check_by_ssh as nagios user, failing


#1

Summary: running check_by_ssh command, but it is still failing.

OS: FreeBSD 7.0-STABLE

grep nag /etc/passwd
nagios:*:181:181:Nagios pseudo-user:/var/spool/nagios:/usr/sbin/nologin

Command being run as root:

su -m nagios -c “/usr/local/libexec/nagios/check_by_ssh -t 60 -l nagios -H box.domain.tld -C /usr/nagios/bin/check-ati.sh -i /var/spool/nagios/boxlive.ssh-key”

man su:

-m Leave the environment unmodified. The invoked shell is your
login shell, and no directory changes are made. As a security
precaution, if the target user’s shell is a non-standard shell
(as defined by getusershell(3)) and the caller’s real uid is non-
zero, su will fail.

define command {
command_name check_by_ssh
command_line $USER1$/check_by_ssh -H $HOSTADDRESS$ -t $ARG1$ -l $ARG2$ -C $ARG3$ -i $ARG4$
}

define service{
use generic-service
name ATI check
service_description ATI feed
check_command check_by_ssh!60!nagios!/usr/nagios/bin/check-ati.sh!/var/spool/nagios/boxlive.ssh-key
host_name boxlive
normal_check_interval 5 ; Check the service every 5 minutes under normal conditions
retry_check_interval 1 ; Re-check the service every minute until its final/hard state is determine
notification_options c,r
}

/var/spool/nagios is owned by nagios user, see:

[root@nagios /var/spool/nagios]# ls -la .ssh
total 6
drwx------ 2 nagios nagios 512 Jul 14 13:32 .
drwxrwxr-x 6 nagios nagios 512 Jul 14 14:01 …
-rw-r–r-- 1 nagios nagios 617 Jul 14 13:32 known_hosts

When running this command, as above, it works perfectly, yet when running from nagios, as a service check, I get:

Remote command execution failed: Host key verification failed.

So, on the remote host:

[boxlive@/usr/nagios/.ssh]# pwd
/usr/nagios/.ssh
[boxlive@/usr/nagios/.ssh]# ls -la
total 10
drwx------ 2 nagios other 512 May 28 11:21 .
drwxr-xr-x 4 nagios other 512 May 28 13:30 …
-rw-r–r-- 1 nagios other 1194 Jul 11 09:35 authorized_keys
-rw------- 1 nagios other 887 May 28 11:10 id_rsa

How can I get this to work ?

Thank you


#2

Solved :slight_smile:

ssh into the box using the box’s IP address and not the hostname. After that it works as expected.