[Nagios-devel] nrpe and nrpe_nt development

Subhendu Ghosh sghosh at sghosh.org
Thu Dec 18 13:52:01 UTC 2003


A nice balancing act is what is needed :)

my 2 cents.

I like the configure time option of including blowfish even at the risk of 
additional configuration requirements.  Since check_nrpe is only available 
thru the NRPE distribution, blowfish doesn't add an extra requirement for 
the general plugin dist.

I like being able to send ARGx to the remote plugins via NRPE.

Lastly - if nrpe_nt is to flourish, we need a repository for the Windows 
specific plugins. My feeling is that this should be both a binary and a 
source repository as not all Windows systems will have the requisite 
toolset. 

-sg


On Thu, 18 Dec 2003, Stephen Strudwick wrote:

> 
> > This also goes back to whether you are allowing check_nrpe to execute arguments.
> > For security we don't; we only allow defined checks to run with no arguments and
> > most agree that is the safer option. If there is a feeling that the server
> > should be authenticated by the clients using a cert then that is something I
> > can work on putting in place without much heartache and we would just need to
> > automate the creation of self signed certs in the make process to simplify the
> > procedure.
> 
> When we have run netsaint in the past with nrpep we had command line
> arguments, but I planned to stop doing this with nagios mainly because I
> thought it was unnecessary complication as well as a security risk.
> 
> We do need more security than the basic IP checks here at pipex because we
> can't be sure our servers will have tcp wrappers on them (mainly NT is the
> problem here) or be behind a firewall.
> 
> We have to be as sure as we can (to the point of maybe being too zealous)
> that the servers are not compromised in any way.
> 
> > If there is a feeling that the server
> > should be authenticated by the clients using a cert then that is something I
> > can work on putting in place without much heartache and we would just need to
> > automate the creation of self signed certs in the make process to simplify the
> > procedure.
> 
> Something like this would be really good, if you point me in the right
> direction I'm willing to code something over xmas, because I'm working to an
> early Jan deadline :(
> 
> I really want to make sure whatever is done is accepted into the code base
> so that our operations people can always download the latest version from
> the site and not use a hacked about version that instantly becomes
> static in development.
> 
> -
> Stephen Strudwick
> Advanced Development Engineer
> Development Group, Product Development
> PIPEX Communications
> http://www.pipexcommunications.net/
> 
> Mobile: 07906 191256
> Direct: 020 8957 1217
> 
> On Thu, 18 Dec 2003, local.coder wrote:
> 
> >
> > Stephen,
> >
> > When coding in the encryption the idea was to secure the data between the nagios
> > server and the remote client. The use of passwords and other options were
> > specifically removed to keep out problems with plaintext password management
> > and other fun. This is meant as a data protection scheme only and not an
> > authentication scheme. The IP Address restriction for us is enough to limit
> > remote hosts. With some minor changes the openssl part could be setup to use
> > pre-shared certs but when talking with others that went to a level of
> > complexity that seemed overwhelming for large server bases and updates. I
> > originally was working with the blowfish encryption but at Ethan's and plugin
> > people's request moved to openssl since it is already included in other plugins
> > as a requirement and there was a concern to keep external requirements to a
> > minimum if possible.
> >
> > This also goes back to whether you are allowing check_nrpe to execute arguments.
> > For security we don't; we only allow defined checks to run with no arguments and
> > most agree that is the safer option. If there is a feeling that the server
> > should be authenticated by the clients using a cert then that is something I
> > can work on putting in place without much heartache and we would just need to
> > automate the creation of self signed certs in the make process to simplify the
> > procedure.
> >
> > Like I say I didn't want to have static passwords in the config files for
> > authentication because to me that gave a false sense of bad security.
> >
> > Derrick
> >
> >
> > Quoting Stephen Strudwick <sas at pipex.net>:
> >
> > >
> > > I also forgot to add that I've written a load of plugins for nrpe_nt in C
> > > such as check disk, eventlog, cpu load, mem load, services etc.
> > >
> > > I will release the source and binaries as soon as we have finished testing
> > > on them.
> > >
> > > -
> > > Stephen Strudwick
> > > Advanced Development Engineer
> > > Development Group, Product Development
> > > PIPEX Communications
> > > http://www.pipexcommunications.net/
> > >
> > > Mobile: 07906 191256
> > > Direct: 020 8957 1217
> > >
> > > On Thu, 18 Dec 2003, Stephen Strudwick wrote:
> > >
> > > > hello all,
> > > >
> > > > This is my first post to this list and I want to ask some questions
> > > > about my company (Pipex) doing some development for nrpe and nrpe_nt.
> > > >
> > > > We have been using netsaint for a while and are upgrading to nagios and
> > > > have decided to use nrpe for nt and unix boxes.
> > > >
> > > > I noticed the encryption using openssl is not really that secure, as far
> > > > as I can tell it only encrypts the session between the client and server
> > > > and doesn't stop anyone else with the nrpe client querying the server.
> > > >
> > > > The only protection the demon has as far as I can tell is the IP
> > > > restrictions.
> > > >
> > > > We have some internal code we have been using for several years here that
> > > > provides Blowfish encryption using shared keys, username pass
> > > > authentication and all kinds of handshaking and security.
> > > >
> > > > The code is in C, and we have modules for *nix and NT.
> > > >
> > > > We also have an implementation as a Perl module (with C backend code).
> > > >
> > > > I would like to add this code to nrpe as a compile time option (say
> > > > --use-blowfish on ./configure).
> > > >
> > > > And also to the NT version.
> > > >
> > > > If I add this code I would like it, if possible, to be integrated into the
> > > > current releases of nrpe (so we don't create a static fork inside our
> > > > company).
> > > >
> > > > Basically I'm looking for feedback as to whether this is necessary/right
> > > > thing to do, or have I misunderstood the openssl encryption.
> > > >
> > > > I envisage the shared key encryption working like nrpep with a -s
> > > > <secret> option being used for a secret on the nagios server.
> > > >
> > > > Thanks in advance for any feedback.
> > > >
> > > > -
> > > > Stephen Strudwick
> > > > Advanced Development Engineer
> > > > Development Group, Product Development
> > > > PIPEX Communications
> > > > http://www.pipexcommunications.net/
> > > >
> > > >
> > > >
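
The thread weighs "defined checks only, no arguments" against passing ARGx to remote plugins. The following is an added example, not part of any message in this thread and not NRPE's own code, sketching how a daemon could enforce both policies before anything is executed; the check table, plugin paths, function name and error codes are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed table of defined checks; names and paths are hypothetical. */
struct check { const char *name; const char *cmdline; };
static const struct check CHECKS[] = {
    { "check_load", "/usr/lib/nagios/check_load -w 5 -c 10" },
    { "check_disk", "/usr/lib/nagios/check_disk -w 20% -p $ARG1$" },
};
/* Allowlist for argument bytes: no whitespace, quotes or shell metacharacters. */
static const char SAFE[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                           "0123456789/._-:%";

enum { CHK_OK = 0, ERR_UNDEFINED = -1, ERR_ARGS_DISABLED = -2,
       ERR_BAD_ARG = -3, ERR_TOO_LONG = -4 };

/* Build (never execute) the command line for one request.
 * allow_args == 0 models the "defined checks only, no arguments" policy. */
int resolve_check(const char *name, const char *arg1, int allow_args,
                  char *out, size_t outlen)
{
    const char *tmpl = NULL, *macro;
    int have_arg = (arg1 != NULL && *arg1 != '\0');
    size_t i;
    int n;

    for (i = 0; i < sizeof CHECKS / sizeof CHECKS[0]; i++)
        if (strcmp(CHECKS[i].name, name) == 0)
            tmpl = CHECKS[i].cmdline;
    if (tmpl == NULL)
        return ERR_UNDEFINED;          /* caller cannot name arbitrary commands */

    macro = strstr(tmpl, "$ARG1$");
    if ((have_arg || macro != NULL) && !allow_args)
        return ERR_ARGS_DISABLED;      /* argument passing is switched off */
    if ((macro != NULL) != have_arg)
        return ERR_BAD_ARG;            /* missing or unexpected argument */
    if (macro == NULL) {
        n = snprintf(out, outlen, "%s", tmpl);
    } else {
        /* Reject option injection (leading '-') and any byte off the allowlist. */
        if (arg1[0] == '-' || arg1[strspn(arg1, SAFE)] != '\0')
            return ERR_BAD_ARG;
        n = snprintf(out, outlen, "%.*s%s%s",
                     (int)(macro - tmpl), tmpl, arg1, macro + 6);
    }
    if (n < 0 || (size_t)n >= outlen)
        return ERR_TOO_LONG;
    return CHK_OK;
}
```

With `allow_args` set to 0 the daemon can only ever run the fixed command lines in its table, which is the safer option described in the thread; with it set to 1, the allowlist is the only thing standing between the requester and the command line.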
