Skip to content

Configuring SSH key-based monitoring

For password based monitoring of devices via SSH, the zCommandUsername and zCommandPassword properties must be configured. To eliminate the need for stored passwords, SSH keys can be generated and distributed using the instructions on this page.

In the instructions below, we will assume that the monitoring account (zenmonitor) has already been created on the target device. If you use a different name for your SSH-based monitoring account, please substitute it below.

For the localhost collector

  1. On the Control Center master, set the correct permissions on the distributed filesystem (DFS) ssh directory:

    chmod 0700 $(df -h| grep volumes | awk '{print $NF}')/.ssh
  2. Attach to the zencommand service container of the localhost collector:

    serviced service attach localhost/zencommand
  3. Switch to the zenoss user:

    su - zenoss
  4. Generate the SSH keys:

    ssh-keygen -t rsa


    SSH key passphrases are supported. If your key makes use of a passphrase, be sure to populate the zCommandPassword property. Otherwise, leave zCommandPassword blank.

  5. Copy the SSH keys to the monitoring target device:

    ssh-copy-id zenmonitor@hostname


    This can also be accomplished by copying the contents of /home/zenoss/.ssh/ from inside the zencommand container into the /home/zenmonitor/.ssh/authorized_keys file on the target device.

  6. Verify that you can ssh from inside the zencommand container to the target device:

    ssh zenmonitor@hostname
  7. Exit the zenoss user, then exit the zencommand container:

  8. In the Resource Manager UI, update the zProperties for the target device, or for the device's parent device class if the user and key will be reused:

    zPropertyName Value
    zCommandUsername zenmonitor
    zKeyPath /home/zenoss/.ssh/id_rsa
    zCommandPassword passphrase <or blank if none>

For remote collectors

To perform SSH key-based monitoring of devices from a non-localhost collector, simply copy the id_rsa private key from the Control Center master to the delegate host:

scp $(df -h | awk '/volumes/ {print $NF}')/.ssh/id_rsa user@delegatehost:$(df -h | awk '/volumes/ {print $NF}')/.ssh/id_rsa


This step will need to be repeated for every delegate host where the zencommand service container might run. If the key is missing from a delegate host, any instance of the zencommand service that starts there will be unable to initiate key-authenticated SSH sessions.