[Pkg-nagios-devel] Bug#547092: nrpe ssl security problem

Christoph Anton Mitterer calestyo at scientia.net
Thu Feb 7 22:50:12 UTC 2013


On Thu, 2013-02-07 at 14:13 -0800, Matt Taggart wrote:
> If this can't be solved, maybe we could recommend better
>  alternatives?
The better alternative is using ssh with control channel
multiplexing,... which is as fast as nrpe.

The only thing missing there was a restricted shell for the remote hosts
where they can specify white (the check commands and their args) and
blacklists (evil stuff like "*" or "..") in order to control the
commands that the monitoring node may run (as they can do in a very,
very limited and insecure way with nrpe).


Removing nrpe from testing is IMHO a bad idea... but I would suggest
adding big fat warnings that nrpe is completely insecure.


Cheers,
Chris.
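
The restricted shell described in the message above can be approximated with an SSH forced command that checks each request against an allowlist and a denylist before executing it. This is an added example, not part of the original post or of any Debian or Nagios package; the wrapper path, the plugin paths and the two allowlisted checks are assumptions.

```python
#!/usr/bin/env python3
"""Forced-command wrapper for a monitoring SSH key (constructed example).

Assumed authorized_keys entry on the monitored host:
  command="/usr/local/bin/check-wrapper",no-pty,no-port-forwarding ssh-ed25519 AAAA...
"""
import os
import re
import shlex
import sys

# Allowlist (assumed layout): check name -> (plugin path, regex each argument must fully match).
ALLOWED = {
    "check_load": ("/usr/lib/nagios/plugins/check_load",
                   re.compile(r"-[wc]|\d+(\.\d+)?(,\d+(\.\d+)?){0,2}")),
    "check_disk": ("/usr/lib/nagios/plugins/check_disk",
                   re.compile(r"-[wcp]|\d{1,3}%|/[A-Za-z0-9_/-]*")),
}
# Denylist: refused anywhere in the request, before any parsing ("*", ".." and shell syntax).
DENIED = re.compile(r"\.\.|[*?;&|<>`$(){}\[\]\\!\n\r\x00]")


def validate(request):
    """Return the argv to execute, or raise ValueError if the request is refused."""
    if not request or len(request) > 512:
        raise ValueError("empty or oversized request")
    if DENIED.search(request):
        raise ValueError("denied pattern in request")
    name, *args = shlex.split(request)  # ValueError on blank input or unbalanced quotes
    if name not in ALLOWED:
        raise ValueError("check not in allowlist")
    plugin, arg_re = ALLOWED[name]
    for arg in args:
        if not arg_re.fullmatch(arg):
            raise ValueError("argument not allowed: %r" % arg)
    return [plugin, *args]


def main():
    try:
        argv = validate(os.environ.get("SSH_ORIGINAL_COMMAND", ""))
    except ValueError as exc:
        print("UNKNOWN - request refused: %s" % exc)
        return 3  # Nagios plugin exit code for UNKNOWN
    os.execv(argv[0], argv)  # no shell involved, so arguments are never re-interpreted


if __name__ == "__main__":
    sys.exit(main())
```

The monitoring node sends only the check name and its arguments (for example `ssh host 'check_load -w 5,4,3 -c 10,8,6'`); the plugin path is always taken from the allowlist on the monitored host.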