Check_by_ssh for ASA

Hi,
I have tried check_by_ssh to log in to a Cisco ASA, to get the output of a specific command. But it gives me output saying “CRITICAL - Plug-in timed out after 10 seconds”. I have tried extending the timeout to 60 secs, but no luck.
From an Ubuntu machine I can log in to the device using SSH without a password. Please can you let me know if this plugin works for SSH into the Cisco ASA? If yes, is there anything I am missing?
root@Test:/usr/lib/nagios/plugins# ssh root@192.168.56.103
Type help or ‘?’ for a list of available commands.
TEST-ASA2> exit

Logoff

Trying the plugin manually means executing it as user root. Hence, the private key of user root is used for connecting via ssh. When icinga executes the plugin, the private key of the user icinga or nagios (depending on your distribution) is used instead. This means you need to add icinga’s or nagios’ public key to your ASA.

Hi Roland,

Thanks for the prompt response. I have added the Nagios and Icinga public keys to the ASA, but still no luck running the plugin.

root@paymentsense-VirtualBox:/usr/lib/nagios/plugins# ./check_by_ssh -H 192.168.56.103 -C show ver
CRITICAL - Plug-in timed out after 10 seconds
root@paymentsense-VirtualBox:/usr/lib/nagios/plugins# ./check_by_ssh -H 192.168.56.103 -C show ver
CRITICAL - Plug-in timed out after 10 seconds
root@paymentsense-VirtualBox:/usr/lib/nagios/plugins#

################ ASA ####################
username icinga password 1tt8E/QirLFopdCy encrypted privilege 15
username icinga attributes
username nagios password 8P/ChtldXcW7xVYO encrypted privilege 15
username nagios attributes

root@paymentsense-VirtualBox:/usr/lib/nagios/plugins# ssh icinga@192.168.56.103
Type help or ‘?’ for a list of available commands.
TEST-ASA2> exit

Logoff

Connection to 192.168.56.103 closed.
root@paymentsense-VirtualBox:/usr/lib/nagios/plugins# ssh nagios@192.168.56.103
Type help or ‘?’ for a list of available commands.
TEST-ASA2> exit

Logoff

Connection to 192.168.56.103 closed by remote host.
Connection to 192.168.56.103 closed.
root@paymentsense-VirtualBox:/usr/lib/nagios/plugins#

I’d recommend manually checking the plugin as user icinga or nagios. To do so I always use

sudo -u nagios bash

to switch to icinga’s user and then try to log in to the target node:

ssh < ip address >

You are trying it the opposite way, that is, logging in with root’s private key to icinga or nagios at your target.

I am actually new to Linux and Icinga and am not sure I am posting the correct output which you are referring to. I have tried with both nagios and icinga, but still no luck.

icinga@paymentsense-VirtualBox:/usr/lib/nagios/plugins$ ./check_by_ssh -H 192.168.56.103 -C show
icinga@192.168.56.103’s password:
CRITICAL - Plug-in timed out after 10 seconds

icinga@paymentsense-VirtualBox:/usr/lib/nagios/plugins$ ssh icinga@192.168.56.103
icinga@192.168.56.103’s password:
Type help or ‘?’ for a list of available commands.
TEST-ASA2> exit

Logoff

Connection to 192.168.56.103 closed by remote host.
Connection to 192.168.56.103 closed.
icinga@paymentsense-VirtualBox:/usr/lib/nagios/plugins$

#####################################################################
nagios@paymentsense-VirtualBox:/usr/lib/nagios/plugins$ ./check_by_ssh -H 192.168.56.103 -C show ver
Enter passphrase for key ‘/var/lib/nagios/.ssh/id_rsa’:
CRITICAL - Plug-in timed out after 10 seconds

nagios@paymentsense-VirtualBox:/usr/lib/nagios/plugins$ ssh 192.168.56.103
The authenticity of host ‘192.168.56.103 (192.168.56.103)’ can’t be established.
RSA key fingerprint is SHA256:7G9WRS6pyH7uq9iC/jTlbllm8CQXqp/NHv5pqeNq8gY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added ‘192.168.56.103’ (RSA) to the list of known hosts.
nagios@192.168.56.103’s password:
Type help or ‘?’ for a list of available commands.
TEST-ASA2> en
Password: ********
TEST-ASA2# exit

Logoff

Connection to 192.168.56.103 closed by remote host.
Connection to 192.168.56.103 closed.

Since the system asks you for a password, icinga’s public key is missing at your ASA (or permissions are wrong).

I think permission is fixed, but still it says timeout.

icinga@paymentsense-VirtualBox:/usr/lib/nagios/plugins$ ssh 192.168.56.103
Type help or ‘?’ for a list of available commands.
TEST-ASA2> exit

Logoff

Connection to 192.168.56.103 closed by remote host.
Connection to 192.168.56.103 closed.
icinga@paymentsense-VirtualBox:/usr/lib/nagios/plugins$
icinga@paymentsense-VirtualBox:/usr/lib/nagios/plugins$ ./check_by_ssh -H 192.168.56.103 -C show
CRITICAL - Plug-in timed out after 10 seconds

What is the output of

time ssh 192.168.56.103 show

icinga@paymentsense-VirtualBox:/usr/lib/nagios/plugins$ time ssh 192.168.56.103 show
Enter passphrase for key ‘/home/icinga/.ssh/id_rsa’:
Type help or ‘?’ for a list of available commands.
TEST-ASA2> show

INFO: % Type “show ?” for a list of subcommands
TEST-ASA2> exit
exit

Logoff

Connection to 192.168.56.103 closed by remote host.

real 0m14.524s
user 0m0.122s
sys 0m0.000s
icinga@paymentsense-VirtualBox:/usr/lib/nagios/plugins$

Password-protected private keys do not work with icinga.

BTW: /home/icinga/... looks wrong. It looks like you have created the user icinga manually. If so, I’m out.

Yeah, I thought we needed to create it manually; I am not sure if it was already in place. I have created the Icinga user manually and provided permissions. I was following the two links below for logging in to the ASA without a password.

https://www.thegeekdiary.com/how-to-avoid-ssh-from-prompting-key-passphrase-for-passwordless-logins

I am new to both Linux and Icinga and am not sure about the terminology. I am following Google searches to get to the solution.

Hi
Do you really want to enable SSH access to your firewall without passphrase?
I would then prefer SNMPv3 monitoring for such a purpose.

Thanks Matthais for the response, I was able to resolve the actual issue. I think you are aware that the ASA does not support BGP and IPSLA OIDs. I was trying to get the BGP state through the check_by_ssh command, but it did not work as it requires a passphrase.
Apparently I was able to write a Python script and apply the Icinga codes to get notified when the BGP state changes. Thank you for your support.

Hm… no traps that can be sent on BGP changes?
What a pity…