Set Up Different Authentication Configurations

Hands-On Lab

 

Ermin Kreponic

Training Architect

Length

02:45:00

Difficulty

Advanced

In this lab, we create users for Nagios and configure them to have different levels of access. This is one of the most common tasks for an administrator in a working environment. The administrator must perform this task every time someone new comes to the team or someone needs permissions changed for their user.


Introduction

Today your supervisor has given you a task to create 3 users: Joe, Tom, and Lyra.

  • Joe needs to have view-only permissions for all hosts and services.
  • Tom is a system-wide administrator, so he will need all permission levels for all hosts and services.
  • Lyra is the point of contact for the linux-server-hub host and needs to have all the permissions for this host and all the permissions for the services related to this host.
  • Finally, your boss asked you to briefly try turning off all authentication and then enable it again. He wants to see if he had account authentication problems, or if he had a problem with Nagios.

Solution

  1. Begin by logging in to the first lab server using the credentials provided on the hands-on lab page.

    ssh cloud_user@PUBLIC_IP_ADDRESS

Create the Joe User with Proper Permissions

  1. Verify the installation of Nagios is complete by checking that "DONE" appears at the end of LogFile.log.

    vim /home/cloud_user/LogFile.log
  2. Create the "Joe" user.

    sudo htpasswd /usr/local/nagios/etc/htpasswd.users Joe
  3. Supply a password for the "Joe" user.

  4. Update the Nagios config file.

    sudo vim /usr/local/nagios/etc/cgi.cfg
  5. Search for the authorized_for_all_services line in the configuration file. Change that line in the file so it reads as follows.

    authorized_for_all_services=nagiosadmin,Joe
  6. Search for the authorized_for_all_hosts line in the configuration file. Change that line in the file so it reads as follows.

    authorized_for_all_hosts=nagiosadmin,Joe
  7. Search for the authorized_for_read_only line in the configuration file. If that line is commented out, add the following line below it. Otherwise, add "Joe" to the value of the parameter.

    authorized_for_read_only=Joe
  8. Save your changes to the file and quit the editor.

  9. Restart the services to apply changes.

    sudo systemctl restart nagios
    sudo systemctl restart httpd

Create the Tom User with Proper Permissions

  1. Create the "Tom" user.

    sudo htpasswd /usr/local/nagios/etc/htpasswd.users Tom
  2. Supply a password for the "Tom" user.

  3. Update the Nagios config file.

    sudo vim /usr/local/nagios/etc/cgi.cfg
  4. Search for the authorized_for_system_information line in the configuration file. Change that line in the file so it reads as follows.

    authorized_for_system_information=nagiosadmin,Tom
  5. Similar to the above step, add "Tom" to each of the following parameters.

    • authorized_for_configuration_information
    • authorized_for_system_commands
    • authorized_for_all_services
    • authorized_for_all_hosts
    • authorized_for_all_service_commands
    • authorized_for_all_host_commands
  6. Save your changes to the file and quit the editor.

  7. Restart the services to apply changes.

    sudo systemctl restart nagios
    sudo systemctl restart httpd

Create the Lyra User with Proper Permissions

  1. Edit the contacts configuration file.

    sudo vim /usr/local/nagios/etc/objects/contacts.cfg
  2. Add the following text to the top of the file to define the "Lyra" user.

    define contact {
    
        contact_name        Lyra
        use                 generic-contact
        alias               Nagios Administrator
    
    }
  3. Save your changes and quit the editor.

  4. Navigate to the objects directory and list all the files.

    cd /usr/local/nagios/etc/objects/
    ls
  5. Open the templates.cfg file to see the template definitions.

    vim templates.cfg
  6. Continue editing the contacts configuration file.

    sudo vim contacts.cfg
  7. Add a contact group by adding the following text to the file.

    define contactgroup {
    
        contactgroup_name       administrators
        alias                   Nagios Administrators
        members                 Lyra
    
    }
  8. Save your changes and quit the editor.

  9. Restart Nagios to apply changes.

    sudo systemctl restart nagios

Create a Host and Service

  1. Create a new file for host and service definitions.

    sudo vim linux-server-hub.cfg
  2. Add the following text to the file to define the host.

    define host {
    
        use             linux-server
        host_name       serverHub
        alias           srvHub
        address         <Public IP Address of your second lab server>
        contact_groups  administrators
    
    }
  3. Add the following text to the file to define the service.

    define service {
    
        use                     generic-service
        host_name               serverHub
        service_description     check ssh
        contact_groups          administrators
        check_command           check_ssh
    
    }
  4. Save your changes and quit the editor.

  5. Edit the nagios.cfg file.

    sudo vim /usr/local/nagios/etc/nagios.cfg
  6. Add the following text to the file.

    # Definitions for Linux Hosts
    cfg_file=/usr/local/nagios/etc/objects/linux-server-hub.cfg
  7. Save your changes and quit the editor.

  8. Create the "Lyra" user. Note that this is a missing step performed in a later video.

    sudo htpasswd /usr/local/nagios/etc/htpasswd.users Lyra
  9. Restart the services to apply changes.

    sudo systemctl restart nagios
    sudo systemctl restart httpd

Verify the Account Information

  1. Open a private browser window and navigate to http://PUBLIC_IP_FIRST_SERVER/nagios.

  2. Log in with your credentials for user "Joe".

  3. Click Services on the left-hand menu.

  4. Click SSH.

  5. Verify this account does not have permission to execute commands.

  6. Close the window and open a new private browser window. Navigate to the same address and log in with your credentials for user "Tom".

  7. Click Hosts on the left-hand menu. Verify you can see both localhost and serverHub.

  8. Click Services on the left-hand menu.

  9. Click SSH.

  10. Verify this account can access service commands.

  11. Close the window and open a new private browser window. Navigate to the same address and log in with your credentials for user "Lyra".

  12. Click Hosts on the left-hand menu. Verify you can see only the serverHub host.

  13. Click Services on the left-hand menu. Verify the only entry is the check_ssh service for serverHub.

  14. Return to the shell and connect to the second lab server using the credentials provided on the hands-on lab page.

    ssh cloud_user@PUBLIC_IP_SECOND_SERVER
  15. After confirming you can log in to the server, sign out.

    exit
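
The browser checks above can be complemented from the shell. The following is an added example, not part of the lab: it reports which authorized_for_* directives in a cgi.cfg name a given user, run here against a constructed sample that mirrors the Joe and Tom steps. The function names and the sample file are assumptions; Lyra is expected to be absent because her access comes from the contact definitions, not from cgi.cfg.

```shell
#!/bin/sh
# Added example (not from the lab): report which cgi.cfg directives name a user.

# cgi_perms USER FILE -> prints each authorized_for_* directive listing USER,
# in file order. Commented lines are skipped; "*" matches every user.
cgi_perms() {
    awk -F= -v user="$1" '
        /^[ \t]*#/ { next }
        $1 ~ /^[ \t]*authorized_for_/ {
            key = $1; gsub(/[ \t]/, "", key)
            n = split($2, names, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t\r]/, "", names[i])
                if (names[i] == user || names[i] == "*") { print key; break }
            }
        }
    ' "$2"
}

# can_run_commands USER FILE -> exit 0 if cgi.cfg alone lets USER submit commands.
can_run_commands() {
    perms=$(cgi_perms "$1" "$2")
    if echo "$perms" | grep -qx 'authorized_for_read_only'; then return 1; fi
    echo "$perms" | grep -Eq '^authorized_for_(system_commands|all_(host|service)_commands)$'
}

# Constructed sample: the cgi.cfg lines as they stand after the Joe and Tom steps.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
authorized_for_system_information=nagiosadmin,Tom
authorized_for_configuration_information=nagiosadmin,Tom
authorized_for_system_commands=nagiosadmin,Tom
authorized_for_all_services=nagiosadmin,Joe,Tom
authorized_for_all_hosts=nagiosadmin,Joe,Tom
authorized_for_all_service_commands=nagiosadmin,Tom
authorized_for_all_host_commands=nagiosadmin,Tom
#authorized_for_read_only=user1,user2
authorized_for_read_only=Joe
EOF

for u in Joe Tom Lyra; do
    echo "== $u =="
    cgi_perms "$u" "$SAMPLE"
    can_run_commands "$u" "$SAMPLE" && echo "commands: yes" || echo "commands: no"
done
```

On the lab server, point the functions at /usr/local/nagios/etc/cgi.cfg instead of the sample file.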

Disable All Authentication

  1. Open the nagios.conf file.

    sudo vim /etc/httpd/conf.d/nagios.conf
  2. Comment out all lines in the file except for the following.

    • Lines surrounded by angle brackets.
    • Lines that say Allow from all.
    • Lines that say Require all granted. Note that this corrects an error that is only corrected later in the video.
  3. Save your changes and quit the editor.

  4. Restart the web service.

    sudo systemctl restart httpd
  5. Open a private browser window and navigate to http://PUBLIC_IP_FIRST_SERVER/nagios.

  6. Verify that you can access the server without logging in.

  7. Click on Hosts from the left-hand menu and verify nothing is listed.

  8. Click on Services from the left-hand menu and verify nothing is listed.

  9. Back in the shell, edit the cgi.cfg file.

    sudo vim /usr/local/nagios/etc/cgi.cfg
  10. Change the use_authentication=1 line to use_authentication=0.

  11. Save your changes and quit the editor.

  12. Restart the Nagios service.

    sudo systemctl restart nagios
  13. Back in your private browser, refresh the window and verify you now have access to multiple hosts and services, as well as access to service commands.

Enable the Authentication

  1. Return to the shell and edit the cgi.cfg file.

    sudo vim /usr/local/nagios/etc/cgi.cfg
  2. Change the use_authentication=0 line to use_authentication=1.

  3. Save your changes and quit the editor.

  4. Open the nagios.conf file.

    sudo vim /etc/httpd/conf.d/nagios.conf
  5. Uncomment all the lines that you commented out in an earlier step.

  6. Save your changes and quit the editor.

  7. Restart the services.

    sudo systemctl restart nagios
    sudo systemctl restart httpd
  8. Return to the browser window and refresh your view.

  9. Log in as "Tom" and verify the expected behavior.
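
Authentication was switched off in two places (the Apache nagios.conf and use_authentication in cgi.cfg), so both need to be confirmed as restored. The following is an added example, not part of the lab: it flags any Directory block without an active Require valid-user line and checks the active use_authentication value. The function names and the simplified sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the lab): check that both authentication layers are on.

# unprotected_dirs CONF -> prints each <Directory> path that has no active
# "Require valid-user" line; commented-out lines do not count.
unprotected_dirs() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*<Directory[ \t]/ { dir = $2; gsub(/[">]/, "", dir); ok = 0; next }
        /^[ \t]*Require[ \t]+valid-user/ { ok = 1 }
        /^[ \t]*<\/Directory>/ { if (!ok) print dir }
    ' "$1"
}

# cgi_auth_on CGI_CFG -> exit 0 only if the active line is use_authentication=1.
cgi_auth_on() {
    awk -F= '
        /^[ \t]*#/ { next }
        $1 ~ /^[ \t]*use_authentication[ \t]*$/ { v = $2; gsub(/[ \t\r]/, "", v) }
        END { exit !(v == "1") }
    ' "$1"
}

# Constructed samples: a simplified nagios.conf with auth active, and the same
# file with everything commented out except the lines the lab step keeps.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/on.conf" <<'EOF'
<Directory "/usr/local/nagios/sbin">
   Options ExecCGI
   <RequireAll>
      Require all granted
      AuthName "Nagios Access"
      AuthType Basic
      AuthUserFile /usr/local/nagios/etc/htpasswd.users
      Require valid-user
   </RequireAll>
</Directory>
EOF
sed -E '/^[[:space:]]*(<|Allow from all|Require all granted)/!s/^/#/' \
    "$WORK/on.conf" > "$WORK/off.conf"
printf 'use_authentication=1\n' > "$WORK/cgi_on.cfg"
printf '#use_authentication=1\nuse_authentication=0\n' > "$WORK/cgi_off.cfg"

for state in on off; do
    bad=$(unprotected_dirs "$WORK/$state.conf")
    cgi_auth_on "$WORK/cgi_$state.cfg" && cgi=1 || cgi=0
    echo "$state: httpd unprotected dirs=[${bad}] cgi use_authentication=$cgi"
done
```

On the lab server, run the two functions against /etc/httpd/conf.d/nagios.conf and /usr/local/nagios/etc/cgi.cfg; an empty list from unprotected_dirs together with a zero exit status from cgi_auth_on means both layers are back on.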

Conclusion

Congratulations — you've completed this hands-on lab!