[Nagiosplug-help] check_by_ssh with cluster
Andreas Ericsson
ae at op5.se
Tue Nov 9 12:28:56 CET 2004
Horváth Tamás wrote:
> Hi List Members!
>
> My cluster consists of two Solaris 9 hosts: clnode1 and clnode2. This
> cluster provides a logical Oracle database host: efrirdb. I use check_by_ssh
> against efrirdb to run the check_oracle plugin. I use the identity (-i)
> option to login via public RSA keys.
>
> Until now it worked very well. However yesterday the Oracle database
> stopped on clnode1 host and started to run on clnode2. This is normal
> operation of a cluster, but after that the check_by_ssh plugin gives me the
> following output:
>
> "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that the RSA host key has just been changed.
> The fingerprint for the RSA key sent by the remote host is
> 08:4e:05:5c:db:22:95:94:47:f2:d3:9d:3f:bf:80:8d.
> Please contact your system administrator.
> Add correct host key in /root/.ssh/known_hosts to get rid of this message.
> Offending key in /root/.ssh/known_hosts:10
> Password authentication is disabled to avoid man-in-the-middle attacks."
>
> I turned off the relevant variables in the ssh_config file. After that I can
> log in via ssh client to efrirdb, but the same output appeared again.
>
> HOW CAN I RESOLVE THIS ISSUE WITH check_by_ssh?
>
By typing with small letters and making sure both hosts have an identical
host key. You could also add both hosts' keys to the known_hosts file of
the nagios user with the same IP, but as for checking a cluster with
per-node cryptographic authentication, you really should be checking the
nodes' actual IP addresses instead.

> As I think, if I put the key of clnode2 into /root/.ssh/known_hosts, I
> would get back the same output when the database started to run on clnode1
> again.
>
Not unless you specify them both, but under
/home/nagios/.ssh/known_hosts, and as the same IP (some SSH clients warn
about this, but I think there's an option somewhere to turn it off).

> Another problem: states of database services changed to warning with a
> PLUGIN OUTPUT: "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
>
> HOW CAN I IGNORE IT?
>
Don't look at it? It returns warning because connectivity is sane, but
authentication is not, so this is proper behaviour. The output gets
kludged because of what the ssh-client on your system outputs, and that
can't be helped without re-implementing the ssh protocol in the plugin
(not an option).
--
Andreas Ericsson andreas.ericsson at op5.se
OP5 AB www.op5.se
Lead Developer
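
Why listing both node keys under the logical name works, as an added example that is not part of the original thread or of check_by_ssh: a simplified model of the SSH client's known_hosts lookup, run against constructed toy key blobs standing in for clnode1 and clnode2. It assumes plain or hashed host names and ssh-rsa entries only; wildcards and @ marker lines are left out.

```python
import base64, hashlib, hmac, struct

def make_blob(e: int, n: int) -> bytes:
    """Build an ssh-rsa public key blob (constructed toy numbers, not a real key)."""
    def mpint(x):  # SSH mpint; the extra leading byte keeps the value positive
        raw = x.to_bytes(x.bit_length() // 8 + 1, "big")
        return struct.pack(">I", len(raw)) + raw
    name = b"ssh-rsa"
    return struct.pack(">I", len(name)) + name + mpint(e) + mpint(n)

def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the format printed in the warning above."""
    d = hashlib.md5(blob).hexdigest()
    return ":".join(d[i:i + 2] for i in range(0, 32, 2))

def host_matches(pattern: str, host: str) -> bool:
    """Match a comma-separated host list or a hashed (|1|salt|hash) entry."""
    if pattern.startswith("|1|"):
        _, _, salt, digest = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(digest))
    return host in pattern.split(",")

def verify(known_hosts: str, host: str, presented: bytes) -> str:
    """Return 'ok', 'changed' (host listed, no key matches) or 'unknown'."""
    seen = False
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or line.startswith(("#", "@")):
            continue  # comments and @marker lines are outside this model
        if host_matches(fields[0], host) and fields[1] == "ssh-rsa":
            seen = True
            if base64.b64decode(fields[2]) == presented:
                return "ok"  # any one matching entry is enough
    return "changed" if seen else "unknown"

def entry(host: str, blob: bytes) -> str:
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}\n"

# Constructed sample keys for the two cluster nodes named in the thread.
NODE1, NODE2 = make_blob(65537, 0xC0FFEE11), make_blob(65537, 0xC0FFEE22)
ONLY_NODE1 = entry("efrirdb", NODE1)                             # before failover
BOTH_NODES = entry("efrirdb", NODE1) + entry("efrirdb", NODE2)   # both keys listed

if __name__ == "__main__":
    for label, kh in (("one key", ONLY_NODE1), ("both keys", BOTH_NODES)):
        print(label, verify(kh, "efrirdb", NODE2), md5_fingerprint(NODE2))
```

With only one node's key listed, a failover to the other node is indistinguishable from a replaced host key, which is why the plugin keeps reporting the warning until both keys are present.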