[Nagiosplug-devel] NRPE Protocol
Thomas Guyot-Sionnest
dermoth at aei.ca
Wed Aug 12 04:11:14 CEST 2009
On 10/08/09 05:37 AM, Hiren Patel wrote:
> Michael Wyraz wrote:
>> Meanwhile I discovered one interesting thing that made me re-think my
>> suggestion to the protocol: http://hessian.caucho.com/ - this is a more
>> or less standardized binary protocol that is simple, efficient,
>> well-documented
>> (http://hessian.caucho.com/doc/hessian-serialization.html) and
>> available for most languages. So I would recommend to use this as base
>> for the new protocol.
>>
>> To the plain protocol different levels of encryption and/or signing
>> could be added. This could either be done using a shared secret (simplest
>> way) or by using certificates (IMO the best way; but has the
>> disadvantage that for each node a certificate must be created).
>> Another interesting approach is to use a split shared secret that
>> consists of one part that is put in the command definition (or in an
>> external file to prevent it being read via the web interface) plus a
>> second part that is defined in the host configuration. Both together
>> would build the really used shared secret. This would allow using
>> different shared secrets for each host while keeping the setup simple
>> and without exposing the secrets to the Nagios web interface.
>>
>>
>> If you have more suggestions to this, let's discuss them here. If there are
>> some crypto experts on this list, please take part in the discussion of how the
>> nrpe communication can be secured while keeping things easy.
>>
>
> To me, two things stand out to convince the developers to change the
> protocol: the security advantage is needed and useful, and that a redo
> would be better and more efficient.
> If most people are using nrpe on a trusted network, I don't see the
> developers being overly convinced to make the change, and if the new
> implementation isn't better in some way, likewise.
> Not many of the users have asked for better security from nrpe as far as
> I know; I'd be interested to hear what the developers think of a
> protocol redo.
>
From my point of view NRPE definitely needs some enhancements. Given the
same functionality, such enhancements should allow:
1. Extensibility (security, encryption, supporting current and future
plugin formats)
2. Backward-compatibility (allowing older clients and servers to
communicate, using a version field to guarantee future version
compatibility).
If anyone can come up with a well designed protocol it will likely get
adopted for future versions of NRPE. The best would probably be starting
a design on a Wiki and looking for input from the rest of the community.
--
Thomas
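As an added illustration (not NRPE's code or wire format, and not from anyone in this thread) of the two ideas raised above, Michael's split shared secret and the version field Thomas asks for: the command-definition part, the host-configuration part and the host name are combined into one effective per-host key, which then authenticates a versioned frame. The frame layout, the HMAC-based combiner and the function names are assumptions made for this example.

```python
import hmac
import hashlib
import struct

# Assumed frame layout (not NRPE's real one): version, message type and
# payload length in network byte order, then the payload, then a 32-byte
# HMAC-SHA256 tag over header + payload.
VERSION = 1
HDR = struct.Struct("!HHI")
TAG_LEN = 32


def derive_host_secret(command_part: bytes, host_part: bytes, host: str) -> bytes:
    """Combine the part stored with the command definition and the part
    stored in the host configuration into the secret actually used.
    Binding the host name means two hosts sharing the same command part
    still end up with different effective secrets. HMAC-SHA256 is used as
    the combiner here purely as an illustration."""
    info = b"split-secret\0" + host.encode() + b"\0" + host_part
    return hmac.new(command_part, info, hashlib.sha256).digest()


def build_frame(secret: bytes, msg_type: int, payload: bytes) -> bytes:
    """Sender side: header + payload, authenticated with the derived secret."""
    header = HDR.pack(VERSION, msg_type, len(payload))
    tag = hmac.new(secret, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def parse_frame(secret: bytes, frame: bytes):
    """Receiver side: check version, length and tag; return
    (version, msg_type, payload) or raise ValueError."""
    if len(frame) < HDR.size + TAG_LEN:
        raise ValueError("frame too short")
    version, msg_type, length = HDR.unpack_from(frame)
    if version != VERSION:
        # An older or newer peer is rejected explicitly rather than misparsed.
        raise ValueError(f"unsupported protocol version {version}")
    end = HDR.size + length
    if end + TAG_LEN != len(frame):
        raise ValueError("payload length does not match frame size")
    payload, tag = frame[HDR.size:end], frame[end:]
    expected = hmac.new(secret, frame[:end], hashlib.sha256).digest()
    # Constant-time comparison of the received tag against the recomputed one.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    return version, msg_type, payload
```

A frame built for one host does not verify under another host's derived secret, even when both hosts share the same command-definition part.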