The highest level of security for invoking a Checkmk agent is offered by invoking it via Secure Shell, which on Linux takes the form of an OpenSSH implementation. OpenSSH has been included in Windows since Windows 10 and Windows Server 2019.
The steps involved:
Start OpenSSH Server
C:\ProgramData\checkmk\agent\plugins> net start sshd
Create SSH Key pair
C:\ProgramData\checkmk\agent\plugins> ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\IEUser/.ssh/id_rsa):
Created directory 'C:\Users\IEUser/.ssh'
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Users\IEUser/.ssh/id_rsa.
Your public key has been saved in C:\Users\IEUser/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:dH/h0I/vQ56C5rRIC]bxEgxSRSGs2nVCdx+rasQk₩QU ieuser@MSEDGEWIN10
The key's randomart image is:
+---[RSA 2048]----+
| .OE*o |
| ..O . . . |
| + + = ..O |
| ..O |
| ..O |
| + . 0 |
| = = = |
| + = = |
| ..O . 0 |
+----[SHA256]-----+
C:\ProgramData\checkmk\agent\plugins>
Create the file 'authorized_keys' in C:\Users\<USERNAME>\.ssh\
fsutil file createnew authorized_keys 2000
Put in the public key from the Checkmk Site User
Now you can log in to the Windows machine without a password
OMD[mysite]:~$ ssh IEUser@192.168.2.106
Microsoft Windows [Version 10.0.17763.379]
(c) 2018 Microsoft Corporation. Alle Rechte vorbehalten.
ieuser@MSEDGEWIN10 C:\Users\IEUser>
Modify the authorized_keys file on the Windows host and restrict access to the execution of the agent
command="\"C:\\Program Files (x86)\\checkmk\\service\\check_mk_agent.exe\" test" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGb6AaqRPlbEmDnBkeIW3Q6Emb5lr2QEbWEQLmA5pb48 mysite@mycmkserver
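An added example (not part of the original article and not Checkmk code): a small Python audit for a restricted authorized_keys entry like the one above. It checks that the entry parses, that it carries a forced command running check_mk_agent.exe, and that the declared key type matches the type stored inside the key blob; the function names and the sample key (32 zero bytes) are constructed for illustration.

```python
import base64
import re
import struct

KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")
# One option: a name, optionally ="value"; inside the quotes only \" is an escape.
OPTION = re.compile(r'([A-Za-z-]+)(?:="((?:\\"|[^"])*)")?(?:,|\s+|$)')

def parse_entry(line):
    """Split one authorized_keys line into (options, declared key type, blob)."""
    line, options, pos = line.strip(), {}, 0
    while not line.startswith(KEY_PREFIXES, pos):
        m = OPTION.match(line, pos)
        if not m:
            raise ValueError("malformed option at column %d" % (pos + 1))
        options[m.group(1).lower()] = (m.group(2) or "").replace('\\"', '"')
        pos = m.end()
    fields = line[pos:].split()
    if len(fields) < 2:
        raise ValueError("key blob missing")
    return options, fields[0], fields[1]

def blob_key_type(blob_b64):
    """Read the key type name stored inside the base64 public key blob."""
    raw = base64.b64decode(blob_b64, validate=True)
    (length,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + length].decode("ascii")

def audit(line, agent="check_mk_agent.exe"):
    """Return findings for one entry; an empty list means it is restricted."""
    try:
        options, declared, blob = parse_entry(line)
        embedded = blob_key_type(blob)
    except (ValueError, struct.error) as exc:
        return ["unparseable entry: %s" % exc]
    findings = []
    if agent not in options.get("command", ""):
        findings.append("no forced command running " + agent)
    if declared != embedded:
        findings.append("declared type %s but blob is %s" % (declared, embedded))
    return findings

# Constructed sample data: a well-formed ssh-ed25519 blob of 32 zero bytes, not a real key.
NAME = b"ssh-ed25519"
BLOB = base64.b64encode(struct.pack(">I", len(NAME)) + NAME + struct.pack(">I", 32) + bytes(32)).decode()
FORCED = r'command="\"C:\\Program Files (x86)\\checkmk\\service\\check_mk_agent.exe\" test" '

if __name__ == "__main__":
    for entry in (FORCED + "ssh-ed25519 " + BLOB, "ssh-ed25519 " + BLOB, FORCED + "ssh-rsa " + BLOB):
        print(audit(entry) or "ok")
```

Run audit() on each non-comment line of C:\Users\<USERNAME>\.ssh\authorized_keys; any non-empty result means the key is either unrestricted or will not be accepted as written.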
Now you can stop the Checkmk Agent Service on the Windows Host
net stop CheckMkService
Diagnosis
OMD[mysite]:~$ cmk -d Windows_SSH |more
<<<check_mk>>>
Version: 1.6.0p19
BuildDate: Nov 16 2020
AgentOS: windows
Hostname: MSEDGEWIN10
Architecture: 64bit
or via SSH
OMD[mysite]:~/$ ssh IEUser@192.168.2.128 " "
or
OMD[mysite]:~/$ ssh -T IEUser@192.168.2.128
If OpenSSH is not already installed on your system, you can install it by following this manual: https://docs.microsoft.com/de-de/windows-server/administration/openssh/openssh_install_firstuse
If you want to learn more about configuring OpenSSH under Windows, please take a look at this manual: https://docs.microsoft.com/de-de/windows-server/administration/openssh/openssh_server_configuration
A more detailed manual: https://forum.checkmk.com/t/windows-agent-abfrage-uber-ssh/22421