Check Ssh Agent

Posted : admin On 1/3/2022

Enable the SSH server in Windows

You need to add the optional feature ‘OpenSSH Server’ in Windows 10 first by going to Settings -> search for Add an optional feature -> search again for OpenSSH Client and choose to install.

When enabled, a private key that is used during authentication will be added to ssh-agent if it is running (with confirmation enabled if set to '.

Configure SSH service to automatically start

  1. if [ -z "$SSH_AUTH_SOCK" ]; then eval `ssh-agent -s`; ssh-add; fi. Now the passphrase must be entered upon every login. While slightly better from a usability perspective, this has the drawback that ssh-agent prompts for the passphrase regardless of whether the key is used during the login session.
  2. The ssh-agent and ssh-add usage examples for managing password-protected RSA keys during SSH authentication.
  3. After you have entered your password, the key is loaded in the key manager ssh-agent. You can test this by logging into the server on which you put your public key. If the key is correctly loaded in the SSH agent it won't ask you for your passphrase and will log you in ('ssh -v host.with.pubkey'). You can also have a look at your currently loaded keys by using 'ssh-add -l'. After you have logged in, log out by typing 'logout'.
  4. Using the ss command. ss is used to dump socket statistics. It allows showing information similar to.
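The startup snippet and the 'ssh-add -l' check from the list above, worked through as an added POSIX shell script (this is not code from the original post; ssh-agent, ssh-add and ssh-keygen are the OpenSSH tools, the exit codes follow ssh-add(1), and the default key path and the script name check_agent.sh are assumptions):

```shell
#!/bin/sh
# Added example: start an agent only when none is reachable, then report
# what it holds. Uses OpenSSH's ssh-agent, ssh-add and ssh-keygen.

# Interpret the exit status of `ssh-add -l` (see ssh-add(1)):
#   0 -> identities listed, 1 -> agent reachable but holds no identities,
#   2 -> no connection to an agent (SSH_AUTH_SOCK unset or stale).
interpret_ssh_add_status() {
    case "$1" in
        0) echo "keys-loaded" ;;
        1) echo "agent-empty" ;;
        2) echo "no-agent" ;;
        *) echo "unexpected-status-$1" ;;
    esac
}

# Start an agent for this shell if no socket is set, mirroring the
# `if [ -z "$SSH_AUTH_SOCK" ]; then eval ssh-agent -s ...` snippet above.
ensure_agent() {
    if [ -z "$SSH_AUTH_SOCK" ]; then
        eval "$(ssh-agent -s)" >/dev/null
    fi
}

# Return 0 if the key whose public half is $1 is loaded in the agent.
# Compares SHA256 fingerprints, so the check does not depend on the comment field.
key_is_loaded() {
    pub="$1"
    fp=$(ssh-keygen -lf "$pub" | awk '{print $2}') || return 2
    ssh-add -l 2>/dev/null | awk '{print $2}' | grep -qxF "$fp"
}

main() {
    ensure_agent
    ssh-add -l >/dev/null 2>&1
    rc=$?
    status=$(interpret_ssh_add_status "$rc")
    echo "agent status: $status"
    key="${1:-$HOME/.ssh/id_rsa.pub}"   # assumption: default public key path
    if [ "$status" = "keys-loaded" ] && key_is_loaded "$key"; then
        echo "$key is loaded; hosts that list it in authorized_keys will not prompt for the passphrase"
    else
        echo "$key is not loaded; run: ssh-add ${key%.pub}"
    fi
}

# Only run main when invoked as check_agent.sh, so the functions can be sourced.
case "${0##*/}" in check_agent.sh) main "$@" ;; esac
```

Save it as check_agent.sh and run it with the path of a .pub file as the optional argument; a "no-agent" status means SSH_AUTH_SOCK points nowhere, "agent-empty" means the agent runs but ssh-add was never called, and only "keys-loaded" with a matching fingerprint guarantees the passphrase-free login described in step 3.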

By default Windows won’t start the ssh-agent. You can tell Windows to start the service automatically in the future by running the following command in PowerShell (as Administrator).

But right now, manually start the service by running

Generate the key

Open PowerShell and follow these commands to generate SSH key on your machine.

Keep the default location for where to save the key. This should be C:\Users\<username>\.ssh\id_rsa.

Generate a complex password and store it in a safe place, ideally a password manager. Enter this password when prompted. When complete you’ll be shown the key fingerprint and the key's randomart image.

Add key to the SSH Agent

We need to add the key to our ssh-agent so we don’t have to type the key each time we use it.

The agent will recognise that a new key is present and will ask for the passphrase.

Once entered you’ll see the confirmation message Identity added.

I still needed to manually add the key to the ssh-agent. To do so, navigate to the .ssh folder where we stored our keys earlier, C:\Users\<username>\.ssh\, and run the following with the correct key name.

This will prompt you to enter the passphrase in and once again you should see the Identity added confirmation.

Access your public key

Now we have our key we can add it to systems such as GitHub or Bitbucket. To do so follow the instructions for that particular service. We’ll need to retrieve the public key from our machine to do so.

Navigate to the .ssh folder and find the file <private-key>.pub. Open this in a text editor. The contents of this file are what you need to copy and paste into the relevant service you want to add the key to.

Testing the keys

In this example let’s assume we’ve added our key to Bitbucket. We can test that the key is correctly set up by running the following command.

If all is well then we should see the "logged in as" message without needing to enter the passphrase.

Using with Git

By now we have our key correctly stored in the SSH agent and we’re allowed to connect to the Bitbucket servers using SSH. However we might still be prompted to enter our passphrase whenever we try to perform a git command that talks to the remote.

The ssh -T command uses the Windows 10 agent, so all appears to be correct, but it won’t behave the same in Git. This is because Git is using its own SSH agent, not the Windows 10 agent that we’ve added our keys to.

We need to tell Git to use the Windows SSH agent instead of its own. We do this by updating the git config.

Now when we use Git, we won’t be prompted for our passphrase, even after a restart.

References

If the remote services are not directly accessible through the network, a local agent installation exposing the results to check queries can become handy.

Prior to installing and configuring an agent service, evaluate possible options based on these requirements:

  • Security (authentication, TLS certificates, secure connection handling, etc.)
  • Connection direction
    • Master/satellite can execute commands directly or
    • Agent sends back passive/external check results
  • Availability on specific OS types and versions
    • Packages available
  • Configuration and initial setup
  • Updates and maintenance, compatibility

Available agent types:

  • Icinga Agent on Linux/Unix and Windows
  • SSH on Linux/Unix
  • SNMP on Linux/Unix and hardware
  • SNMP Traps as passive check results
  • REST API for passive external check results
  • NSClient++ and WMI on Windows

Icinga Agent

For the most common setups on Linux/Unix and Windows, we recommend setting up the Icinga agent in a distributed environment.

Key benefits:

  • Directly integrated into the distributed monitoring stack of Icinga
  • Works on Linux/Unix and Windows
  • Secure communication with TLS
  • Connection can be established from both sides. Once connected, command execution and check results are exchanged.
    • Master/satellite connects to agent
    • Agent connects to parent satellite/master
  • Same configuration language and binaries
  • Troubleshooting docs and community best practices

Follow the setup and configuration instructions here.

On Windows hosts, the Icinga agent can query a local NSClient++ service for additional checks in case there are no plugins available. The NSCP installer is bundled with Icinga and can be installed with the setup wizard.

SSH

Tip

This is the recommended way for systems where the Icinga agent is not available, be it specific hardware architectures, old systems, or systems where installing additional software is forbidden.

This method uses the SSH service on the remote host to execute an arbitrary plugin command line. The output and exit code are returned and used by the core.

The check_by_ssh plugin takes care of this. It is available in the Monitoring Plugins package. For your convenience, the Icinga template library provides the by_ssh CheckCommand already.

SSH: Preparations

Generate an SSH key pair for the Icinga daemon user. In case the user has no shell, temporarily enable one. When asked for a passphrase, do not set one and press enter.

On the remote agent, create the icinga user and generate a temporary password.

Copy the public key from the Icinga server to the remote agent, e.g. with ssh-copy-id or manually into /home/icinga/.ssh/authorized_keys. This will ask for the password once.

After the SSH key is copied, test the connection at least once and accept the host key verification. If you forget this step, checks will become UNKNOWN later.

After the SSH key login works, disable the previously enabled logins.

  • Remote agent user’s password with passwd -l icinga
  • Local icinga user terminal

Also, ensure that the permissions are correct for the .ssh directory, as otherwise logins will fail.

  • .ssh directory: 700
  • .ssh/id_rsa.pub public key file: 644
  • .ssh/id_rsa private key file: 600
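The preparation steps above (passphrase-less key, copying the public key, the first host-key acceptance, the mode bits), worked through as an added POSIX shell script. This is not code from the Icinga documentation; ICINGA_HOME, REMOTE_USER, REMOTE_HOST and the script name prepare_by_ssh.sh are assumptions, and the mode checks are exactly the 700/600/644 values listed above:

```shell
#!/bin/sh
# Added example (not from the Icinga docs): prepare and verify a
# passphrase-less SSH key for check_by_ssh. Assumed values:
ICINGA_HOME="${ICINGA_HOME:-/var/lib/icinga2}"          # Icinga daemon user's home on the master
REMOTE_USER="${REMOTE_USER:-icinga}"                     # user created on the remote agent
REMOTE_HOST="${REMOTE_HOST:-agent.example.test}"         # placeholder host name

# Generate the key pair without a passphrase (the daemon cannot type one).
generate_key() {
    keyfile="$1"
    [ -f "$keyfile" ] && return 0
    ssh-keygen -t rsa -b 4096 -N "" -f "$keyfile" -C "icinga check_by_ssh" >/dev/null
}

# Octal mode of a path: GNU stat first, BSD/macOS stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Verify the mode bits from the list above: .ssh 700, private key 600,
# public key 644. Prints every mismatch and returns 1 if there is any.
check_ssh_perms() {
    dir="$1"; keyname="${2:-id_rsa}"; bad=0
    for entry in "$dir:700" "$dir/$keyname:600" "$dir/$keyname.pub:644"; do
        path="${entry%:*}"; want="${entry#*:}"
        [ -e "$path" ] || { echo "missing: $path"; bad=1; continue; }
        have=$(mode_of "$path")
        if [ "$have" != "$want" ]; then
            echo "wrong mode on $path: have $have, want $want"
            bad=1
        fi
    done
    return $bad
}

# Non-interactive login test. BatchMode=yes makes a password or passphrase
# prompt fail instead of hang, which is what the daemon would experience;
# accept-new records the host key on first contact so later checks are not UNKNOWN.
test_login() {
    ssh -o BatchMode=yes -o StrictHostKeyChecking=accept-new \
        -i "$1" "$REMOTE_USER@$REMOTE_HOST" true
}

main() {
    key="$ICINGA_HOME/.ssh/id_rsa"
    mkdir -p "$ICINGA_HOME/.ssh" && chmod 700 "$ICINGA_HOME/.ssh"
    generate_key "$key"
    echo "copy the public key once, e.g.: ssh-copy-id -i $key.pub $REMOTE_USER@$REMOTE_HOST"
    check_ssh_perms "$ICINGA_HOME/.ssh" id_rsa || exit 1
    if test_login "$key"; then
        echo "key login works; now lock the remote password: passwd -l $REMOTE_USER"
    else
        echo "key login failed; fix authorized_keys or the host key before adding checks"
        exit 1
    fi
}

# Only run main when invoked as prepare_by_ssh.sh, so the functions can be sourced.
case "${0##*/}" in prepare_by_ssh.sh) main "$@" ;; esac
```

Run it as the Icinga daemon user on the master after the remote icinga user exists; the permission audit is the part worth keeping in a cron job or a local check, since a later chmod on the directory silently turns every by_ssh service UNKNOWN.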

SSH: Configuration

First, create a host object which has SSH configured and enabled. Mark this e.g. with the custom variable agent_type to later use this for service apply rule matches. Best practice is to store that in a specific template, either in the static configuration or inside the Director.

Example for monitoring the remote users:

A more advanced example with better arguments is shown in this blog post.

SNMP

The SNMP daemon runs on the remote system and answers SNMP queries by plugin scripts. The Monitoring Plugins package provides the check_snmp plugin binary, but there are plenty of existing plugins for specific use cases already around, for example monitoring Cisco routers.

The following example uses the SNMP ITL CheckCommand and sets the snmp_oid custom variable. A service is created for all hosts which have the snmp-community custom variable.

If no snmp_miblist is specified, the plugin will default to ALL. As the number of available MIB files on the system increases, so will the load generated by this plugin if no MIB is specified. As such, it is recommended to always specify at least one MIB.

Additional SNMP plugins are available using the Manubulon SNMP Plugins.

For network monitoring, community members advise to use nwc_health, for example.

SNMP Traps and Passive Check Results

SNMP Traps can be received and filtered by using SNMPTT and specific trap handlers passing the check results to Icinga 2.

Following the SNMPTT Format documentation and the Icinga external command syntax found here, we can create generic services that can accommodate any number of hosts for a given scenario.

Simple SNMP Traps

A simple example might be monitoring host reboots indicated by an SNMP agent reset. Building the event to auto reset after dispatching a notification is important. Set up the manual check parameters to reset the event from an initial unhandled state or from a missed reset event.

Add a directive in snmptt.conf

  1. Define the EVENT as per your need.
  2. Construct the EXEC statement with the service name matching your template applied to your n hosts. The host address inferred by SNMPTT will be the correlating factor. You can have snmptt provide host names or IP addresses to match your Icinga convention.

Note

Replace the deprecated command pipe EXEC statement with a curl call to the REST API action process-check-result.

Add an EventCommand configuration object for the passive service auto reset event.

Create the coldstart_reset_event.sh shell script to pass the expanded variable data in. The $service.state_id$ is important in order to prevent an endless loop of event firing after the service has been reset.

Note

Replace the deprecated command pipe EXEC statement with a curl call to the REST API action process-check-result.

Finally create the Service and assign it:

Complex SNMP Traps

A more complex example might be passing dynamic data from a trap's varbind list for a backup scenario where the backup software dispatches status updates. By utilizing active and passive checks, the older freshness concept can be leveraged.

By defining the active check as a hard failed state, a missed backup can be reported. As long as the most recent passive update has occurred, the active check is bypassed.

Add a directive in snmptt.conf

  1. Define the EVENT as per your need using your actual oid.
  2. The service name, state and text are extracted from the first three varbinds. This has the advantage of accommodating an unlimited set of use cases.

Note

Replace the deprecated command pipe EXEC statement with a curl call to the REST API action process-check-result.

Create a Service for the specific use case associated to the host. If the host matches and the first varbind value is Backup, SNMPTT will submit the corresponding passive update with the state and text from the second and third varbind:

Agents sending Check Results via REST API

Whenever the remote agent cannot run the Icinga agent, or a backup script should just send its current state after finishing, you can use the REST API as secure transport and send passive external check results.

Use the process-check-result API action to send the external passive check result. You can either use curl or implement the HTTP requests in your preferred programming language. Examples for API clients are available in this chapter.

Feeding check results from remote hosts requires the host/service objects configured on the master/satellite instance.

NSClient++ on Windows

NSClient++ works on both Windows and Linux platforms and is well known for its magnificent Windows support. There are alternatives like the WMI interface, but using NSClient++ will allow you to run local scripts similar to check plugins fetching the required output and performance counters.

Tip

Best practice is to use the Icinga agent as secure execution bridge (check_nt and check_nrpe are considered insecure) and query the NSClient++ service locally.

You can use the check_nt plugin from the Monitoring Plugins project to query NSClient++. Icinga 2 provides the nscp check command for this:

Example:

For details on the NSClient++ configuration please refer to the official documentation.

WMI on Windows

The most popular plugin is check_wmi_plus.

Check WMI Plus uses the Windows Management Interface (WMI) to check for common services (cpu, disk, services, eventlog…) on Windows machines. It requires the open source wmi client for Linux.

Community examples: