Ignore all or (if specified) first n lines on STDERR [optional]"));
-        printf(" %s\n", "-W, --warn-on-stderr]");
+        printf(" %s\n", "-e, --unknown-on-stderr");
-        printf("    %s\n", _("Exit with an warning, if there is an output on STDERR"));
+        printf("    %s\n", _("Exit with UNKNOWN, if there is output on STDERR"));
+        printf(" %s\n", "-W, --warn-on-stderr");
+        printf("    %s\n", _("Exit with WARNING, if there is output on STDERR"));
        printf(" %s\n", "-f");
        printf("    %s\n", _("tells ssh to fork rather than create a tty [optional]. This will always "
                                                 "return OK if ssh is executed"));
@@ -522,7 +529,7 @@ void print_help(void) {
 void print_usage(void) {
        printf("%s\n", _("Usage:"));
        printf(" %s -H <host> -C <command> [-fqvU] [-1|-2] [-4|-6]\n"
-                   "       [-S [lines]] [-E [lines]] [-W] [-t timeout] [-i identity]\n"
+                   "       [-S [lines]] [-E [lines]] [-e|-W] [-t timeout] [-i identity]\n"
                   "       [-l user] [-n name] [-s servicelist] [-O outputfile]\n"
                   "       [-p port] [-o ssh-option] [-F configfile]\n",
                   progname);
diff --git a/plugins/check_by_ssh.d/config.h b/plugins/check_by_ssh.d/config.h
index 05435def..0e4b56d4 100644
--- a/plugins/check_by_ssh.d/config.h
+++ b/plugins/check_by_ssh.d/config.h
@@ -21,6 +21,7 @@ typedef struct {
        command_construct cmd;
        bool unknown_timeout;
+        bool unknown_on_stderr;
        bool warn_on_stderr;
        int skip_stdout;
        int skip_stderr;
@@ -46,6 +47,7 @@ check_by_ssh_config check_by_ssh_config_init() {
                        },
                .unknown_timeout = false,
+                .unknown_on_stderr = false,
                .warn_on_stderr = false,
                .skip_stderr = 0,
                .skip_stdout = 0,
author	Alvar Penning <post@0x21.biz>	2025-09-15 22:20:08 +0200
committer	Alvar Penning <post@0x21.biz>	2025-09-15 22:20:08 +0200
commit	4b3f684d33af7459024011a06704cf4ca85dd0a3 (patch)
tree	6f0d05fb8c21e1a920a143732166977871322b54
parent	601a48a63e745817cf2a4c7f3ca526e393dd3fb8 (diff)
download	monitoring-plugins-4b3f684d33af7459024011a06704cf4ca85dd0a3.tar.gz