[Nagiosplug-devel] NRPE Authentication/Authorization?? DEVS PLEASE READ

Hari Sekhon hpsekhon at googlemail.com
Mon Jan 7 14:53:46 CET 2008

Previous message: [Nagiosplug-devel] [ nagiosplug-Bugs-1865082 ] check_http with -H does not allow IPv6-address
Next message: [Nagiosplug-devel] NRPE Authentication/Authorization?? DEVS PLEASE READ
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

   Recent expanded usage of my NRPE daemons has gotten me thinking about 
better authentication and authorization.

It seems that NRPE is quite lacking in authentication (there is none!). 
Most of us work around this deficiency by wrapping it xinetd to restrict 
IP addresses to the monitoring server(s) (at least I do). However this 
does not really solve anything. There are two problems with even just IP 
limiting NRPE calls. Firstly, IP Spoofing. Secondly, what if there is 
more than 1 user account on a server? Any user or developer who has an 
account on any IP authorized machine can issue NRPE calls to any server 
running NRPE.

This is a real problem if you want to use NRPE to issue remote restarts 
or take any remedial action that you want to control. Even just the data 
leakage issue can be quite serious.

So...

Is there any chance we can have authentication added to NRPE like we do 
with NSCA where you must have at the very least a shared secret?

Going one step further, is it possible to have separate credentials 
limited to separate calls? This would be most helpful for event 
handlers... or for different monitoring servers or user accounts.


Thanks

-h

-- 
Hari Sekhon

Previous message: [Nagiosplug-devel] [ nagiosplug-Bugs-1865082 ] check_http with -H does not allow IPv6-address
Next message: [Nagiosplug-devel] NRPE Authentication/Authorization?? DEVS PLEASE READ
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Devel mailing list