X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=dsa-nagios-checks%2Fchecks%2Fdsa-check-config;h=ae5fa7452ebfecd53a00a76564fd2c30f666c1ae;hb=6d3540483ada4d6446d4af1aeabe7f23de7af1df;hp=2341d07dc241c51ba22eaa98d8a15c5560c5cb91;hpb=e8fb4ee20cb18fe80cc923011756df176ee5884d;p=mirror%2Fdsa-nagios.git
diff --git a/dsa-nagios-checks/checks/dsa-check-config b/dsa-nagios-checks/checks/dsa-check-config
index 2341d07..ae5fa74 100755
--- a/dsa-nagios-checks/checks/dsa-check-config
+++ b/dsa-nagios-checks/checks/dsa-check-config
@@ -48,7 +48,7 @@ check_ldap_conf() {
 if egrep '^URI.*ldap://db.debian.org' /etc/ldap/ldap.conf > /dev/null &&
 egrep '^BASE.*dc=debian,dc=org' /etc/ldap/ldap.conf > /dev/null &&
- egrep '^TLS_CACERT.*/etc/ssl/certs/spi-cacert-2008.pem' /etc/ldap/ldap.conf > /dev/null &&
+ egrep '^TLS_CACERT.*/etc/ssl/servicecerts/db.debian.org.crt' /etc/ldap/ldap.conf > /dev/null &&
 egrep '^TLS_REQCERT.*hard' /etc/ldap/ldap.conf > /dev/null ; then
 log ok "ldap.conf configured properly"
 return
@@ -57,8 +57,29 @@ check_ldap_conf() {
 log warn "ldap.conf does not have URI, BASE, TLS_CACERT, TLS_REQCERT all configured correctly"
 }
+check_ssh_hostkeys() {
+ if [ -e /etc/ssh/ssh_host_ed25519_key ] ; then
+ if ! [ -e /etc/ssh/ssh_host_ed25519_key.pub ]; then
+ log warn "Have /etc/ssh/ssh_host_ed25519_key without .pub"
+ return
+ fi
+ if cat /etc/ssh/ssh_known_hosts | awk -v hostname=$(hostname -f) '{split($1,a,","); if (a[1] == hostname) { print } }' | grep -q -F -f /etc/ssh/ssh_host_ed25519_key.pub; then
+ log ok "ed25519 host key in known_hosts"
+ return
+ else
+ log warn "ed25519 host key missing from known_hosts"
+ return
+ fi
+ else
+ log ok "no ed25519 host key."
+ return
+ fi
+}
+
+
 check_aliases
 check_ldap_conf
+check_ssh_hostkeys
 [ "$critical" = "" ] || echo -n "Critical: $critical; "
 [ "$warn" = "" ] || echo -n "Warning: $warn; "
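Review bot: The updated TLS_CACERT pattern has no end anchor and leaves its dots unescaped, so a line such as `TLS_CACERT /etc/ssl/servicecerts/db.debian.org.crt.bak` is still reported as ok although the client would trust a different file. Because this check confirms which trust anchor LDAP uses, I would tighten it to `egrep '^TLS_CACERT[[:space:]]+/etc/ssl/servicecerts/db\.debian\.org\.crt[[:space:]]*$' /etc/ldap/ldap.conf`. check_ldap_conf starts before this hunk and continues past it.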
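Review bot: In check_ssh_hostkeys the whole .pub file is passed to `grep -q -F -f` as a pattern list, so the result depends on more than the key itself. A blank line in the .pub makes grep match every line for this host and report ok for any key. The trailing comment field must also appear verbatim in ssh_known_hosts, which may cause a false warning if that file omits comments. I would extract only the key type and base64 blob and compare those fields in awk, which also removes the `cat` and lets a missing known_hosts fall into the warn branch. Separately, `$(hostname -f)` should be quoted so an empty or unusual result cannot change how awk parses its arguments.

```shell
	# … unchanged: existence checks for the private key and its .pub …
	# Compare only "keytype blob"; the comment field and blank lines in .pub must not affect the match.
	hostkey=$(awk 'NF >= 2 { print $1 " " $2; exit }' /etc/ssh/ssh_host_ed25519_key.pub)
	if [ -z "$hostkey" ]; then
		log warn "No usable key in /etc/ssh/ssh_host_ed25519_key.pub"
		return
	fi
	if awk -v hostname="$(hostname -f)" -v key="$hostkey" '
		{ split($1, a, ","); if (a[1] == hostname && ($2 " " $3) == key) found = 1 }
		END { exit !found }' /etc/ssh/ssh_known_hosts; then
	# … unchanged: ok / warn branches …
```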