Native SSH HOWTO
Native ssh support is available with Munin 2.0 or later (in beta as of 2011-07-04). This page describes how to use that.
There are two ways to use this.
SSH with a 2.0 master
This section is for when you have a 2.0 master and root on the munin-nodes. You can use it with any version of munin-node.
If you don't have root on the nodes you can manage without that too - see further down.
- You need netcat (nc) installed on the nodes. *BSD and Linux machines either have it installed already or have it easily available in the package system.
- On the nodes you want to use SSH with, you first install a munin-node in the normal way (package or from source code).
- If the node is not configured with the right plugins, run "munin-node-configure --shell | sh -x"
- Ensure that munin-node is running
- Generate an SSH key for the munin user on the munin-master the normal way (e.g. using ssh-keygen).
- Install the public SSH key in the authorized_keys file in the munin account on all the SSH-based Munin nodes
- Use SSH from the munin account on the munin-master to log in to the munin account on all the SSH-based nodes so that you know all the keys are in order. Use the same hostname as you will use in Munin so that the host names match.
- You have to set the shell for the munin user on the munin-nodes to something other than "nologin", using e.g. the "chsh" command to do that (e.g. chsh -s /bin/sh munin).
- To connect the SSH session to the Munin node, we use the netcat program. On the systems I have here this command is in /usr/bin/nc; on Debian systems it's /bin/nc.
- So on the master I enter the following in munin.conf and hey presto, it all works!
  [floppa.example.com]
      address ssh://floppa.example.com/usr/bin/nc localhost 4949
If your netcat supports the -q option, you should probably add -q 0 to the command line so that nc exits as soon as its stdin is closed instead of lingering (this needs verification, anyone?).
Then wait the accustomed 5-10 minutes and check the results in the munin web interface.
If nothing shows up, try to SSH to the host and execute the command as the munin user, copying it from the address line above. You should be greeted by the munin-node banner.
  $ su -s /bin/bash - munin
  $ ssh floppa.example.com /usr/bin/nc localhost 4949
SSH with pre-2.0 Munin nodes - not root on the node
Alternative way to set up SSH
Some general remarks:
- With a recent OpenSSH, you do not need nc on the nodes; you can use the -W option instead (see the example below).
- There is no need to use the 'munin' user account on the nodes. Any account can be used. This is useful if you already have an account on the nodes but are not root.
- Some configuration on the node can be used to restrict what can be done when authenticating with the key of the munin master node. This limits the damage if the private key is ever leaked.
Example of a setup using all of this:
On the master munin node
- switch to the munin user (the account used to run munin): # su -s /bin/bash munin
- create a private/public key (without passphrase): $ ssh-keygen
- set up the ssh configuration (see "man ssh_config" for more info on these options):
  $ cat > ~munin/.ssh/config <<EOF
  Host *
      BatchMode=yes
      ConnectTimeout=10
      EscapeChar=none
      ExitOnForwardFailure=yes
      ForwardAgent=no
      ForwardX11=no
      IdentitiesOnly=yes
      PasswordAuthentication=no
      RequestTTY=no
      StrictHostKeyChecking=no
      User debian-memo-munin-node
  EOF
Note that StrictHostKeyChecking=no accepts unknown host keys automatically. If you would rather verify them, log in to each node manually once (as in the previous section) so that every host key is in known_hosts, and set it to yes.
On each node,
- create the user account you want to use (debian-memo-munin-node in this example) or use an already existing account. On Debian and derivatives, you can for example use: adduser --system --home /var/lib/memo-munin-node debian-memo-munin-node
- this account does not need a valid shell (/bin/false is set with the previous command)
- set up ssh to restrict what can be done:
  cat > /var/lib/memo-munin-node/.ssh/authorized_keys <<EOF
  command="/bin/false",from="master-munin-node.example.com",no-agent-forwarding,no-pty,no-user-rc,no-X11-forwarding,permitopen="localhost:4949" ssh-rsa [PUBLIC SSH KEY]
  EOF
Of course, replace master-munin-node.example.com with the hostname of your master munin node and [PUBLIC SSH KEY] with the public key generated previously. The .ssh directory and the authorized_keys file must be owned by that account and not be writable by others, otherwise sshd ignores them (StrictModes).
To improve security, you can force munin-node to bind only to the loopback interface. In /etc/munin/munin-node.conf, you can use host [::1] or host 127.0.0.1 (both work: OpenSSH will connect to whichever one is listening, trying the IPv6 one first).
On the master node, configure the address of each munin-node like this:
  [floppa.example.com]
      address ssh://floppa.example.com -W localhost:4949
Note that no command is provided here. The -W option does the forwarding itself.
Note also that I have not found a directive to put into the SSH config file instead of the "-W" option, so the -W option must be given here.
If you cannot or do not want to use the -W option of OpenSSH, then use the nc command as explained previously (tcpconnect can also be used). But in this case:
- the account on the munin-nodes needs a valid shell
- no-port-forwarding should be used instead of permitopen="localhost:4949" in .ssh/authorized_keys
- command="/bin/false" must be removed (or, better, replaced by the nc ... command, in which case the master munin config file does not need to specify it)
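The authorized_keys restrictions above, in both the -W and the nc variant, can be checked mechanically. The following audit helper is an added example, not part of this HOWTO or of Munin; the hostnames and key blobs in the sample entries are constructed placeholders.

```shell
# Added audit helper (not from the Munin wiki): check that an authorized_keys
# entry installed for the Munin master's key carries the restrictions described
# above. The command= option decides which mode is expected:
#   -W mode : command="/bin/false" together with permitopen="localhost:4949"
#   nc mode : command="... nc ..." (or tcpconnect) together with no-port-forwarding
# The sample entries below are constructed; the key blobs are placeholders.

HARDENED_W='command="/bin/false",from="master-munin-node.example.com",no-agent-forwarding,no-pty,no-user-rc,no-X11-forwarding,permitopen="localhost:4949" ssh-rsa AAAAB3PLACEHOLDER munin@master'
HARDENED_NC='command="/usr/bin/nc -q 0 localhost 4949",from="master-munin-node.example.com",no-agent-forwarding,no-pty,no-X11-forwarding,no-port-forwarding ssh-ed25519 AAAAC3PLACEHOLDER munin@master'
UNRESTRICTED='ssh-rsa AAAAB3PLACEHOLDER munin@master'

# audit_key_line LINE: prints one "missing: ..." per absent restriction; returns 0 if fully restricted, else 1.
audit_key_line() {
    line=$1
    case "$line" in
        ssh-*|ecdsa-*) opts="" ;;               # key type comes first: no options at all
        *" ssh-"*)     opts=${line%% ssh-*} ;;  # options field is everything before the key type
        *" ecdsa-"*)   opts=${line%% ecdsa-*} ;;
        *) echo "unrecognised authorized_keys line"; return 1 ;;
    esac
    rc=0
    # restrictions that apply in both modes
    for want in from= no-pty no-agent-forwarding no-X11-forwarding; do
        case ",$opts," in
            *",$want"*) ;;
            *) echo "missing: $want"; rc=1 ;;
        esac
    done
    # the command= option must be paired with the matching port-forwarding option
    case ",$opts," in
        *',command="/bin/false",'*)
            case "$opts" in
                *'permitopen="localhost:4949"'*) ;;
                *) echo 'missing: permitopen="localhost:4949" (required with -W)'; rc=1 ;;
            esac ;;
        *',command="'*)
            case ",$opts," in
                *,no-port-forwarding,*) ;;
                *) echo 'missing: no-port-forwarding (required in nc mode)'; rc=1 ;;
            esac ;;
        *) echo 'missing: command= (the key may run any command)'; rc=1 ;;
    esac
    return $rc
}

# Audit the constructed samples when run directly: expect OK, OK, FAIL.
for sample in "$HARDENED_W" "$HARDENED_NC" "$UNRESTRICTED"; do
    if audit_key_line "$sample"; then echo "OK"; else echo "FAIL"; fi
done
```

Feed it the real entries from the node's authorized_keys file (one per call) after installing the key.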
For Debian and derivatives, you can look at the memo-munin-node source package to see how to set up the client part by just installing a package. Note that the binary package is not interesting (and can even be dangerous): it creates an account and installs a public key for which you do not have the private key...