Hello,

One of my servers is a third-party managed Linux server. For this reason I do not have access, nor can I create a /var/prtg/scripts folder on that machine.

Is there a way I can use the SSH script sensor from another location (like user root directory) on the machine than the default one?


Article Comments

Dear webmaster_mooji,

the folder cannot be changed. This is a security measure. No other folder is supported as PRTG wants to make sure that one cannot execute code on a computer without having write access for /var.


Jul, 2018 - Permalink

Though I understand that, somehow it disables the ssh sensor possibility for all of us who have (strictly) managed servers.

Besides, if I have ssh access to the server, and can run the script as I please, what's the added security of locking PRTG possibility to only /var?


Jul, 2018 - Permalink

Dear webmaster_mooji,

yes, the approach of PRTG disables that for servers managed by a third party. We rather have this limitation than possibilities for a security weakness through PRTG. (PRTG cannot block you from manually logging in via SSH, but it is strict about running scripts via the SSH Script sensor.)

A workaround would be to run a PowerShell locally through the Exe/Script sensor, which then connects via SSH to a remote machine.


Jul, 2018 - Permalink

Hello,

could you please answer the last question of "webmaster_mooji": "what's the added security of locking PRTG possibility to only /var?"

You are breaking Unix conventions with this approach. The "/var" directory should only contain files to which the system writes data during the course of its operation.

I do not see any security improvements with this approach but only more comfort in implementing the sensor.

Best regards, Uwe


Nov, 2019 - Permalink

Dear Uwe,

we picked /var because of its default access rights being 755. Everyone can execute, but only root can write, meaning putting a script there.

Supporting just one directory allows us to keep the SSH Script sensor interface simple.


Nov, 2019 - Permalink

Dear Arne,

just a hint: the "/opt" directory has exactly the same default permissions (0755).

But I agree - it's too much effort to change it for existing installations.


Nov, 2019 - Permalink
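
The "only root can write" argument made in the thread holds only if the script directory, every directory above it, and the scripts themselves are owned by root and not group- or world-writable. The following is an added example, not part of the thread and not PRTG code, that audits exactly that for `/var/prtg/scripts` or any other path such as one under `/opt`; the function name, its parameters and the report format are assumptions of this example.

```python
import os
import stat
import sys

SCRIPT_DIR = "/var/prtg/scripts"  # directory named in the thread

def audit_script_path(path=SCRIPT_DIR, trusted_uid=0, top="/"):
    """Return (entry, problem) findings; an empty list means only
    trusted_uid can add or replace scripts under `path`.
    Name, parameters and report format are assumptions of this example."""
    path, top = os.path.realpath(path), os.path.realpath(top)
    if not os.path.isdir(path):
        return [(path, "missing or not a directory")]
    # Collect the directory and every ancestor up to `top`: whoever can write
    # to an ancestor can rename the subtree and substitute their own.
    chain, current = [path], path
    while current != top and current != os.path.dirname(current):
        current = os.path.dirname(current)
        chain.append(current)
    entries = chain[::-1] + [os.path.join(path, n) for n in sorted(os.listdir(path))]
    findings = []
    for entry in entries:
        st = os.lstat(entry)
        if stat.S_ISLNK(st.st_mode):
            findings.append((entry, "symlink, target not audited"))
            continue
        if st.st_uid != trusted_uid:
            findings.append((entry, "owned by uid %d" % st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((entry, "group/world-writable (%04o)" % stat.S_IMODE(st.st_mode)))
    return findings

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else SCRIPT_DIR
    problems = audit_script_path(target)
    for entry, problem in problems:
        print("%s: %s" % (entry, problem))
    sys.exit(1 if problems else 0)
```

Run on the monitored host, it exits non-zero and lists each offending entry when any link in the chain could be modified by an account other than root.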