All that’s really necessary is for ‘nagios’ to have a set of public/private keys, and for the nagios public key to be copied to the remotehost and appended to the remoteuser’s authorized_keys file. (Just like your root account’s public key has already been appended to remoteuser’s authorized_keys file.)
If the ‘nagios’ account doesn’t have id_dsa or id_rsa files, run ‘ssh-keygen’ to create them. Run “ssh-keygen -t rsa” or “ssh-keygen -t dsa” to create the corresponding private and public keys.
Then switch to root, and use scp to copy the ~/nagios/.ssh/id_*.pub files to /tmp or /var/tmp on the remote host, and then ask the administrators of the remotehost to take the files you copied to their host and append them to the remoteuser’s authorized_keys file.
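One way the remote host's administrators could perform the append step with least privilege, as an added example that is not part of the original message. The helper name `install_monitoring_key` and the sample key are constructed for illustration; the forced command is the script path used with check_by_ssh in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): append the monitoring account's public
# key to the remote user's authorized_keys, pinned to one command.
# install_monitoring_key is a hypothetical helper name.
install_monitoring_key() {
    home_dir=$1; pubkey=$2; forced_cmd=$3
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # Accept exactly one line that looks like an OpenSSH public key.
    if [ "$(printf '%s\n' "$pubkey" | wc -l | tr -d ' ')" != 1 ]; then
        echo "refusing multi-line input" >&2; return 2
    fi
    case $pubkey in
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
        *) echo "not an OpenSSH public key line" >&2; return 2 ;;
    esac
    # A double quote would terminate the command="..." option early.
    case $forced_cmd in
        *\"*) echo "forced command must not contain a double quote" >&2; return 2 ;;
    esac

    # sshd's StrictModes ignores keys if these are group- or world-writable.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # Match on the base64 key blob so a second run does not add a duplicate.
    blob=$(printf '%s\n' "$pubkey" | awk '{print $2}')
    if grep -qF -- "$blob" "$auth_file"; then return 0; fi

    # restrict (OpenSSH 7.2+) disables pty, forwarding and rc files; command=
    # makes this key run only the check script, whatever the client asks for.
    printf 'restrict,command="%s" %s\n' "$forced_cmd" "$pubkey" >> "$auth_file"
}

# Demo in a scratch directory with a constructed (not real) key.
demo_home=$(mktemp -d)
demo_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyOnly nagios@monitoring'
install_monitoring_key "$demo_home" "$demo_key" /home/nagios/hardware.sh
cat "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```

From the monitoring server, `su nagios -c 'ssh -o BatchMode=yes user@server date'` then fails immediately instead of prompting when key authentication is not in place.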
From: Francisco Gomez Leo [mailto:pacogomezleo@gmail.com]
Sent: Thursday, October 24, 2013 7:07 AM
To: Stier, Matthew
Cc: Marcel Schulte; checkmk-en@lists.mathias-kettner.de
Subject: Re: [Check_mk (english)] Problem with script check_by_ssh … (Return code of 255 is out of bounds)
To simplify things, have you tried running “ssh user@server date” from the root and nagios accounts?
**Yes, I tried; I could with root, but with the nagios user I can't log in, it always asks me for the password…**
It looks like you simply need to setup the same credentials between nagios and user, as you already have setup for root and user.
Check root’s ~/.ssh directory for the files ‘authorized_keys’ and ‘id_*.pub’. The authorized keys are the public keys of other systems that the root account has accumulated. The *.pub keys are root’s own public key.
**Yes, I have the authorized_keys file, but inside it the user that appears is root…**
If you scroll through root’s ‘authorized_keys’ file you should find one for ‘user@server’. You should be able to copy it to nagios’ ‘authorized_keys’ file.
Next you need to look in nagios’ ~/.ssh file for a ‘*.pub’ file. If one isn’t present, you will need to use the ssh keygen program as ‘nagios’ to create one. (I’d use the same type (rsa, dsa) as root, since you know that ‘server’ can handle it.)
Once you have a set of keys generated for nagios, the issue will be for your customer to add nagios’ public key to ‘user’s ‘authorized_keys’. That should fix your problem.
In summary, you have proven that ‘root’ and ‘user’ have shared public keys. Now you need to do the same for ‘nagios’ and ‘user’.
2013/10/24 Stier, Matthew Matthew.Stier@us.fujitsu.com
To simplify things, have you tried running “ssh user@server date” from the root and nagios accounts?
It looks like you simply need to setup the same credentials between nagios and user, as you already have setup for root and user.
Check root’s ~/.ssh directory for the files ‘authorized_keys’ and ‘id_*.pub’. The authorized keys are the public keys of other systems that the root account has accumulated. The *.pub keys are root’s own public key.
If you scroll through root’s ‘authorized_keys’ file you should find one for ‘user@server’. You should be able to copy it to nagios’ ‘authorized_keys’ file.
Next you need to look in nagios’ ~/.ssh file for a ‘*.pub’ file. If one isn’t present, you will need to use the ssh keygen program as ‘nagios’ to create one. (I’d use the same type (rsa, dsa) as root, since you know that ‘server’ can handle it.)
Once you have a set of keys generated for nagios, the issue will be for your customer to add nagios’ public key to ‘user’s ‘authorized_keys’. That should fix your problem.
In summary, you have proven that ‘root’ and ‘user’ have shared public keys. Now you need to do the same for ‘nagios’ and ‘user’.
From:
checkmk-en-bounces@lists.mathias-kettner.de [mailto:checkmk-en-bounces@lists.mathias-kettner.de]
On Behalf Of Francisco Gomez Leo
Sent: Thursday, October 24, 2013 2:57 AM
To: Marcel Schulte
Cc: checkmk-en@lists.mathias-kettner.de
Subject: Re: [Check_mk (english)] Problem with script check_by_ssh … (Return code of 255 is out of bounds)
First of all, thanks for your answer. I tried to test only the step “1.) connect to terminal of monitoring server and issue this as root user (effectively executes command as nagios user, just like nagios itself)”, because the remote machine is a customer's machine, so:
su nagios -c '/usr/local/lib/nagios/plugins/check_by_ssh -H ipremoteserver -l userremoteserver -C /home/nagios/hardware.sh -E'
And when I execute that, the command returns nothing; however, when I tried this:
su root -c '/usr/local/lib/nagios/plugins/check_by_ssh -H ipremoteserver -l userremoteserver -C /home/nagios/hardware.sh -E'
it works perfectly and returns “OK - Hardware operating normally”. So the problem is the user, but I don't have a clue how to continue … maybe create a nagios user on the remote machine like this:
[root@remotemachine ~]# useradd nagios -m -d /home/icinga
[root@remotemachine ~]# su - nagios
[nagios@remotemachine ~]$ mkdir ssh
[nagios@remotemachine ~]$ touch authorized_keys
[nagios@remotemachine ~]$ mkdir /home/nagios/plugins
And then :
Isn't it?
Best regards …
2013/10/23 Marcel Schulte schulte.marcel@gmail.com
1 → In the remoteserver, which user I have to create user with that permission to run the script that I require. (nagios user)
Depends on what your run script does - this can’t be known to anyone on the list. All I can say is it’s the user configured as “remoteuser” in your nagios command.
2 → And in my monitoring machine what can I do to fix the problem, because I can't execute the command like nagios user.
If your remotehost is monitored by cmk agent, too, take your remote script as local check instead of using check_by_ssh.
If the host is not monitored via cmk agent and you’re stuck to check_by_ssh do these steps to check if command can be used and probably fix if not:
1.) connect to terminal of monitoring server and issue this as root user (effectively executes command as nagios user, just like nagios itself):
sudo -u nagios /usr/local/lib/nagios/plugins/check_by_ssh -H "ipremoteserver" -l "userremoteserver" -C /home/nagios/hardware.sh -E
2.) if command fails because a password is needed do this (in short, should you not be able to understand what to do you should search the web on how to do this, it’s totally out of scope of this list or cmk):
* create rsa keypair for nagios user on monitoring server
* append pub part to ~/.ssh/authorized_keys of remoteuser on remotehost
3.) repeat step 1 - this should work now.
Regards,
Marcel
best regards
2013/10/23 Francisco Gomez Leo pacogomezleo@gmail.com
The question is that I can't execute the command as the nagios user, because when I do su - nagios nothing happens; I am still the root user. How can I check it? The user cannot be used to access by ssh, so …
2013/10/23 Marcel Schulte schulte.marcel@gmail.com
What exactly fails? What is the command output?
We can’t help without getting such information. Just ‘it fails’ is by far not enough…
sent from my SGS3
On 23.10.2013 at 16:16, “Francisco Gomez Leo” pacogomezleo@gmail.com wrote:
I can't, but of course that is the failure. How can I fix it?
2013/10/23 Marcel Schulte schulte.marcel@gmail.com
I always said it’s the user!
Connect to your monitoring server, become root and change user to the nagios one:
su -
…then issue the command and watch it failing.
Marcel
sent from my SGS3
On 23.10.2013 at 15:51, “Francisco Gomez Leo” pacogomezleo@gmail.com wrote:
How can I do it? My nagios user doesn't have permission to access by ssh on my nagios server. But I mean that the problem is the user, because when I use the terminal I always use root, and when nagios executes the plugin maybe it uses the user nagios …
2013/10/23 Marcel Schulte schulte.marcel@gmail.com
Francisco,
Open a terminal and execute the command as Nagios user. Does that work?
Regards,
Marcel
sent from my SGS3
On 23.10.2013 at 15:29, “Francisco Gomez Leo” pacogomezleo@gmail.com wrote:
How can I get the string that it returns shown in my checkmk interface? Because it always shows me (Return code of 255 is out of bounds) CRIT
2013/10/23 Francisco Gomez Leo pacogomezleo@gmail.com
but i connect perfectly …
2013/10/23 Marcel Schulte schulte.marcel@gmail.com
If using root user the public part of root’s cert is used for the connection. Nagios most likely does not run as root so you must setup Nagios’ user’s pub part for the connection and it should work.
HTH,
Marcel
2013/10/23 Francisco Gomez Leo pacogomezleo@gmail.com:
When I execute the command in the terminal, I use the root user:
/usr/local/lib/nagios/plugins/check_by_ssh -H "ipremoteserver" -l "userremoteserver" -C /home/nagios/hardware.sh -E
The “userremoteserver” has access with rsa certificates and no password is needed; if it didn't, the command wouldn't work in the terminal of my monitoring server.
Thanks for the answer
2013/10/23 Marcel Schulte schulte.marcel@gmail.com
Hi Francisco,
when you execute the command in terminal - as which user do you do that? Nagios executes all plugins as the user it runs as…
Looks as if the script does not need a password for the ssh user so this should work with rsa certificates or similar. The used user is very important then as the public cert of the user is taken to authenticate.
HTH,
Marcel
2013/10/23 Francisco Gomez Leo pacogomezleo@gmail.com:
Hi, I used check_by_ssh to execute another script on a remote server. This works when I execute the command in the shell, but it doesn't work when I try to use it with check_mk; that script always returns (Return code of 255 is out of bounds) “critical” in the check_mk interface …
define command{
    command_name check_nas_server
    command_line /usr/local/lib/nagios/plugins/check_by_ssh -H "ipremoteserver" -l "userremoteserver" -C /home/nagios/hardware.sh -E
}
It should return 0 or 1, and an echo message …
Could you help me? The userremoteserver has nopassword access to the remote server, and is correct.
Thanks, regards
checkmk-en mailing list
checkmk-en@lists.mathias-kettner.de
http://lists.mathias-kettner.de/mailman/listinfo/checkmk-en