Zabbix Documentation 2.0

  2.2  2.4  3.0  3.2  3.4

User Tools

Site Tools



9 SSH checks

9.1 Overview

SSH checks are performed as agent-less monitoring. Zabbix agent is not needed for SSH checks.

To perform SSH checks Zabbix server must be initially configured with SSH2 support.

The minimum supported libssh2 library version is 1.0.0.

9.2 Configuration

9.2.1 Server configuration

By default, Zabbix server is not configured to perform SSH checks, thus any added SSH items won't work. To change this, open the Zabbix server configuration file (zabbix_server.conf) as root and look for the following line:

# SSHKeyLocation=

Uncomment it and set full path to a folder where public and private keys will be located:


Save the file and restart zabbix_server afterwards.

/home/zabbix here is the home directory for the zabbix user account and .ssh is a directory where by default public and private keys will be generated by a ssh-keygen command inside the home directory.

Usually installation packages of zabbix-server from different OS distributions create the zabbix user account with a home directory in not very well-known places (as for system accounts). For example, for CentOS it's /var/lib/zabbix, for Debian it's /var/run/zabbix.

Before starting to generate the keys, an approach to reallocate the home directory to a better known place (intuitively expected) could be considered. This will correspond with the SSHKeyLocation Zabbix server configuration parameter mentioned above.

These steps can be skipped if zabbix account has been added manually according to the installation section because in this case most likely the home directory is already located at /home/zabbix.

To change the setting for the zabbix user account all working processes which are using it have to be stopped:

# service zabbix-agent stop
# service zabbix-server stop

To change the home directory location with an attempt to move it (if it exists) a command should be executed:

# usermod -m -d /home/zabbix zabbix

It's absolutely possible that a home directory did not exist in the old place (in the CentOS for example), so it should be created at the new place. A safe attempt to do that is:

# test -d /home/zabbix || mkdir /home/zabbix

To be sure that all is secure, additional commands could be executed to set permissions to the home directory:

# chown zabbix:zabbix /home/zabbix
# chmod 700 /home/zabbix

Previously stopped processes now can be started again:

# service zabbix-agent start
# service zabbix-server start

Now steps to generate public and private keys can be performed by a command:

# sudo -u zabbix ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/zabbix/.ssh/id_rsa): 
Created directory '/home/zabbix/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/zabbix/.ssh/id_rsa.
Your public key has been saved in /home/zabbix/.ssh/
The key fingerprint is:
90:af:e4:c7:e3:f0:2e:5a:8d:ab:48:a2:0c:92:30:b9 zabbix@it0
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|       .         |
|      o          |
| .     o         |
|+     . S        |
|.+   o =         |
|E .   * =        |
|=o . ..* .       |
|... oo.o+        |

Note: public and private keys ( and id_rsa respectively) have been generated by default in the /home/zabbix/.ssh directory which corresponds to the Zabbix server SSHKeyLocation configuration parameter.

Key types other than “rsa” may be supported by the ssh-keygen tool and SSH servers but they may not be supported by libssh2, used by Zabbix.

9.2.2 Shell configuration form

This step should be performed only once for every host that will be monitored by SSH checks.

By using the following command the public key file can be installed on a remote host so that then SSH checks can be performed with a root account:

# sudo -u zabbix ssh-copy-id root@
The authenticity of host ' (' can't be established.
RSA key fingerprint is 38:ba:f2:a4:b5:d9:8f:52:00:09:f7:1f:75:cc:0b:46.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (RSA) to the list of known hosts.
root@'s password: 
Now try logging into the machine, with "ssh 'root@'", and check in:
to make sure we haven't added extra keys that you weren't expecting.

Now it's possible to check the SSH login using the default private key (/home/zabbix/.ssh/id_rsa) for zabbix user account:

# sudo -u zabbix ssh root@

If the login is successful, then the configuration part in the shell is finished and remote SSH session can be closed.

9.2.3 Item configuration

Actual command(s) to be executed must be placed in the Executed script field in the item configuration.
Multiple commands can be executed one after another by placing them on a new line. In this case returned values also will be formatted as multi lined.

Item parameter Description Comments
Key Unique (per host) item key in format[<unique short description>,<ip>,<port>,<encoding>] <unique short description> is required and should be unique for all SSH items per host
Default port is 22, not the port specified in the interface to which this item is assigned
Authentication method One of the “Password” or “Public key”
User name User name to authenticate on remote host.
Public key file File name of public key if Authentication method is “Public key”. Required Example: - default public key file name generated by a command ssh-keygen
Private key file File name of private key if Authentication method is “Public key”. Required Example: id_rsa - default private key file name
Password or
Key passphrase
Password to authenticate or
Passphrase if it was used for the private key
Leave the Key passphrase field empty if passphrase was not used
See also known issues regarding passphrase usage
Executed script Executed shell command(s) using SSH remote session Examples:
date +%s
service mysql-server status
ps auxww | grep httpd | wc -l

The resulting item configuration should look like this:

libssh2 library may truncate executable scripts to ~32kB.