However, whenever I change the password, the agent can’t communicate with the back-end:
{"component":"agent","error":"handshake failed with status 401: bad credentials\n","level":"error","msg":"reconnection attempt failed","time":"2021-10-13T17:32:42+02:00"}
How do I configure this on the back-end to allow a different password?
Should this password be changed (for security reasons)?
Thanks!
You will also need to change the built-in agent user’s password to match via sensuctl
$ sensuctl help user change-password
change password for given user
Usage: sensuctl user change-password [USERNAME] [flags]
Flags:
-c, --current-password string current password
-h, --help help for change-password
--interactive Determines if CLI is in interactive mode
-p, --new-password string new password
Global Flags:
--api-url string host URL of Sensu installation
--cache-dir string path to directory containing cache & temporary files (default
"/home/todd/.cache/sensu/sensuctl")
--config-dir string path to directory containing configuration files (default "/home/todd/.config/sensu/sensuctl")
--insecure-skip-tls-verify skip TLS certificate verification (not recommended!)
--namespace string namespace in which we perform actions (default "default")
--timeout duration timeout when communicating with sensu backend (default 15s)
--trusted-ca-file string TLS CA certificate bundle in PEM format
Given that the password is stored in plaintext on the agent and the agent user’s access is limited to the events resource, changing it doesn’t provide a large amount of benefit. However, if your organization’s security policies forbid such practices as storing plaintext password, might I suggest you look at using mTLS for agent authentication.