[Nagiosplug-devel] NRPE Protocol
Hiren Patel
hir3npatel at gmail.com
Fri Aug 7 17:19:58 CEST 2009
Michael Wyraz wrote:
> If there's interest I'd like to discuss how the protocol could be
> improved. My suggestions are:
> - document it somewhere ;-)
> - change the structure to make it more flexible: 2 byte version, 2 byte
> packed, 2 byte response code, 2 byte payload length, the payload with a
> variable length instead of null-terminated
> - move the checksum to the end. This makes the implementation in other
> languages easier since it's not necessary to add a placeholder while
> constructing the message or calculating the checksum.
> - use a HMAC checksum based on a shared secret. This seems to be the
> easiest way to add secure authentication to the protocol. When using a
> "default secret" it has the same functionality as a normal checksum
> - add some "nonce" to the protocol to prevent replay attacks. This adds
> more security even if ssl is not used: client connects, server sends a
> random sequence, this sequence is included on the client side to
> calculate the checksum. The client adds his own "nonce" to the response
> so it can check that the server's answer is not a replay. A disadvantage
> is that this requires 1 more step in the communication but when the
> initial nonce is set to a fixed length, it's really easy to implement.
>
> Please tell me if you have feedback on these suggestions or on the
> protocol description (I'll add this description to one of the wikis
> these days).
>
I have no experience with the protocol, but what you're saying sounds
interesting. I'd say make the changes and submit the patches. If the
changes do improve the protocol and work better, I don't see why they
would not be accepted.
Many Nagios users use NRPE; if these changes improve it, I don't see why
a new major release with the protocol redo (if it's not backward
compatible) would not be considered.
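The exchange Michael sketches above (a header of four 2-byte fields, a length-prefixed payload, an HMAC over a shared secret placed at the end of the message, a server nonce sent on connect and a client nonce bound into the reply) written out as an added Python example; this is not code from the thread or from NRPE itself. The version number, the packet-type values, the 16-byte nonce size and HMAC-SHA256 are assumptions chosen for the illustration, and the shared secret and command strings are constructed sample values.

```python
import hashlib
import hmac
import secrets
import struct

# Assumed wire constants (not taken from NRPE or the original post).
VERSION = 3
NONCE_LEN = 16            # random bytes exchanged per connection
MAC_LEN = 32              # HMAC-SHA256 digest, appended after the payload
PKT_QUERY = 1
PKT_RESPONSE = 2
# version, packet type, response code, payload length: four big-endian 2-byte fields
HEADER = struct.Struct("!HHHH")


def build_packet(secret, pkt_type, result_code, payload, peer_nonce, own_nonce):
    """Frame a message: own nonce | header | payload | HMAC.

    The MAC covers the peer's nonce (received earlier), this side's nonce and
    the body, so the message is bound to this connection and cannot be
    replayed under a different nonce. Because the MAC sits at the very end,
    the sender never needs a placeholder while assembling the bytes.
    """
    body = HEADER.pack(VERSION, pkt_type, result_code, len(payload)) + payload
    mac = hmac.new(secret, peer_nonce + own_nonce + body, hashlib.sha256).digest()
    return own_nonce + body + mac


def parse_packet(secret, data, my_nonce):
    """Verify and decode a framed message.

    my_nonce is the nonce this side issued earlier; the sender must have
    mixed it into the MAC. Raises ValueError on a short, tampered, wrongly
    keyed or replayed message.
    """
    if len(data) < NONCE_LEN + HEADER.size + MAC_LEN:
        raise ValueError("short packet")
    sender_nonce = data[:NONCE_LEN]
    body, mac = data[NONCE_LEN:-MAC_LEN], data[-MAC_LEN:]
    expected = hmac.new(secret, my_nonce + sender_nonce + body, hashlib.sha256).digest()
    # Constant-time comparison so MAC checking does not leak timing information.
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad HMAC: wrong secret, tampered message, or replay")
    version, pkt_type, code, plen = HEADER.unpack_from(body)
    payload = body[HEADER.size:]
    if version != VERSION or len(payload) != plen:
        raise ValueError("malformed header")
    return pkt_type, code, payload, sender_nonce


def run_exchange(secret, command, handler):
    """Simulate both sides of one connection in-process.

    handler(command_bytes) -> (result_code, output_bytes) stands in for the
    plugin the server would execute. Returns the code and output the client
    decoded, plus the raw query and server nonce for further checks.
    """
    # Step 1: on connect the server sends a random nonce.
    server_nonce = secrets.token_bytes(NONCE_LEN)
    # Step 2: the client binds its query to that nonce and adds its own.
    client_nonce = secrets.token_bytes(NONCE_LEN)
    query = build_packet(secret, PKT_QUERY, 0, command, server_nonce, client_nonce)
    # Step 3: the server verifies the query against the nonce it issued.
    pkt_type, _, payload, seen_client_nonce = parse_packet(secret, query, server_nonce)
    if pkt_type != PKT_QUERY:
        raise ValueError("expected a query")
    code, output = handler(payload)
    response = build_packet(secret, PKT_RESPONSE, code, output,
                            seen_client_nonce, secrets.token_bytes(NONCE_LEN))
    # Step 4: the client checks the answer was produced for its own nonce.
    rtype, rcode, routput, _ = parse_packet(secret, response, client_nonce)
    if rtype != PKT_RESPONSE:
        raise ValueError("expected a response")
    return rcode, routput, query, server_nonce


def replay_is_rejected(secret, old_query):
    """A captured query fails on a new connection because the server nonce differs."""
    fresh_nonce = secrets.token_bytes(NONCE_LEN)
    try:
        parse_packet(secret, old_query, fresh_nonce)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    shared = b"constructed-shared-secret"          # constructed sample secret
    plugin = lambda cmd: (0, b"OK - load average: 0.10")
    code, out, query, _ = run_exchange(shared, b"check_load", plugin)
    print(code, out, "replay rejected:", replay_is_rejected(shared, query))
```

Running the file prints the decoded result code and output and confirms that re-sending the same query bytes on a new connection fails verification. With a fixed "default secret" the MAC degrades to an integrity checksum, as the post notes; the replay protection comes from the nonces, so it holds even without SSL.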