Access agent over SSH

I have installed check-mk-agent_2.0.0p3-1_all.deb on an old Debian 7 test VM. I skipped the xinetd setup as I intend to access via SSH instead.

I then followed “6.3. Invoking over SSH” instructions from The agent for Linux in detail

I created key pair without “-t ed25519” due to seeing: userauth_pubkey: unsupported public key algorithm: ssh-ed25519 [preauth]

So a pair of standard RSA keys (id_rsa, id_rsa.pub) was created instead (no passphrase).

On Check MK server the keys are located in both:

/home/user/.ssh/
/root/.ssh/

On the target client I’ve added the public one to /root/.ssh/authorized_keys

Ownership and permissions are correct.

I can connect from Check MK server as both a regular user and root:

$ ssh root@testvm
<<<check_mk>>>
Version: 2.0.0p3
AgentOS: linux
Hostname: testvm
AgentDirectory: /etc/check_mk
DataDirectory: /var/lib/check_mk_agent
SpoolDirectory: /var/lib/check_mk_agent/spool
PluginsDirectory: /usr/lib/check_mk_agent/plugins
LocalDirectory: /usr/lib/check_mk_agent/local
(…)

ssh root@testvm

<<<check_mk>>>
Version: 2.0.0p3
AgentOS: linux
Hostname: testvm
AgentDirectory: /etc/check_mk
DataDirectory: /var/lib/check_mk_agent
SpoolDirectory: /var/lib/check_mk_agent/spool
PluginsDirectory: /usr/lib/check_mk_agent/plugins
LocalDirectory: /usr/lib/check_mk_agent/local
(…)

I went to Agents → Other integrations → Custom integrations → Individual program call instead of agent access

Added rule:

Description: CUSTOM agent over SSH
Command line to execute: ssh -i $OMD_ROOT/.ssh/id_rsa -T root@$HOSTADDRESS
Folder: Main directory
Host labels has AGENT:SSH

The rest left at defaults.

I went to Setup → Agents → Access to Agents → TCP port for connection to Checkmk agent

Added rule:

Description: CUSTOM agent over SSH
TCP port for connection to Checkmk agent: 22
Folder: Main directory
Host labels has AGENT:SSH

Finally: Host → testvm → Labels → AGENT:SSH (added)

Selecting: Data sources → Checkmk agent:

Normal Checkmk agent, or special agent if configured → Save & go to connection tests → Agent → Program ‘5’ not found (exit code 127)
Normal Checkmk agent, all configured special agents → Save & go to connection tests → Agent → Program ‘5’ not found (exit code 127)
No Checkmk agent, all configured special agents → Save & go to connection tests → Agent → the field goes solid green and blank, no messages
No agent → Save & go to connection tests → Agent → the field goes solid green and blank, no messages

Interestingly on connection test page → Options → Checkmk Agent Port is still showing the default 6556 instead of 22.
When I click on “Rules” next to it I see my rule created earlier.

Why is it not working? What am I missing / doing wrong?

Hi,
have you created the keypair as site user?

The command line to execute should look like this:

ssh root@$HOSTADDRESS$ /usr/bin/check_mk_agent

There’s no need to change the TCP port for the agent connection.

Karl


Thanks Karl.

The key pair was in place for root and the user I used for installation but not the site user indeed.

The bad news for me is SSH monitoring only seems to work with the id_ed25519 and id_ed25519.pub key pair.

Many of my clients refuse it by default with:

userauth_pubkey: unsupported public key algorithm: ssh-ed25519 [preauth]

Do you know if and where I could switch to id_rsa and id_rsa.pub (RSA format)?

Hi,
this depends on the setting of your openssh-servers and has nothing to do with Checkmk.
You configure the support in the configuration file of your ssh-servers.

Karl


All my servers accept the default id_rsa.
Rather than changing settings in tens of places perhaps I could change it in just one?
Meaning convince site user on Check MK server to use id_rsa instead of id_ed25519.
Does my question make more sense now?

Hi,
which files do you have in the directory /opt/omd/sites/YOURSITE/.ssh?
If you have the files id_rsa.pub, id_rsa and id_ed25519.pub and id_ed25519 - then delete the id_ed25519-files. Then your id_rsa-files will be used for the connection.

Karl

Yes, that worked.

Even though all monitors are running fine, the agent connection test returns:

Program '5' not found (exit code 127)

That’s why when I tried id_rsa key pair I assumed it wasn’t working after seeing the message.

Is the above error expected with command="/usr/bin/check_mk_agent" restriction and can be ignored?

this is a bug and will be fixed with this werk
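
Added example, not part of the thread and not Checkmk code: the setup discussed above logs in as root with a passphrase-less key, so the command="/usr/bin/check_mk_agent" restriction in authorized_keys is what limits that key. This Python script parses authorized_keys entries (including quoted option values) and reports keys that lack the forced command or still allow a PTY or forwarding; the sample file, its placeholder keys and the function names are constructed for illustration.

```python
import re

AGENT = "/usr/bin/check_mk_agent"  # forced command named in the thread
KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)$")
# Option field: runs of non-space characters and double-quoted strings (\" escapes a quote).
FIELD = re.compile(r'^((?:[^\s"]|"(?:\\.|[^"\\])*")+)\s+(.*)$')
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?(?:,|$)')
# Capabilities a monitoring-only key does not need; "restrict" (OpenSSH 7.2+) covers all.
WANTED = ("no-pty", "no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding")
# Constructed sample; key material replaced by placeholders.
SAMPLE = r'''# authorized_keys of the monitored host
ssh-rsa AAAAB3PLACEHOLDER site@checkmk
command="/usr/bin/check_mk_agent" ssh-rsa AAAAB3PLACEHOLDER site@checkmk
command="/usr/bin/check_mk_agent",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAB3PLACEHOLDER site@checkmk
restrict,command="/usr/bin/check_mk_agent" ssh-ed25519 AAAAC3PLACEHOLDER site@checkmk
command="/bin/sh -c \"echo a, b\"",no-pty ssh-rsa AAAAB3PLACEHOLDER other@host
'''

def parse_line(line):
    """Return (options, key_type) for one entry, or None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first = line.split(None, 1)[0]
    if KEY_TYPE.match(first):  # entry without an option field
        return {}, first
    m = FIELD.match(line)
    if not m:
        raise ValueError("unparseable entry: " + line[:40])
    opts = {k.lower(): v.replace('\\"', '"') for k, v in OPTION.findall(m.group(1))}
    return opts, m.group(2).split()[0]

def audit(text):
    """List (line_no, key_type, problems) for every key entry in text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        opts, key_type = parsed
        cmd = opts.get("command")
        problems = [] if cmd == AGENT else [
            "no forced command" if cmd is None else "unexpected command: " + cmd]
        if "restrict" not in opts:
            problems += ["missing " + o for o in WANTED if o not in opts]
        findings.append((no, key_type, problems))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The restrict keyword is not understood by older OpenSSH servers such as the one on Debian 7, so on those hosts the individual no-* options are the ones to look for.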
