[Pkg-nagios-devel] Bug#547092: nagios-nrpe-server: Insecure 'SSL' option, key identical for all debian systems
Wilco Baan Hofman
wilco at baanhofman.nl
Thu Sep 17 01:08:22 UTC 2009
Package: nagios-nrpe-server
Version: <= 2.12
Severity: important
Tags: patch
The SSL option of the NRPE plugin and server does not perform any kind of authentication. It has no certificates, only a DH key, which is generated at compile time.
This means that the nrpe key is identical to all debian systems, but subject to change every time the package maintainer uses the ./configure script.
My patch adds full SSL certificate verification to nrpe. Note that this breaks backwards commandline compatibility, because the previous mode was insecure. This means that the check_nrpe rules must be edited in the nagios configuration as well.
-- System Information:
Debian Release: 5.0.3
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fullssl.patch
Type: text/x-diff
Size: 11994 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-nagios-devel/attachments/20090917/4e1c7e98/attachment.patch>
More information about the Pkg-nagios-devel
mailing list