I run my script from an installation server which then connects to the machine
being worked on and does whatever is needed (possibly including a reboot, or
restarting services), so I trust that installation server to talk to the
Icinga server with a scripted password.
If you want the machine which is actually being worked on to send the requests
to Icinga, though, then agreed, you want either a low-privilege user, or else
a wrapper script on the Icinga server which can only do this function, and you
call that (e.g. over SSH) from the machine being worked on, with its name as a
Then the Icinga password is only on the Icinga machine, and the wrapper script
ensures that this downtime stuff is the only thing that anyone who gets SSH
access to it can do.
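
The wrapper approach described above, as an added example that is not part of the original post. It assumes Icinga 2's REST API (`schedule-downtime` action) on its default port; the script path, the curl config file and the fixed one-hour window are hypothetical.

```shell
#!/bin/sh
# Added example: wrapper installed on the Icinga server (path is hypothetical).
# Pin it to one key in authorized_keys so that key can run nothing else:
#   restrict,command="/usr/local/bin/icinga-downtime" ssh-ed25519 <public-key> installer
# sshd puts the command the client asked for in SSH_ORIGINAL_COMMAND; it is
# treated purely as data (the host name) and never executed.

API_URL=https://localhost:5665             # Icinga 2 API, default port (assumed)
CURL_CONF=/etc/icinga-downtime.curlrc      # assumed, mode 0600: user = "name:password"
DURATION=3600                              # assumed fixed downtime window, seconds

# Accept one token made of letters, digits, dots and hyphens; reject the rest.
valid_host() {
    case "$1" in
        ''|-*|.*|*-|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

# JSON body for the schedule-downtime action; $1 = host name, $2 = start (epoch).
downtime_body() {
    printf '{"type":"Host","filter":"host.name==\\"%s\\"","start_time":%d,"end_time":%d,"author":"ssh-wrapper","comment":"scheduled maintenance"}' \
        "$1" "$2" "$(($2 + $DURATION))"
}

main() {
    host=$SSH_ORIGINAL_COMMAND
    if ! valid_host "$host"; then
        echo "usage: ssh <icinga-server> <hostname>" >&2
        exit 2
    fi
    # The password stays in CURL_CONF, off the command line and off the client.
    curl -sS --fail -K "$CURL_CONF" -X POST -H 'Accept: application/json' \
         -d "$(downtime_body "$host" "$(date +%s)")" \
         "$API_URL/v1/actions/schedule-downtime"
}

# Run only when sshd handed us a client-supplied command.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then main; fi
```

Because the key is bound to the forced command, anything the client sends other than a single well-formed host name is rejected before any request is built.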