[Pkg-nagios-devel] Bug#547092: Bug#547092: Bug#547092: nrpe ssl security problem

Christoph Anton Mitterer calestyo at scientia.net
Fri Feb 8 00:13:15 UTC 2013

Off topic but...

Hi Michael

On Fri, 2013-02-08 at 00:55 +0100, Michael Friedrich wrote:
> i've tried the idea of the ssl x509 patch in an unofficial nrpe fork.
> lives in git here, until it dies, and will never get released, so 
> beware: https://git.icinga.org/?p=icinga-irpe.git;a=summary
If nothing speaks against ssh (and at least the performance problems are
IMHO solved), that I would suggest that the long term plan should be to
drop any solution as NRPE.
What it does it remotely executing commands - well we already have a
protocol for that: ssh ... which supports many different auth methods
(certs, ssh keys, krb, etc.)

> the nrpe implementation as is an entire mess, and one would rather 
> rewrite it entirely than fix the ssl issue just for sanity. besides - 
> the dh key gets generated on each configure run. so at least only the 
> same package revisions share the same key.
That doesn't help,... still any other side with any other key can

> the future in icinga regards will introduce a new agent, based on the 
> (already in dev) existing icinga2 message protocol (native v4/v6, x509, 
> compression). but it's not yet implemented as it's planned for a later 
> milestone this year.
Does it give anything that ssh doesn't have?
Another protocol is just another thing to develop, maintain and another
attack target.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5113 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-nagios-devel/attachments/20130208/a543dd3b/attachment.bin>

More information about the Pkg-nagios-devel mailing list