
Nagios SSL Authentication

Nagios 3 can use SSL client certificate authentication, but it is poorly documented. The authentication itself is done by the web server (Apache?), and Nagios only reads the username from the SSL variables. Unfortunately, the Nagios documentation does not state which variable is read, or whether it can be configured. After a quick source code review (thank god Nagios is open source!) I figured out what's going on.

In /etc/nagios3/cgi.conf you'll find:
use_ssl_authentication = 0
Setting this value to 1 will cause Nagios to treat SSL_CLIENT_S_DN_CN as the username. If you want to use some other variable (e.g. SSL_CLIENT_S_DN_Email), you need to set use_ssl_authentication to 0 even though you are using SSL authentication, and set SSLUserName (or the equivalent directive in your web server) to the variable you want. SSLUserName sets REMOTE_USER, which is what Nagios checks when use_ssl_authentication is 0.

Now you can just add the username to the authorization directives in /etc/nagios3/cgi.conf. Spaces in the username shouldn't be a problem, because Nagios uses a comma (,) as the delimiter.

Don't use SSL_CLIENT_S_DN_UID even if you are tempted to. It doesn't mean what you think it does.
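
The setup described above as an Apache mod_ssl fragment. This is an added example, not part of the original page or of the Nagios distribution; the CA file path, the CGI directory (Debian nagios3 layout) and the sample user names are assumptions.

```apache
# Added example: goes inside the HTTPS <VirtualHost> that serves Nagios.
# Assumed paths; replace with your own CA bundle and CGI directory.

# Only accept clients presenting a certificate signed by this CA.
SSLCACertificateFile /etc/ssl/nagios-clients-ca.pem
SSLVerifyClient require
SSLVerifyDepth 1

<Directory "/usr/lib/cgi-bin/nagios3">
    # Case 1: use_ssl_authentication set to 1.
    # The CGIs read SSL_CLIENT_S_DN_CN from their environment, and mod_ssl
    # only exports the SSL_* variables to CGIs when StdEnvVars is enabled.
    SSLOptions +StdEnvVars

    # Case 2: use_ssl_authentication set to 0.
    # Map a certificate field of your choice onto REMOTE_USER instead.
    # (SSLUserName has no effect if SSLOptions +FakeBasicAuth is in use.)
    SSLUserName SSL_CLIENT_S_DN_Email
</Directory>

# Matching authorization entry in the Nagios CGI configuration for case 2.
# The value must equal the certificate field byte for byte; entries are
# separated by commas (constructed sample users):
#   authorized_for_all_services=nagiosadmin,alice@example.org
```

With `SSLVerifyClient require` at the virtual host level, a request without a valid client certificate is rejected during the TLS handshake, so the CGIs never run with an empty username.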

-- AvishaiIshShalom - 12 Feb 2010
Topic revision: r1 - 11 Feb 2010 - 22:39:55 - AvishaiIshShalom
 
