Can't use monit cli if httpd auth is htpasswd

Issue #218 closed
Former user created an issue

Hello,

I'm new to monit but already very happy with it, however I have a problem and I think it is a bug.

These lines from monitrc break monit cli

set httpd port 2812 and
    use address localhost      # only accept connection from localhost
    allow localhost            # allow localhost to connect to the server and
    allow md5 /etc/monit/htpasswd  # allow users listed in htpasswd file

Now when I run sudo monit status, this is the result: monit: cannot read status from the monit daemon.

If I remove line allow md5 /etc/monit/htpasswd then I can run monit status. But if I add a line like allow whateveruser:whateverpassword then I can run monit status command too.

This looks like strange behaviour to me. Also, these config values should be related only to the embedded http server, so why does this not allow me to access monit status under root?

This is Monit version 5.6 can't test on latest...

Comments (9)

  1. Roman Valov

    I know it's pointed out in the monit documentation that it's required to have a clear-text password for the monit client. But is there a way to set up monit to be remotely accessed only with hashed passwords but with no impact on command line utility functioning?

  2. Tildeslash repo owner

    @nvartolomei the monit CLI uses the httpd interface to pass commands to the monit daemon and fetch status - when the httpd interface is protected with credentials, monit CLI (http client) reads it from the configuration file so it can authenticate with the daemon (http server). When no clear-text credentials are available in the configuration file, the CLI cannot authenticate, as it doesn't know the password. Hence the clear-text credentials are required for the CLI to work properly (https://mmonit.com/monit/documentation/monit.html#Authentication).

    You can combine the htpasswd credentials with a clear-text entry for the monit CLI ... the authentication list is the union of all allow options with credentials (provided the client comes from the allowed IP when allow options with IP/net are used as well):

    set httpd port 2812 and
        use address localhost              # only accept connection from localhost
        allow localhost                    # allow localhost to connect to the server and
        allow md5 /etc/monit/htpasswd      # allow users listed in htpasswd file
        allow mysecretuser:kjcndzb843823   # user entry for monit CLI
    
  3. Tildeslash repo owner

    @RomanValov unfortunately not - if credentials are required, monit CLI needs to know it to be able to authenticate to the monit http interface (currently it reads it from the configuration file). Hashed-credentials-only scenario is possible, but monit CLI won't work in that case.

  4. Former user Account Deleted reporter

    @tildeslash I understood this already, can't we find a way to bypass this? At least let me pass password to monit cli.

  5. Tildeslash repo owner

    Currently the monit CLI doesn't support authentication dialog with the user (we may add it in the future).

  6. Former user Account Deleted reporter

    @tildeslash this is what I asked for.

    Also a friendlier message would be cool!

  7. S. Heimberg

    agree with @nvartolomei about

    • friendlier message
    • allow cli without clear text password which can be used from everywhere else

    Giving cli an account that can be used from localhost only is my suggestion. (Other users are still allowed from elsewhere.)

    I had this problem today with monit 5.16, and searched the web for several minutes until finding the solution. I overlooked the hint in the manual. I consider this bug still as open, because the error message does not give any hint.
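The behaviour the repo owner describes in comment 2 can be checked before the daemon is reloaded. The following is an added example, not part of the thread and not Monit code: a small lint that classifies every `allow` line in a monitrc and reports whether the CLI will find a clear-text credential. The function names are hypothetical, and it assumes `allow` appears only in the `set httpd` statement and that only an inline `user:password` entry is usable by the CLI, as stated in the thread.

```python
import ipaddress
import re

# Constructed sample inputs: the two httpd blocks quoted in the thread.
HASHED_ONLY = """\
set httpd port 2812 and
    use address localhost      # only accept connection from localhost
    allow localhost            # allow localhost to connect to the server and
    allow md5 /etc/monit/htpasswd  # allow users listed in htpasswd file
"""
WITH_CLI_USER = HASHED_ONLY + "    allow mysecretuser:kjcndzb843823  # user entry for monit CLI\n"

ALLOW = re.compile(r"^\s*allow\s+(\S.*?)\s*$", re.IGNORECASE)

def strip_comment(line):
    """Drop a trailing '#' comment, keeping '#' inside double-quoted strings."""
    return re.sub(r'("[^"]*")|#.*', lambda m: m.group(1) or "", line)

def is_ip(token):
    """True for an IPv4/IPv6 address or network, so '::1' is not read as user:password."""
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False

def classify_allow(arg):
    """Classify the argument of one 'allow' line."""
    words = arg.split()
    if words[0].lower() in ("md5", "crypt", "cleartext") and len(words) > 1:
        return "htpasswd-" + words[0].lower()   # credentials live in an external file
    if words[0].startswith("@"):
        return "pam-group"
    if ":" in words[0] and not is_ip(words[0]):
        return "inline-user"                    # clear-text user:password in monitrc
    return "host"                               # hostname, address or network

def cli_auth_report(monitrc_text):
    """Return (kinds, cli_ok, hint) for the allow lines found in monitrc_text."""
    kinds = [classify_allow(m.group(1))
             for m in (ALLOW.match(strip_comment(l)) for l in monitrc_text.splitlines())
             if m]
    needs_auth = any(k != "host" for k in kinds)
    cli_ok = not needs_auth or "inline-user" in kinds
    hint = "" if cli_ok else ("httpd requires credentials but monitrc has no clear-text "
                              "'allow user:password' entry; the monit CLI cannot authenticate")
    return kinds, cli_ok, hint
```
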
