Distributing plugins

Andreas Ericsson ae at op5.se
Fri Aug 31 12:43:27 CEST 2007


Thomas Guyot-Sionnest wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Andreas Ericsson wrote:
>> Thomas Guyot-Sionnest wrote:
>>> On 29/08/07 05:07 PM, Andreas Ericsson wrote:
>>> I was talking about digitally signing the stuff you send to the remote
>>> daemons (binary or script + command + (optionally) allowed hosts). Of
>>> course it's worth nothing if an unencrypted key is lying around the
>>> server - ideally the key should be encrypted and sitting on the
>>> administrator's computer.
>>>
>> Yes, I quite understood that. However, such a solution (where the sending
>> end distributes the check-commands along with the programs) would provide
>> a single point of entry to every nrpe-monitored machine in the entire
>> network which is a very bad thing indeed.
> 
> Not if the whole thing (binary + command + hosts allowed to run the
> check) is digitally signed by HANDS by a system administrator using a
> key that DOESN'T reside on the server and that each server VERIFY the
> signature before accepting a new check. I'm not talking about automated
> authentication between the server and client, I'm talking about
> hand-made signatures that each system can verify to trust the new checks.
> 

So you'd basically want to re-invent SSH to do less than what it already
does? Clever plan ;-)

The problem, as I saw it from the start, was that check_nrpe should be
capable of distributing the command *and* the plugin along with the
request to run that same command, which obviously *has* to be automatic
authentication. As soon as you involve an admin doing things manually,
you step outside the world of Nagios and into the boring drudgery of
system administration, in which there are already excellently secure
ways of transferring files and settings, so all discussion in that
area is either moot or belongs on some other list than this.

-- 
Andreas Ericsson                   andreas.ericsson at op5.se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231
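
The scheme from the quoted text (plugin + command + allowed hosts signed offline, verified by each host before a check is accepted), sketched with the OpenSSL command line. This is an added example, not code from this thread or from NRPE; the manifest layout, function names, file names and host names are assumptions.

```sh
#!/bin/sh
# Added example. Manifest layout, function names and file names are assumptions.

# Admin workstation: bind plugin hash + command + allowed hosts into one manifest.
make_manifest() {   # args: plugin command comma-separated-hosts
    printf 'sha256=%s\n' "$(openssl dgst -sha256 -r "$1" | cut -d' ' -f1)"
    printf 'command=%s\n' "$2"
    printf 'hosts=%s\n' "$3"
}

# Admin workstation: detached signature; the private key never goes to a server.
sign_manifest() {   # args: private-key manifest signature-out
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Monitored host: trust no manifest field until the signature has verified.
accept_check() {    # args: public-key manifest signature plugin requesting-host
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1 \
        || { echo "reject: bad signature" >&2; return 1; }
    want=$(sed -n 's/^sha256=//p' "$2")
    have=$(openssl dgst -sha256 -r "$4" | cut -d' ' -f1)
    [ -n "$want" ] && [ "$want" = "$have" ] \
        || { echo "reject: plugin differs from signed hash" >&2; return 1; }
    [ -n "$5" ] || return 1
    case ",$(sed -n 's/^hosts=//p' "$2")," in
        *",$5,"*) return 0 ;;
    esac
    echo "reject: $5 may not run this check" >&2; return 1
}

demo() {            # constructed key, plugin and host names, all in a temp dir
    d=$(mktemp -d) || return 1
    openssl genrsa -out "$d/admin.key" 2048 2>/dev/null
    openssl rsa -in "$d/admin.key" -pubout -out "$d/admin.pub" 2>/dev/null
    printf '#!/bin/sh\necho "DISK OK"\n' > "$d/check_disk"
    make_manifest "$d/check_disk" 'check_disk -w 20% -c 10%' \
        'nagios1.example.org' > "$d/manifest"
    sign_manifest "$d/admin.key" "$d/manifest" "$d/manifest.sig"
    accept_check "$d/admin.pub" "$d/manifest" "$d/manifest.sig" \
        "$d/check_disk" nagios1.example.org && echo "accepted: plugin as signed"
    echo '# changed after signing' >> "$d/check_disk"
    accept_check "$d/admin.pub" "$d/manifest" "$d/manifest.sig" \
        "$d/check_disk" nagios1.example.org || echo "rejected: plugin modified"
    rm -rf "$d"
}
demo
```

Only the public key would be installed on the monitored hosts; the demo creates both halves in one directory purely so it runs on a single machine.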



More information about the Developers mailing list