See www.zabbix.com for the official Zabbix site.
Active agent authentication
In June 2011, a community-originated effort was started to add authentication for active agents, because the current behaviour is a major security risk: any agent can pose as any host, and the Zabbix server never verifies the claim. This effort was started by User:walterheck, founder of http://tribily.com, in active conjunction with the Zabbix SIA developers and User:nelson.
Design document
Authentication module
Authentication protocol
The Challenge-handshake authentication protocol (http://en.wikipedia.org/wiki/Challenge-handshake_authentication_protocol) will be used in this scenario. This is similar to the authentication protocol used by Bacula. Either MD5 or SHA-1 hashing will be used.
Adding encryption after a successful handshake must also be considered.
The authentication will be checked against the hostname of the agent/proxy as configured on the server, together with that host's password.
Enforcing authentication
Authentication will be enforced for the following clients:
- Active checks from agents (must be enforced regardless of whether the agent connects to a server or to a proxy)
- Active proxy to server
- zabbix_sender
Authentication will not be enforced for the following clients:
- Node communication
- Passive checks to agent
- Server to passive proxy
- zabbix_get
NOTE: Needs peer review
Authentication sessions
Once a client has successfully authenticated itself to the server, the server should maintain the authenticated session without requiring the client to resubmit the password.
The client should send a request to log out its current session before the client program is terminated by the user.
The server must also terminate a client's session if no communication is exchanged between the server and the agent/proxy for a configured timeout period (e.g. due to a network outage). The client programs must reauthenticate themselves when the server requests it.
Configuration
Host configurations
At the Zabbix server, each host must contain two new configuration parameters:
- Enable/Disable authentication (Defaults to Enabled)
- Authentication password (must be set if authentication is enabled)
The connecting clients (zabbix_agent, zabbix_proxy and zabbix_sender) must have an additional parameter holding their authentication password. The parameter is mandatory only for active agents and proxies.
QUESTION: Should we have a system-wide default password for hosts?
System-wide configuration
TODO: Fill this in; probably the only setting needed is a configurable timeout and retry count to keep the authenticated session alive.
Backward compatibility
The server must enforce the authentication rule regardless of the client's version.
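The handshake, per-host settings and session handling described above, modelled as an added Python example (not Zabbix project code); the hostnames, passwords, SHA-1 digest layout and the session_timeout value are constructed assumptions.

```python
import hashlib
import hmac
import os

def client_response(hostname, password, nonce):
    # Client side: SHA-1 digest over hostname, shared password and the
    # server's one-time challenge, in the CHAP style the design names.
    h = hashlib.sha1()
    for part in (hostname.encode(), password.encode(), nonce):
        h.update(part)
    return h.hexdigest()

class AuthServer:
    def __init__(self, hosts, session_timeout=60):
        # hosts: hostname -> {"auth": bool, "password": str} (the two new per-host parameters)
        self.hosts = hosts
        self.timeout = session_timeout  # assumed system-wide session timeout
        self.pending = {}   # hostname -> outstanding challenge
        self.sessions = {}  # hostname -> time of last exchange
    def challenge(self, hostname):
        if hostname not in self.hosts:  # unknown host: no challenge at all
            return None
        nonce = os.urandom(16)
        self.pending[hostname] = nonce
        return nonce
    def verify(self, hostname, digest, now):
        nonce = self.pending.pop(hostname, None)  # each challenge is single-use
        if nonce is None:
            return False
        expected = client_response(hostname, self.hosts[hostname]["password"], nonce)
        if not hmac.compare_digest(expected, digest):  # constant-time compare
            return False
        self.sessions[hostname] = now
        return True
    def session_ok(self, hostname, now):
        # Data from an active agent/proxy is accepted only on a live session;
        # hosts with authentication disabled pass through unchanged.
        host = self.hosts.get(hostname)
        if host is None:
            return False
        if not host["auth"]:
            return True
        last = self.sessions.get(hostname)
        if last is None or now - last > self.timeout:
            self.sessions.pop(hostname, None)  # expired: re-authentication required
            return False
        self.sessions[hostname] = now  # any exchange keeps the session alive
        return True
    def logout(self, hostname):
        self.sessions.pop(hostname, None)
```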
Installing ZABBIX on Ubuntu 11.10
This guide walks you through compiling the Zabbix source code and installing it.
Installation procedure
Pre-requisites
1. Install Ubuntu 11.10
2. Install SSH and create id_rsa and id_rsa.pub in the .ssh directory:
ssh-keygen
3. Register at https://github.com (to download the source code) and add the SSH key (the content of id_rsa.pub)
4. Install the core packages:
sudo apt-get install build-essential git libgsasl7-dev apache2 \
mysql-server mysql-client php5 libapache2-mod-php5 php5-mysql php5-gd
5. Install the development dependencies for the Zabbix server:
sudo apt-get build-dep zabbix-server-mysql
6. Clone the source code:
git clone git@github.com:Tribily/zabbix.git
7. Change into the zabbix directory and check out the sasl-auth branch:
git checkout -tb sasl-auth origin/sasl-auth
Compiling the server and client (agent)
1. Create the group and user called zabbix
sudo groupadd zabbix
sudo useradd -g zabbix -s /sbin/nologin zabbix
2. Bootstrap the installation process
./bootstrap.sh
3. Configure the installation
./configure --enable-server --enable-proxy --enable-agent \
--with-jabber --with-ldap --with-libcurl --with-mysql \
--with-net-snmp --with-gsasl --enable-ipv6 2>>WARNINGS >/dev/null
4. Compile and install the source
make dbschema
make && sudo make install
5. Create the database
mysql -u root -p
mysql> create database zabbix;
mysql> quit;
6. Preload the database with data
mysql -u root -p zabbix < database/mysql/schema.sql
mysql -u root -p zabbix < database/mysql/images.sql
mysql -u root -p zabbix < database/mysql/data.sql
7. Add the following to /etc/services :
zabbix-agent 10050/tcp # Zabbix Agent
zabbix-agent 10050/udp # Zabbix Agent
zabbix-trapper 10051/tcp # Zabbix Trapper
zabbix-trapper 10051/udp # Zabbix Trapper
8. Edit the configuration files and ensure the database name/password is correct
sudo vi /usr/local/etc/zabbix_server.conf
sudo vi /usr/local/etc/zabbix_agentd.conf
Installing the PHP frontend
1. Copy the init.d scripts
sudo cp misc/init.d/debian/zabbix-server /etc/init.d
sudo cp misc/init.d/debian/zabbix-agent /etc/init.d
2. Copy the PHP frontend code to the server
sudo mkdir /var/www/zabbix
cd frontends/php
sudo cp -a . /var/www/zabbix
3. Edit /etc/apache2/sites-enabled/000-default and add the following :
Alias /zabbix "/var/www/zabbix/"
<Directory "/var/www/zabbix/">
AllowOverride FileInfo AuthConfig Limit Indexes
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
<Limit GET POST OPTIONS PROPFIND>
Order allow,deny
Allow from all
</Limit>
<LimitExcept GET POST OPTIONS PROPFIND>
Order deny,allow
Deny from all
</LimitExcept>
</Directory>
4. Modify the following in /etc/php5/apache2/php.ini :
post_max_size = 16M
max_execution_time = 300
max_input_time = 300
date.timezone = Asia/Kuala_Lumpur
(find your correct timezone format here: http://us3.php.net/manual/en/timezones.php)
5. Restart Apache
sudo /etc/init.d/apache2 restart
6. Bring up a browser and open http://localhost/zabbix. Follow the instructions listed there.
Test run the service
1. Start the Zabbix server (zabbix_server)
sudo /etc/init.d/zabbix-server start
2. Start the Zabbix agent (zabbix_agentd)
sudo /etc/init.d/zabbix-agent start
3. Check the error logs in /tmp/zabbix_*.log
vi /tmp/zabbix_server.log
vi /tmp/zabbix_agentd.log
Code
The code for this project is based on the Zabbix 1.9.x tree and is hosted on GitHub here: https://github.com/Tribily/zabbix/tree/auth
Zabbix forum thread
Community discussion is taking place here: http://www.zabbix.com/forum/showthread.php?t=20403