[Nagiosplug-devel] NRPE Authentication/Authorization?? DEVS PLEASE READ
Hari Sekhon
hpsekhon at googlemail.com
Mon Jan 7 14:53:46 CET 2008
Hi,
Recent expanded usage of my NRPE daemons has gotten me thinking about
better authentication and authorization.
It seems that NRPE is quite lacking in authentication (there is none!).
Most of us work around this deficiency by wrapping it in xinetd to restrict
IP addresses to the monitoring server(s) (at least I do). However this
does not really solve anything. There are two problems with even just IP
limiting NRPE calls. Firstly, IP Spoofing. Secondly, what if there is
more than 1 user account on a server? Any user or developer who has an
account on any IP authorized machine can issue NRPE calls to any server
running NRPE.
This is a real problem if you want to use NRPE to issue remote restarts
or take any remedial action that you want to control. Even just the data
leakage issue can be quite serious.
So...
Is there any chance we can have authentication added to NRPE like we do
with NSCA where you must have at the very least a shared secret?
Going one step further, is it possible to have separate credentials
limited to separate calls? This would be most helpful for event
handlers... or for different monitoring servers or user accounts.
Thanks
-h
--
Hari Sekhon
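
The scheme requested in the message above (a shared secret per caller, with each credential limited to specific calls), as an added example that is not part of the original post and is not NRPE's or NSCA's protocol or code. The key ids, secrets, command names and message layout are all hypothetical; freshness and nonce checks are included because a bare shared-secret MAC would still allow a captured request to be replayed.

```python
import hashlib
import hmac
import time

# Constructed sample data: key id -> (shared secret, commands that key may run).
CREDENTIALS = {
    "monitor1": (b"constructed-secret-1", {"check_load", "check_disk"}),
    "handler1": (b"constructed-secret-2", {"restart_httpd"}),
}
MAX_SKEW = 30   # seconds a signed request stays valid
_seen = set()   # accepted (key_id, nonce) pairs; prune by age in a real daemon


def sign_request(key_id, secret, command, nonce, timestamp):
    """Caller side: HMAC over every field the daemon will act on."""
    fields = [key_id, command, nonce, str(timestamp)]
    # Length-prefix each field so field boundaries cannot be shifted.
    msg = b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_request(key_id, command, nonce, timestamp, mac, now=None):
    """Daemon side: authenticate first, then authorize. Returns (ok, reason)."""
    now = time.time() if now is None else now
    entry = CREDENTIALS.get(key_id)
    if entry is None:
        return False, "unknown key"
    secret, allowed = entry
    expected = sign_request(key_id, secret, command, nonce, timestamp)
    if not hmac.compare_digest(expected, mac):   # constant-time comparison
        return False, "bad mac"
    if abs(now - timestamp) > MAX_SKEW:
        return False, "stale"
    if (key_id, nonce) in _seen:
        return False, "replay"
    if command not in allowed:                   # per-credential authorization
        return False, "command not authorized"
    _seen.add((key_id, nonce))
    return True, "ok"
```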