[Pkg-nagios-devel] Bug#547092: Bug#547092: nrpe ssl security problem

Alexander Wirt formorer at debian.org
Thu Feb 7 23:26:42 UTC 2013


On Thu, 07 Feb 2013, Matt Taggart wrote:

> As pointed out in a previous message to the bug, #547092
> "nagios-nrpe-server: Insecure 'SSL' option, key identical for all
> debian systems" is severity grave due to the security problem it
> introduces in the service (but not critical since the problem is
> limited to the nrpe service). I have adjusted it.
> 
> This bug hasn't had any activity for almost a year and was mostly
> shouting before that. This package shouldn't be in testing/stable
> until this is fixed lest others (as I did) spend a bunch of effort
> implementing lots of nrpe based checks before realizing they just
> opened a security hole on all their systems...
> 
> If this can't be solved, maybe we could recommend better
> alternatives?

In fact nothing is new here and security wouldn't change much with different
keys. The implementation is just broken. But if you have an idea to improve
it, feel free to send a patch (as long as it doesn't make nrpe incompatible
with upstream's nrpe).

Alternatives would be check_by_ssh, check_mk, snmp. There are also some nrpe
replacements flying around but I never tested one of them.

Alex


