author | Lorenz Kästle <12514511+RincewindsHat@users.noreply.github.com> | 2025-08-11 21:54:05 +0200 |
---|---|---|
committer | Lorenz Kästle <12514511+RincewindsHat@users.noreply.github.com> | 2025-08-11 21:54:05 +0200 |
commit | 7382fa90f84d38cd2ae08c880e9ed6a4ad644d35 (patch) | |
tree | e367f424cfb94bd6730e196916a96a9725e61c27 /plugins/check_ssh.c | |
parent | fb39f96ac6f72bb56d17f3e8694134dfea9186e9 (diff) | |
parent | 1dfb5a0c10881b43cb60cf93bab63648c61201b5 (diff) | |
Merge branch 'master' into refactor/check_users
Diffstat (limited to 'plugins/check_ssh.c')
-rw-r--r-- | plugins/check_ssh.c | 89 |
1 files changed, 52 insertions, 37 deletions
diff --git a/plugins/check_ssh.c b/plugins/check_ssh.c index 9d0d7cde..f6c8d551 100644 --- a/plugins/check_ssh.c +++ b/plugins/check_ssh.c | |||
@@ -57,7 +57,8 @@ static process_arguments_wrapper process_arguments(int /*argc*/, char ** /*argv* | |||
57 | static void print_help(void); | 57 | static void print_help(void); |
58 | void print_usage(void); | 58 | void print_usage(void); |
59 | 59 | ||
60 | static int ssh_connect(mp_check *overall, char *haddr, int hport, char *remote_version, char *remote_protocol); | 60 | static int ssh_connect(mp_check *overall, char *haddr, int hport, char *remote_version, |
61 | char *remote_protocol); | ||
61 | 62 | ||
62 | int main(int argc, char **argv) { | 63 | int main(int argc, char **argv) { |
63 | setlocale(LC_ALL, ""); | 64 | setlocale(LC_ALL, ""); |
@@ -85,7 +86,8 @@ int main(int argc, char **argv) { | |||
85 | alarm(socket_timeout); | 86 | alarm(socket_timeout); |
86 | 87 | ||
87 | /* ssh_connect exits if error is found */ | 88 | /* ssh_connect exits if error is found */ |
88 | ssh_connect(&overall, config.server_name, config.port, config.remote_version, config.remote_protocol); | 89 | ssh_connect(&overall, config.server_name, config.port, config.remote_version, |
90 | config.remote_protocol); | ||
89 | 91 | ||
90 | alarm(0); | 92 | alarm(0); |
91 | 93 | ||
@@ -96,19 +98,20 @@ int main(int argc, char **argv) { | |||
96 | 98 | ||
97 | /* process command-line arguments */ | 99 | /* process command-line arguments */ |
98 | process_arguments_wrapper process_arguments(int argc, char **argv) { | 100 | process_arguments_wrapper process_arguments(int argc, char **argv) { |
99 | static struct option longopts[] = {{"help", no_argument, 0, 'h'}, | 101 | static struct option longopts[] = { |
100 | {"version", no_argument, 0, 'V'}, | 102 | {"help", no_argument, 0, 'h'}, |
101 | {"host", required_argument, 0, 'H'}, /* backward compatibility */ | 103 | {"version", no_argument, 0, 'V'}, |
102 | {"hostname", required_argument, 0, 'H'}, | 104 | {"host", required_argument, 0, 'H'}, /* backward compatibility */ |
103 | {"port", required_argument, 0, 'p'}, | 105 | {"hostname", required_argument, 0, 'H'}, |
104 | {"use-ipv4", no_argument, 0, '4'}, | 106 | {"port", required_argument, 0, 'p'}, |
105 | {"use-ipv6", no_argument, 0, '6'}, | 107 | {"use-ipv4", no_argument, 0, '4'}, |
106 | {"timeout", required_argument, 0, 't'}, | 108 | {"use-ipv6", no_argument, 0, '6'}, |
107 | {"verbose", no_argument, 0, 'v'}, | 109 | {"timeout", required_argument, 0, 't'}, |
108 | {"remote-version", required_argument, 0, 'r'}, | 110 | {"verbose", no_argument, 0, 'v'}, |
109 | {"remote-protocol", required_argument, 0, 'P'}, | 111 | {"remote-version", required_argument, 0, 'r'}, |
110 | {"output-format", required_argument, 0, output_format_index}, | 112 | {"remote-protocol", required_argument, 0, 'P'}, |
111 | {0, 0, 0, 0}}; | 113 | {"output-format", required_argument, 0, output_format_index}, |
114 | {0, 0, 0, 0}}; | ||
112 | 115 | ||
113 | process_arguments_wrapper result = { | 116 | process_arguments_wrapper result = { |
114 | .config = check_ssh_config_init(), | 117 | .config = check_ssh_config_init(), |
@@ -228,7 +231,8 @@ process_arguments_wrapper process_arguments(int argc, char **argv) { | |||
228 | * | 231 | * |
229 | *-----------------------------------------------------------------------*/ | 232 | *-----------------------------------------------------------------------*/ |
230 | 233 | ||
231 | int ssh_connect(mp_check *overall, char *haddr, int hport, char *desired_remote_version, char *desired_remote_protocol) { | 234 | int ssh_connect(mp_check *overall, char *haddr, int hport, char *desired_remote_version, |
235 | char *desired_remote_protocol) { | ||
232 | struct timeval tv; | 236 | struct timeval tv; |
233 | gettimeofday(&tv, NULL); | 237 | gettimeofday(&tv, NULL); |
234 | 238 | ||
@@ -238,32 +242,34 @@ int ssh_connect(mp_check *overall, char *haddr, int hport, char *desired_remote_ | |||
238 | mp_subcheck connection_sc = mp_subcheck_init(); | 242 | mp_subcheck connection_sc = mp_subcheck_init(); |
239 | if (result != STATE_OK) { | 243 | if (result != STATE_OK) { |
240 | connection_sc = mp_set_subcheck_state(connection_sc, STATE_CRITICAL); | 244 | connection_sc = mp_set_subcheck_state(connection_sc, STATE_CRITICAL); |
241 | xasprintf(&connection_sc.output, "Failed to establish TCP connection to Host %s and Port %d", haddr, hport); | 245 | xasprintf(&connection_sc.output, |
246 | "Failed to establish TCP connection to Host %s and Port %d", haddr, hport); | ||
242 | mp_add_subcheck_to_check(overall, connection_sc); | 247 | mp_add_subcheck_to_check(overall, connection_sc); |
243 | return result; | 248 | return result; |
244 | } | 249 | } |
245 | 250 | ||
246 | char *output = (char *)calloc(BUFF_SZ + 1, sizeof(char)); | 251 | char *output = (char *)calloc(BUFF_SZ + 1, sizeof(char)); |
247 | char *buffer = NULL; | 252 | char *buffer = NULL; |
248 | size_t recv_ret = 0; | 253 | ssize_t recv_ret = 0; |
249 | char *version_control_string = NULL; | 254 | char *version_control_string = NULL; |
250 | size_t byte_offset = 0; | 255 | size_t byte_offset = 0; |
251 | while ((version_control_string == NULL) && | 256 | while ((version_control_string == NULL) && |
252 | (recv_ret = recv(socket, output + byte_offset, (unsigned long)(BUFF_SZ - byte_offset), 0) > 0)) { | 257 | (recv_ret = recv(socket, output + byte_offset, (unsigned long)(BUFF_SZ - byte_offset), |
258 | 0) > 0)) { | ||
253 | 259 | ||
254 | if (strchr(output, '\n')) { /* we've got at least one full line, start parsing*/ | 260 | if (strchr(output, '\n')) { /* we've got at least one full line, start parsing*/ |
255 | byte_offset = 0; | 261 | byte_offset = 0; |
256 | 262 | ||
257 | char *index = NULL; | 263 | char *index = NULL; |
258 | unsigned long len = 0; | ||
259 | while ((index = strchr(output + byte_offset, '\n')) != NULL) { | 264 | while ((index = strchr(output + byte_offset, '\n')) != NULL) { |
260 | /*Partition the buffer so that this line is a separate string, | 265 | /*Partition the buffer so that this line is a separate string, |
261 | * by replacing the newline with NUL*/ | 266 | * by replacing the newline with NUL*/ |
262 | output[(index - output)] = '\0'; | 267 | output[(index - output)] = '\0'; |
263 | len = strlen(output + byte_offset); | 268 | size_t len = strlen(output + byte_offset); |
264 | 269 | ||
265 | if ((len >= 4) && (strncmp(output + byte_offset, "SSH-", 4) == 0)) { | 270 | if ((len >= 4) && (strncmp(output + byte_offset, "SSH-", 4) == 0)) { |
266 | /*if the string starts with SSH-, this _should_ be a valid version control string*/ | 271 | /*if the string starts with SSH-, this _should_ be a valid version control |
272 | * string*/ | ||
267 | version_control_string = output + byte_offset; | 273 | version_control_string = output + byte_offset; |
268 | break; | 274 | break; |
269 | } | 275 | } |
@@ -273,21 +279,23 @@ int ssh_connect(mp_check *overall, char *haddr, int hport, char *desired_remote_ | |||
273 | } | 279 | } |
274 | 280 | ||
275 | if (version_control_string == NULL) { | 281 | if (version_control_string == NULL) { |
276 | /* move unconsumed data to beginning of buffer, null rest */ | 282 | /* move unconsumed data to beginning of buffer */ |
277 | memmove((void *)output, (void *)(output + byte_offset + 1), BUFF_SZ - len + 1); | 283 | memmove((void *)output, (void *)(output + byte_offset), BUFF_SZ - byte_offset); |
278 | memset(output + byte_offset + 1, 0, BUFF_SZ - byte_offset + 1); | ||
279 | 284 | ||
280 | /*start reading from end of current line chunk on next recv*/ | 285 | /*start reading from end of current line chunk on next recv*/ |
281 | byte_offset = strlen(output); | 286 | byte_offset = strlen(output); |
287 | |||
288 | /* NUL the rest of the buffer */ | ||
289 | memset(output + byte_offset, 0, BUFF_SZ - byte_offset); | ||
282 | } | 290 | } |
283 | } else { | 291 | } else { |
284 | byte_offset += recv_ret; | 292 | byte_offset += (size_t)recv_ret; |
285 | } | 293 | } |
286 | } | 294 | } |
287 | 295 | ||
288 | if (recv_ret < 0) { | 296 | if (recv_ret < 0) { |
289 | connection_sc = mp_set_subcheck_state(connection_sc, STATE_CRITICAL); | 297 | connection_sc = mp_set_subcheck_state(connection_sc, STATE_CRITICAL); |
290 | xasprintf(&connection_sc.output, "%s", "SSH CRITICAL - %s", strerror(errno)); | 298 | xasprintf(&connection_sc.output, "%s - %s", "SSH CRITICAL - ", strerror(errno)); |
291 | mp_add_subcheck_to_check(overall, connection_sc); | 299 | mp_add_subcheck_to_check(overall, connection_sc); |
292 | return OK; | 300 | return OK; |
293 | } | 301 | } |
@@ -333,7 +341,8 @@ int ssh_connect(mp_check *overall, char *haddr, int hport, char *desired_remote_ | |||
333 | * "1.x" (e.g., "1.5" or "1.3")." | 341 | * "1.x" (e.g., "1.5" or "1.3")." |
334 | * - RFC 4253:5 | 342 | * - RFC 4253:5 |
335 | */ | 343 | */ |
336 | char *ssh_server = ssh_proto + strspn(ssh_proto, "0123456789.") + 1; /* (+1 for the '-' separating protoversion from softwareversion) */ | 344 | char *ssh_server = ssh_proto + strspn(ssh_proto, "0123456789.") + |
345 | 1; /* (+1 for the '-' separating protoversion from softwareversion) */ | ||
337 | 346 | ||
338 | /* If there's a space in the version string, whatever's after the space is a comment | 347 | /* If there's a space in the version string, whatever's after the space is a comment |
339 | * (which is NOT part of the server name/version)*/ | 348 | * (which is NOT part of the server name/version)*/ |
@@ -345,13 +354,15 @@ int ssh_connect(mp_check *overall, char *haddr, int hport, char *desired_remote_ | |||
345 | mp_subcheck protocol_validity_sc = mp_subcheck_init(); | 354 | mp_subcheck protocol_validity_sc = mp_subcheck_init(); |
346 | if (strlen(ssh_proto) == 0 || strlen(ssh_server) == 0) { | 355 | if (strlen(ssh_proto) == 0 || strlen(ssh_server) == 0) { |
347 | protocol_validity_sc = mp_set_subcheck_state(protocol_validity_sc, STATE_CRITICAL); | 356 | protocol_validity_sc = mp_set_subcheck_state(protocol_validity_sc, STATE_CRITICAL); |
348 | xasprintf(&protocol_validity_sc.output, "Invalid protocol version control string %s", version_control_string); | 357 | xasprintf(&protocol_validity_sc.output, "Invalid protocol version control string %s", |
358 | version_control_string); | ||
349 | mp_add_subcheck_to_check(overall, protocol_validity_sc); | 359 | mp_add_subcheck_to_check(overall, protocol_validity_sc); |
350 | return OK; | 360 | return OK; |
351 | } | 361 | } |
352 | 362 | ||
353 | protocol_validity_sc = mp_set_subcheck_state(protocol_validity_sc, STATE_OK); | 363 | protocol_validity_sc = mp_set_subcheck_state(protocol_validity_sc, STATE_OK); |
354 | xasprintf(&protocol_validity_sc.output, "Valid protocol version control string %s", version_control_string); | 364 | xasprintf(&protocol_validity_sc.output, "Valid protocol version control string %s", |
365 | version_control_string); | ||
355 | mp_add_subcheck_to_check(overall, protocol_validity_sc); | 366 | mp_add_subcheck_to_check(overall, protocol_validity_sc); |
356 | 367 | ||
357 | ssh_proto[strspn(ssh_proto, "0123456789. ")] = 0; | 368 | ssh_proto[strspn(ssh_proto, "0123456789. ")] = 0; |
@@ -366,8 +377,8 @@ int ssh_connect(mp_check *overall, char *haddr, int hport, char *desired_remote_ | |||
366 | if (desired_remote_version && strcmp(desired_remote_version, ssh_server)) { | 377 | if (desired_remote_version && strcmp(desired_remote_version, ssh_server)) { |
367 | mp_subcheck remote_version_sc = mp_subcheck_init(); | 378 | mp_subcheck remote_version_sc = mp_subcheck_init(); |
368 | remote_version_sc = mp_set_subcheck_state(remote_version_sc, STATE_CRITICAL); | 379 | remote_version_sc = mp_set_subcheck_state(remote_version_sc, STATE_CRITICAL); |
369 | xasprintf(&remote_version_sc.output, _("%s (protocol %s) version mismatch, expected '%s'"), ssh_server, ssh_proto, | 380 | xasprintf(&remote_version_sc.output, _("%s (protocol %s) version mismatch, expected '%s'"), |
370 | desired_remote_version); | 381 | ssh_server, ssh_proto, desired_remote_version); |
371 | close(socket); | 382 | close(socket); |
372 | mp_add_subcheck_to_check(overall, remote_version_sc); | 383 | mp_add_subcheck_to_check(overall, remote_version_sc); |
373 | return OK; | 384 | return OK; |
@@ -385,11 +396,13 @@ int ssh_connect(mp_check *overall, char *haddr, int hport, char *desired_remote_ | |||
385 | 396 | ||
386 | if (desired_remote_protocol && strcmp(desired_remote_protocol, ssh_proto)) { | 397 | if (desired_remote_protocol && strcmp(desired_remote_protocol, ssh_proto)) { |
387 | protocol_version_sc = mp_set_subcheck_state(protocol_version_sc, STATE_CRITICAL); | 398 | protocol_version_sc = mp_set_subcheck_state(protocol_version_sc, STATE_CRITICAL); |
388 | xasprintf(&protocol_version_sc.output, _("%s (protocol %s) protocol version mismatch, expected '%s'"), ssh_server, ssh_proto, | 399 | xasprintf(&protocol_version_sc.output, |
389 | desired_remote_protocol); | 400 | _("%s (protocol %s) protocol version mismatch, expected '%s'"), ssh_server, |
401 | ssh_proto, desired_remote_protocol); | ||
390 | } else { | 402 | } else { |
391 | protocol_version_sc = mp_set_subcheck_state(protocol_version_sc, STATE_OK); | 403 | protocol_version_sc = mp_set_subcheck_state(protocol_version_sc, STATE_OK); |
392 | xasprintf(&protocol_version_sc.output, "SSH server version: %s (protocol version: %s)", ssh_server, ssh_proto); | 404 | xasprintf(&protocol_version_sc.output, "SSH server version: %s (protocol version: %s)", |
405 | ssh_server, ssh_proto); | ||
393 | } | 406 | } |
394 | 407 | ||
395 | mp_add_subcheck_to_check(overall, protocol_version_sc); | 408 | mp_add_subcheck_to_check(overall, protocol_version_sc); |
@@ -422,7 +435,8 @@ void print_help(void) { | |||
422 | printf(UT_CONN_TIMEOUT, DEFAULT_SOCKET_TIMEOUT); | 435 | printf(UT_CONN_TIMEOUT, DEFAULT_SOCKET_TIMEOUT); |
423 | 436 | ||
424 | printf(" %s\n", "-r, --remote-version=STRING"); | 437 | printf(" %s\n", "-r, --remote-version=STRING"); |
425 | printf(" %s\n", _("Alert if string doesn't match expected server version (ex: OpenSSH_3.9p1)")); | 438 | printf(" %s\n", |
439 | _("Alert if string doesn't match expected server version (ex: OpenSSH_3.9p1)")); | ||
426 | 440 | ||
427 | printf(" %s\n", "-P, --remote-protocol=STRING"); | 441 | printf(" %s\n", "-P, --remote-protocol=STRING"); |
428 | printf(" %s\n", _("Alert if protocol doesn't match expected protocol version (ex: 2.0)")); | 442 | printf(" %s\n", _("Alert if protocol doesn't match expected protocol version (ex: 2.0)")); |
@@ -435,5 +449,6 @@ void print_help(void) { | |||
435 | 449 | ||
436 | void print_usage(void) { | 450 | void print_usage(void) { |
437 | printf("%s\n", _("Usage:")); | 451 | printf("%s\n", _("Usage:")); |
438 | printf("%s [-4|-6] [-t <timeout>] [-r <remote version>] [-p <port>] --hostname <host>\n", progname); | 452 | printf("%s [-4|-6] [-t <timeout>] [-r <remote version>] [-p <port>] --hostname <host>\n", |
453 | progname); | ||
439 | } | 454 | } |