[Nagiosplug-devel] NRPE Protocol

Thomas Guyot-Sionnest dermoth at aei.ca
Wed Aug 12 04:11:14 CEST 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/08/09 05:37 AM, Hiren Patel wrote:
> Michael Wyraz wrote:
>> Meanwhile I discovered one interesting thing that made me re-think my 
>> suggestion for the protocol: http://hessian.caucho.com/ - this is a more 
>> or less standardized binary protocol that is simple, efficient, 
>> well-documented 
>> (http://hessian.caucho.com/doc/hessian-serialization.html) and 
>> available for most languages. So I would recommend using this as the base 
>> for the new protocol.
>>
>> To the plain protocol, different levels of encryption and/or signing 
>> could be added. This could either be done using a shared secret (simplest 
>> way) or by using certificates (IMO the best way; but it has the 
>> disadvantage that a certificate must be created for each node).
>> Another interesting approach is to use a split shared secret that 
>> consists of one part that is put into the command definition (or into an 
>> external file to prevent it being read via the web interface) plus a 
>> second part that is defined in the host configuration. Both together 
>> would form the shared secret actually used. This would allow the use of 
>> different shared secrets for each host while keeping the setup simple 
>> and without exposing the secrets to the Nagios web interface.
>>
>>
>> If you have more suggestions on this, let's discuss them here. If there are 
>> some crypto experts on this list, please take part in the discussion of how the 
>> nrpe communication can be secured while keeping things easy.
>>
> 
> to me, two things stand out that would convince the developers to change the 
> protocol: that the security advantage is needed and useful, and that a redo 
> would be better and more efficient.
> if most people are using nrpe on a trusted network, I don't see the 
> developers being overly convinced to make the change, and if the new 
> implementation isn't better in some way, likewise.
> not many of the users have asked for better security from nrpe as far as 
> I know. I'd be interested to hear what the developers think of a 
> protocol redo.
>

- From my point of view NRPE definitely needs some enhancements. Given the
same functionality, such enhancements should allow:

1. Extensibility (security, encryption, supporting current and future
plugin formats)
2. Backward-compatibility (allowing older client and servers to
communicate, using a version field to guarantee future version
compatibility).

If anyone can come up with a well designed protocol it will likely get
adopted for future versions of NRPE. The best would probably be starting
a design on a Wiki and looking for input from the rest of the community.

- --
Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFKgiTC6dZ+Kt5BchYRAttXAJ9A7ANFsi0UGZekA7d9ZrepaBAZ6gCglbbI
bNA1aZpAXdQAVdnfxhEnUG4=
=EH6Q
-----END PGP SIGNATURE-----
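As an added example, not NRPE's own code and not a proposal from anyone in this thread, the following sketch combines the two ideas raised above: Michael's split shared secret (one half from the command definition, one half from the host configuration, combined into a per-host key) and Thomas's version field for backward compatibility. The header layout, the field widths, the key-derivation label, the "minimum accepted version" policy and the sample secrets are all assumptions made for illustration; the real NRPE v2 packet framing is not modelled, and "older versions" here are simply the same layout with a lower version number.

```python
"""Versioned, keyed NRPE-style request packet (illustrative, not NRPE's format).

Assumed wire layout (big-endian):
    uint16 version | uint16 type | 8-byte nonce | uint16 payload length
    | payload | 32-byte HMAC-SHA256 tag over everything before it
"""
import hashlib
import hmac
import os
import struct

PROTO_VERSION = 3                 # assumed: first version that carries a MAC
HDR = struct.Struct("!HH8sH")     # version, type, nonce, payload length
TAG_LEN = 32                      # HMAC-SHA256 output size
MAX_PAYLOAD = 1024


def derive_host_secret(command_part: bytes, host_part: bytes) -> bytes:
    """Combine the two halves of the split shared secret into one per-host key.

    The command-definition half is the HMAC key and the host-configuration
    half is the message, so neither half alone yields the key and every host
    gets a distinct key. The label string is an assumption of this example.
    """
    return hmac.new(command_part, b"nrpe-host-key:" + host_part,
                    hashlib.sha256).digest()


def pack_request(msg_type: int, payload: bytes, key: bytes,
                 version: int = PROTO_VERSION) -> bytes:
    """Build a packet whose header and payload are covered by the MAC."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too long")
    nonce = os.urandom(8)
    body = HDR.pack(version, msg_type, nonce, len(payload)) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def unpack_request(packet: bytes, key: bytes, min_version: int = PROTO_VERSION,
                   seen: set | None = None):
    """Parse and verify a packet; raise ValueError on anything suspicious.

    min_version is the receiver's policy: a server that still accepts an
    older version can be talked down to it, so the floor is configured on
    the server, not read from the packet. `seen` is an optional in-process
    nonce set for replay detection (unbounded here; a real one needs a limit).
    Returns (version, msg_type, nonce, payload).
    """
    if len(packet) < HDR.size + TAG_LEN:
        raise ValueError("truncated packet")
    version, msg_type, nonce, length = HDR.unpack_from(packet, 0)
    if version < min_version:
        raise ValueError(f"version {version} below configured minimum {min_version}")
    body_len = HDR.size + length
    if len(packet) != body_len + TAG_LEN:
        raise ValueError("length field does not match packet size")
    body, tag = packet[:body_len], packet[body_len:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("bad MAC")
    if seen is not None:
        if nonce in seen:
            raise ValueError("replayed nonce")
        seen.add(nonce)
    return version, msg_type, nonce, packet[HDR.size:body_len]


def demo() -> dict:
    """Round trip a request and show the checks that reject bad packets."""
    command_part = b"secret-half-from-command-definition"   # constructed
    key_a = derive_host_secret(command_part, b"host-a-half")  # constructed
    key_b = derive_host_secret(command_part, b"host-b-half")  # constructed
    pkt = pack_request(1, b"check_load -w 5,4,3 -c 10,8,6", key_a)
    results = {"payload": unpack_request(pkt, key_a)[3]}
    for label, packet, key, floor in (
        ("tampered", pkt[:HDR.size] + b"X" + pkt[HDR.size + 1:], key_a, 3),
        ("wrong_host_key", pkt, key_b, 3),
        ("downgrade", pack_request(1, b"check_load", key_a, version=2), key_a, 3),
    ):
        try:
            unpack_request(packet, key, min_version=floor)
            results[label] = "accepted"
        except ValueError as exc:
            results[label] = str(exc)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
</test>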
