I have everything configured by the book for an SSH agent ITEM, but I get an "unsupported" error that says the ITEM cannot find /home/zabbix/.ssh/id_rsa.pub. When I run the ssh check I'm building from the zabbix server to the client from the CLI, it works. But the GUI will not let me build it.
-
-
Check the permissions of the key file and folders. SSH is picky and you have to test as the zabbix user. -
Thanks for the response...
Well where is it trying to find the public key? Is the server looking at the client's public key? If so, the manual says to set it up to use root connecting from the zabbix user on the server. So the key gets loaded in authorized_keys for root on the client. The default location is /home/zabbix/.ssh/id_rsa.pub (which it cannot find). The only place where that is located is on the server. That being said, to try to fix the issue, I changed the zabbix client's home from /var/lib/zabbix, to /home/zabbix, but then the ITEM error's out with "cannot find /home/zabbix/.ssh/id_rsa.pub//home/zabbix/.ssh/id_rsa.pub". Crazy.Comment
-
Can you change your item auth method to password to get it working? Then debug the ssh key vs. password separately.Comment
-
My testing:
- created /home/zabbix
- sudo su - zabbix
- ssh-keygen, no passphrase
- copy id_rsa.pub from .ssh folder, append to .ssh/authorized_keys of target system user
- ssh user@target ps -ef | grep http | wc -l (first time askes to validate connection)
- ssh user@target ps -ef | grep http | wc -l returns 10
- Set config sshkeylocation per the 2.4 doc
- Created item per 2.4 doc, user and excuted script as above
Latest data shows item value, it shows 12 instead of 10, I suspect that ps is showing the "http" from the item test itself.Comment
-
Thanks again!
Looks like I can get things to enable using the hard coded root password for the client (so zabbix server user "zabbix" to root, per the book).
I've done exactly what you did for the password key, but permissions are blocking the ITEM config from seeing the pub key file. I may need to do it again to see if there was some corruption. I'll let you know.Comment
-
The testing while sudo su - zabbix, as the zabbix account, is key.
ssh directly to root is often blocked (as it should be!)Comment
-
I reset everything. This time I used your instructions. Still failed using the key. The password loaded into the item works, but not desired.Comment
-
Does testing with these steps work using the key (no password prompt)?- sudo su - zabbix
- ssh userid@host <your item script>
If not, add -vv to the ssh. This step verifies that the .ssh folder and key files have the permission ssh requires, not just read for the owner. The problem could be on the other end as well, user authorized_keys maybe.
What does the item error say when it fails? What is your key path setting in the config file? Did you restart zabbix after updating the config file?
Since it works with the password, you are close.Comment
-
Thanks for your responses...
I was finally able to get the script to do what I wanted via UserParameter and changing some sudoers commands for the zabbix user.
I still want to get SSH to work. I'll use vv to help troubleshoot. Forgot about that tool. However, I really don't think it's SSH per se. I can get commands to work via the CLI from the server to the client (like zabbix_get with the script). No problems. The issue is that, inside the Zabbix GUI, when creating an ITEM, I get "unsupported" and the info says that it has no access to /home/zabbix/.ssh/id_rsa.pub. Obviously, it does or the ssh command from the CLI wouldn't work at all. I think it's a bug, but can't completely be sure. I've tried everything I can think of (short of the vv) including copying over the public key to match everything with the server, changing the zabbix home directories to match. I'll continue to research it and get back to you.Comment
-
I've built out a new test script to run against a test client. Per your steps:
"Does testing with these steps work using the key (no password prompt)?
sudo su - zabbix
ssh userid@host <your item script>"
It all works.
However, the GUI ITEM says that it's unsupported because it "Cannot find the public key file". The path is bizarre. It's trying to find it at /home/zabbix/.ssh/id_rsa.pub/id_rsa.pub. Here's how I have my ITEM configured:
Name cpu mon
Type SSH agent
Key ssh.run[cpumon]
Host interface <IP of client>:10050
Authentication method Public key
User name zabbix
Public key file id_rsa.pub
Private key file id_rsa
Key passphrase
Executed script /home/zabbix/cpu_mon.sh
Type of information Text
Update interval (in sec) 30
Flexible intervals No flexible intervals defined.
New flexible interval
Interval (in sec) 50 Period 1-7,00:00-24:00
History storage period (in days) 7
Applications CPU
EnabledComment
Comment