[Pkg-nagios-devel] Bug#547092: nagios-nrpe-server: Insecure 'SSL' option, key identical for all debian systems

Wilco Baan Hofman wilco at baanhofman.nl
Thu Sep 17 01:08:22 UTC 2009

Package: nagios-nrpe-server
Version: <= 2.12
Severity: important
Tags: patch

The SSL option of the NRPE plugin and server does not perform any kind of authentication. It has no certificates, only a DH key, which is generated at compile time.

This means that the nrpe key is identical to all debian systems, but subject to change every time the package maintainer uses the  ./configure script.

My patch adds full SSL certificate verification to nrpe. Note that this breaks backwards commandline compatibility, because the previous mode was insecure. This means that the check_nrpe rules must be edited in the nagios configuration as well.

-- System Information:
Debian Release: 5.0.3
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fullssl.patch
Type: text/x-diff
Size: 11994 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-nagios-devel/attachments/20090917/4e1c7e98/attachment.patch>

More information about the Pkg-nagios-devel mailing list