nagios/check_ssh_no_password_login

#!/usr/bin/env perl
# Note: Quite experimental, use with care
use strict;
use warnings;
use Getopt::Std;
use 5.010;

my %opts;
my $port;

getopts('H:p:', \%opts);

if (not $opts{'H'}) {
	die("Usage: $0 -H HOST -p port\n");
}

if (not $opts{'p'}) {
	$port = "-p22";
} else {
	$port = "-p" . $opts{'p'};
}

my $host = $opts{'H'};
my $ssh_cmd = 'ssh ' . $port . ' -o PreferredAuthentications=keyboard-interactive,password'
	. ' -o BatchMode=yes -o CheckHostIP=no -o StrictHostKeyChecking=no'
	. " -o UserKnownHostsFile=/dev/null -o LogLevel=FATAL"
	. " root\@${host} /bin/false 2>&1";

my $output = qx{$ssh_cmd};

my ($accepted) = ($output =~ m/^Permission denied \((.*)\)\./);

if (not $accepted) {
	say "Unable to parse ssh output: $output";
	exit 3;
}

if ($accepted =~ /password/) {
	say "Password login enabled (server accepts $accepted)";
	exit 2;
}
else {
	say "Password login disabled (server accepts $accepted)";
	exit 0;
}