PKI Enabling Nagios

Although it’s not documented very well, Nagios can be made to use Client SSL (PKI) authentication.

There are two main steps required:

1 – Modify /etc/httpd/conf.d/nagios.conf 

In this step we need to comment out the existing AuthType parameters and add the SSLVerifyClient sections to both <Directory> containers:

ScriptAlias /nagios/cgi-bin/ "/usr/lib64/nagios/cgi-bin/"
<Directory "/usr/lib64/nagios/cgi-bin/">
#  SSLRequireSSL
   Options ExecCGI
   AllowOverride None
   Order allow,deny
   Allow from all
#  AuthName "Nagios Access"
#  AuthType Basic
#  AuthUserFile /etc/nagios/passwd
#  Require valid-user
   # We're going to use SSL Certs for authentication
   SSLVerifyClient optional
   SSLUserName SSL_CLIENT_S_DN_CN
   RewriteEngine On
   RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
   RewriteRule .* /ssl-client-auth-required.html [L]
</Directory>
Alias /nagios "/usr/share/nagios/html"
<Directory "/usr/share/nagios/html">
#  SSLRequireSSL
   Options FollowSymLinks
   AllowOverride None
   Order allow,deny
   Allow from all
#  AuthName "Nagios Access"
#  AuthType Basic
#  AuthUserFile /etc/nagios/passwd
#  Require valid-user
   # We're going to use SSL Certs for authentication
   SSLVerifyClient optional
   SSLUserName SSL_CLIENT_S_DN_CN
   RewriteEngine On
   RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
   RewriteRule .* /ssl-client-auth-required.html [L]
</Directory>

This relies on the main /etc/httpd/conf.d/ssl.conf being configured to enable SSL, although the site-wide SSLVerifyClient statements do not need to be defined. These can be defined on a per <Location> or <Directory> basis if required – in this example the remainder of the server is available over standard SSL, whilst Nagios requires a PKI cert.

Whilst testing this setup I also found that I needed to change Options None to Options FollowSymLinks in the second <Directory> block, otherwise Chrome refused to log in using the client certificate.

The steps above should result in a certificate challenge when accessing the Nagios URL (after an httpd restart), and on selecting the appropriate certificate you should be logged in.

2 – Grant Nagios Authorizations 

To get permission to DO anything in Nagios, you will need to edit /etc/nagios/cgi.cfg and add the CN from the certificate(s) to the relevant authorization statements. These use comma-separated values, so spaces in the CN are OK.