[Pkg-nagios-devel] Bug#547092: Bug#547092: nrpe ssl security problem

Markus Frosch markus at lazyfrosch.de
Thu Feb 7 23:31:32 UTC 2013

Just my 2 cents (without any hat on):

TLS integration in NRPE was broken from the beginning and more or less
by design.

The "real" and only security feature is to configure a appropriate
allowed_hosts list, which might be enough security for internal
networks in respect of TCP sessions.

Question is: Do we really want to remove NRPE from testing because of
it promising a incomplete feature?

It should be pointed out that the TLS feature is broken, but still
allowing users to use NRPE.

Because the problem is: we (Debian) might not be able to change it -
but I personally don't want users to use some self built stuff.

2013/2/7 Matt Taggart <taggart at debian.org>:
> As pointed out in a previous message to the bug, #547092
> "nagios-nrpe-server: Insecure 'SSL' option, key identical for all
> debian systems" is severity grave due to the security problem it
> introduces in the service (but not critical since the problem is
> limited to the nrpe service). I have adjusted it.
> This bug hasn't had any activity for almost a year and was mostly
> shouting before that. This package shouldn't be in testing/stable
> until this is fixed lest others (as I did) spend a bunch of effort
> implementing lots of nrpe based checks before realizing they just
> opened a security hole on all their systems...
> If this can't be solved, maybe we could recommend better
>  alternatives?

Markus Frosch
markus at lazyfrosch.de

More information about the Pkg-nagios-devel mailing list