Overview

    To perform SSH checks Zabbix server must be initially configured with SSH2 support (libssh2 or libssh). See also: .

    Only libssh is supported starting with RHEL/CentOS 8.

    Configuration

    Passphrase authentication

    SSH checks provide two authentication methods, a user/password pair and key-file based.

    If you do not intend to use keys, no additional configuration is required, besides linking libssh2/libssh to Zabbix, if you’re building from source.

    Key file authentication

    To use key based authentication for SSH items, certain changes to the server configuration are required.

    Open the Zabbix server configuration file () as and look for the following line:

    Uncomment it and set full path to a folder where public and private keys will be located:

    1. SSHKeyLocation=/home/zabbix/.ssh

    Save the file and restart zabbix_server afterwards.

    /home/zabbix here is the home directory for the zabbix user account and .ssh is a directory where by default public and private keys will be generated by a ssh-keygen command inside the home directory.

    Before starting to generate the keys, an approach to reallocate the home directory to a better known place (intuitively expected) could be considered. This will correspond with the SSHKeyLocation Zabbix server configuration parameter mentioned above.

    These steps can be skipped if zabbix account has been added manually according to the because in this case most likely the home directory is already located at /home/zabbix.

    To change the setting for the zabbix user account all working processes which are using it have to be stopped:

    1. # service zabbix-agent stop
    2. # service zabbix-server stop

    To change the home directory location with an attempt to move it (if it exists) a command should be executed:

    It’s absolutely possible that a home directory did not exist in the old place (in the CentOS for example), so it should be created at the new place. A safe attempt to do that is:

    1. # test -d /home/zabbix || mkdir /home/zabbix

    To be sure that all is secure, additional commands could be executed to set permissions to the home directory:

    1. # chown zabbix:zabbix /home/zabbix
    2. # chmod 700 /home/zabbix

    Previously stopped processes now can be started again:

    Now steps to generate public and private keys can be performed by a command:

    1. # sudo -u zabbix ssh-keygen -t rsa
    2. Enter file in which to save the key (/home/zabbix/.ssh/id_rsa): 
    3. Created directory '/home/zabbix/.ssh'.
    4. Enter passphrase (empty for no passphrase): 
    6. Your identification has been saved in /home/zabbix/.ssh/id_rsa.
    7. Your public key has been saved in /home/zabbix/.ssh/id_rsa.pub.
    8. The key fingerprint is:
    9. 90:af:e4:c7:e3:f0:2e:5a:8d:ab:48:a2:0c:92:30:b9 [email protected]
    10. The key's randomart image is:
    11. +--[ RSA 2048]----+
    12. |                 |
    13. |       .         |
    14. |      o          |
    15. |+     . S        |
    17. |E .   * =        |
    18. |=o . ..* .       |
    19. |... oo.o+        |
    20. +-----------------+

    Note: public and private keys (id_rsa.pub and id_rsa respectively) have been generated by default in the /home/zabbix/.ssh directory which corresponds to the Zabbix server SSHKeyLocation configuration parameter.

    Shell configuration form

    This step should be performed only once for every host that will be monitored by SSH checks.

    By using the following command the public key file can be installed on a remote host 10.10.10.10 so that then SSH checks can be performed with a root account:

    1. # sudo -u zabbix ssh-copy-id [email protected]
    2. The authenticity of host '10.10.10.10 (10.10.10.10)' can't be established.
    3. RSA key fingerprint is 38:ba:f2:a4:b5:d9:8f:52:00:09:f7:1f:75:cc:0b:46.
    4. Are you sure you want to continue connecting (yes/no)? yes
    5. Warning: Permanently added '10.10.10.10' (RSA) to the list of known hosts.
    6. [email protected]'s password: 
    7. Now try logging into the machine, with "ssh '[email protected]'", and check in:
    8. to make sure we haven't added extra keys that you weren't expecting.

    Now it’s possible to check the SSH login using the default private key (/home/zabbix/.ssh/id_rsa) for zabbix user account:

    If the login is successful, then the configuration part in the shell is finished and remote SSH session can be closed.

    Item configuration

    Actual command(s) to be executed must be placed in the Executed script field in the item configuration.
    Multiple commands can be executed one after another by placing them on a new line. In this case returned values also will be formatted as multi lined.

    All mandatory input fields are marked with a red asterisk.

    The fields that require specific information for SSH items are:

    libssh2 library may truncate executable scripts to ~32kB.