I have a problem that I have not managed to solve for days. I cannot use check_by_ssh if I use a user other than nagios.
The error message is the following:
Remote command execution failed: icinga@host-IP: Permission denied (publickey,keyboard-interactive).
What I checked already:
On server:
icinga@icinga:~$ ssh host-IP
Last login: Fri Jan 24 12:57:40 2020 from server-IP
icinga@icinga:~$ ssh host-IP "/usr/lib/nagios/plugins/check_users -w 2 -c 5"
USERS OK - 1 users currently logged in |users=1;2;5;0
On client:
icinga@ceg-irattar-backup:~> /usr/lib/nagios/plugins/check_users -w 2 -c 5
USERS OK - 1 users currently logged in |users=1;2;5;0
icinga@ceg-irattar-backup:~>
Could be failing due to SSH waiting for action on first usage.
Have you tried manually ssh’ing from icinga server/satellite to client with said (not nagios) account?
On the monitoring server do:
Create a new folder for your keyfiles, e.g. /var/lib/icinga/.ssh and then create the keys (no password!)
cd /var/lib/icinga/
mkdir .ssh
ssh-keygen
Then make the user running Icinga 2 (icinga on CentOS/RHEL/SUSE, nagios on Debian/Ubuntu) the owner of the key folder:
chown -R icinga:icinga /var/lib/icinga/.ssh
Then copy the pubkey to the remote host with the user you want to use for monitoring and have created on the remote host:
ssh-copy-id -i .ssh/id_rsa.pub user@remotehost_ip/fqdn
Then log in using the public key; no password prompt should appear!
ssh -i /var/lib/icinga/.ssh/id_rsa user@remotehost_ip/fqdn
You don’t really need to create a new user on the remote server, you also can use an existing one, just modify the ssh-copy-id and ssh -i statements above according to the user on the remote host.
After this run the Icinga check_by_ssh from the CLI as the Icinga 2 user:
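An added example, not part of the original reply and not Icinga's own code: a pre-flight for the key steps above, run on the monitoring server before pointing check_by_ssh at the key. The function names `audit_key` and `probe_login` are hypothetical; the `ssh` options are standard OpenSSH client options.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): checks for the private key that
# check_by_ssh is given with -i. Helper names are hypothetical.

# audit_key KEYFILE OWNER
#   OWNER is a user name or numeric uid (the account the Icinga daemon runs as).
#   Prints one finding per line; returns 0 when there are none, 1 otherwise.
audit_key() {
    local key="$1" owner="$2" want_uid mode uid rc=0
    case $owner in
        *[!0-9]*) want_uid=$(id -u "$owner" 2>/dev/null) || want_uid=unknown ;;
        *)        want_uid=$owner ;;
    esac
    if [ ! -f "$key" ]; then
        echo "missing private key: $key"
        return 1
    fi
    # ls -ldn prints the mode string first and the numeric owner third.
    set -- $(ls -ldn "$key")
    mode=$1 uid=$3
    if [ "$uid" != "$want_uid" ]; then
        echo "owner uid $uid, expected $want_uid: the daemon user may not be able to read the key"
        rc=1
    fi
    # Drop the type and owner bits; anything set for group/other makes the
    # OpenSSH client ignore the key as unprotected.
    case ${mode#????} in
        ------*) ;;
        *) echo "mode $mode is too open: chmod 600 $key"; rc=1 ;;
    esac
    if [ ! -f "$key.pub" ]; then
        echo "no $key.pub next to the key (ssh-copy-id -i needs it)"
        rc=1
    fi
    return $rc
}

# probe_login KEYFILE USER HOST
#   BatchMode=yes turns off every prompt, so a rejected key or an unconfirmed
#   host key fails at once instead of waiting at "Password:".
probe_login() {
    ssh -i "$1" -o BatchMode=yes -o ConnectTimeout=5 "$2@$3" true
}
```

Run both as the daemon user, for example `sudo -u icinga bash -c '. ./preflight.sh; audit_key /var/lib/icinga/.ssh/id_rsa icinga'` (the script file name is a placeholder).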
I don’t know what I did wrong.
1.) first step create icinga user on server
root@icinga:/etc/icinga2/conf.d# groupadd -r icinga
root@icinga:/etc/icinga2/conf.d# useradd -r -m -d /var/lib/icinga -g icinga -s /bin/bash icinga
root@icinga:/etc/icinga2/conf.d# passwd icinga
root@icinga:/etc/icinga2/conf.d# su - icinga
2.) Create RSA key pairs
icinga@icinga:~$ ssh-keygen
2.) copy public rsa key to Host
icinga@icinga:~$ ssh-copy-id
3.) For test ssh to Remote host/
icinga@icinga:~$ ssh
icinga@:~>
/CTRL-D exit from host/
4.) for test run check command as icinga on server
root@icinga:/etc/icinga2/conf.d# sudo -u icinga '/usr/lib/nagios/plugins/check_by_ssh' '-C' '/usr/lib/nagios/plugins/check_users -v -w 3 -c 5' '-H' '' '-l' 'icinga'
USERS OK - 1 users currently logged in |users=1;3;5;0
/I've received the correct check output/
I have no idea what I should do.
If I run check command as nagios user it goes well.
[2020-01-27 10:13:27 +0100] notice/Process: PID 3991 ('/usr/lib/nagios/plugins/check_by_ssh' '-C' '/usr/lib/nagios/plugins/check_users -v -w 3 -c 5' '-H' '<Host_IP>' '-l' 'nagios') terminated with exit code 0
Step 1 should be done on the host you want to monitor by check_by_ssh (though just a useradd is sufficient)
Step 2-4 should be done on the monitoring server
I have updated my post above.
Then you are still missing the -i parameter in the check execution to use the public key to login without a password.
I took steps 1-4 on the icinga server, and I created an icinga user on the host before as well. I made the connection between the two icinga users: I copied the icinga user's RSA public key to the host's icinga user, so I can ssh from the icinga server to the monitored host without a password.
useradd icinga
2) ssh-keygen -b 4096 -t rsa -C "icinga@$(hostname) user for check_by_ssh" -f $HOME/.ssh/id_rsa
I don't want to create icinga users on remote hosts.
ssh-copy-id -i $HOME/.ssh/id_rsa root@clientname
I copied the pubkey to the remote server under /root/.ssh/authorized_keys
icinga@server:/root$ ssh root@remoteserver -----> works
My question is: how can I monitor the scripts placed on remote hosts?
icinga@server:/root$ '/usr/lib/nagios/plugins/check_by_ssh' '-C' '/usr/lib/nagios/plugins/check_script.sh' '-H' 'hostname' -i /home/icinga/.ssh/id_rsa
Password: CRITICAL - Plugin timed out after 10 seconds
I think it asks me for the root password here, which differs from host to host. What's the best way to work?
Why?
Using the root user with a passwordless login is very insecure!
I’m not even sure if it is allowed without further configuration, hence the password query.
I’d say a dedicated monitoring user on the remote host.
I tried a dedicated monitoring user. I tried creating an icinga user on the remote host and copying the keys, but for some reason it always asks me for a password even though the pubkey is added.
I tried the same way a couple of times; it did not work.
icinga@server:~$ ssh-copy-id -i $HOME/.ssh/id_rsa icinga@client
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/icinga/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Unauthorized access to this machine is prohibited
Press if you are not an authorized user
Password:
Password:
Though I copied the pubkey manually to the icinga user's authorized keys file and tested, it always asks me for a password.