Distributing plugins

Thomas Guyot-Sionnest thomas at zango.com
Thu Aug 30 21:22:11 CEST 2007



Andreas Ericsson wrote:
> Thomas Guyot-Sionnest wrote:
>> On 29/08/07 05:07 PM, Andreas Ericsson wrote:
>> I was talking about digitally signing the stuff you send to the remote
>> daemons (binary or script + command + (optionally) allowed hosts). Of
>> course it's worth nothing if an unencrypted key is lying around the
>> server - ideally the key should be encrypted and sitting on the
>> administrator's computer.
>>
> 
> Yes, I quite understood that. However, such a solution (where the sending
> end distributes the check-commands along with the programs) would provide
> a single point of entry to every nrpe-monitored machine in the entire
> network which is a very bad thing indeed.

Not if the whole thing (binary + command + hosts allowed to run the
check) is digitally signed by HAND by a system administrator using a
key that DOESN'T reside on the server and each server VERIFIES the
signature before accepting a new check. I'm not talking about automated
authentication between the server and client, I'm talking about
hand-made signatures that each system can verify to trust the new checks.

I'm not going to implement this anyways, but if someone does, using such
measures to protect the system makes it as safe as manually distributing
the files and configs.


--
Thomas
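The receiving-side check described in the message above, sketched as an added example; it is not code from this thread or from NRPE. The JSON manifest layout, the function names and the keyring path in the comment are assumptions made for illustration; `gpgv` is the GnuPG verify-only tool and only ever sees public keys.

```python
import hashlib
import json
import os
import subprocess
import tempfile


class Rejected(Exception):
    """The bundle must not be installed."""


def gpgv_verify(manifest: bytes, sig: bytes, keyring: str) -> bool:
    """True only if gpgv accepts `sig` as a detached signature over `manifest`
    made by a key in `keyring` (the private key stays on the admin's machine)."""
    with tempfile.TemporaryDirectory() as d:
        mpath = os.path.join(d, "manifest")
        spath = os.path.join(d, "manifest.sig")
        for path, data in ((mpath, manifest), (spath, sig)):
            with open(path, "wb") as f:
                f.write(data)
        proc = subprocess.run(
            ["gpgv", "--keyring", os.path.abspath(keyring), spath, mpath],
            capture_output=True)
        return proc.returncode == 0


def accept_check(manifest: bytes, sig: bytes, plugin: bytes, verify) -> dict:
    """Return the check definition if the bundle is trustworthy, else raise.
    On a daemon, `verify` would be something like (hypothetical path):
    lambda m, s: gpgv_verify(m, s, "/etc/nrpe/admin-pubring.gpg")"""
    # 1. Signature first: nothing in the manifest is parsed before it is authenticated.
    if not verify(manifest, sig):
        raise Rejected("bad or missing signature")
    m = json.loads(manifest)
    # 2. The signature covers the manifest; the manifest pins the plugin by hash.
    if hashlib.sha256(plugin).hexdigest() != m["sha256"]:
        raise Rejected("plugin does not match the signed hash")
    # 3. Command line and allowed hosts are taken only from the signed manifest.
    return {"name": m["name"], "command": m["command"],
            "allowed_hosts": list(m.get("allowed_hosts", []))}


def may_run(check: dict, requester: str) -> bool:
    """An empty list means the signer set no host restriction (it is optional)."""
    return not check["allowed_hosts"] or requester in check["allowed_hosts"]
```

Because the command and host list are read from the signed manifest rather than from the sender, a compromised distribution server can replay old bundles but cannot alter them; adding a signed version or expiry field would address replay.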
