Distributing plugins

[Thomas Guyot-Sionnest]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andreas Ericsson wrote:
> Thomas Guyot-Sionnest wrote:
>> Not if the whole thing (binary + command + hosts allowed to run the
>> check) is digitally signed by HANDS by a system administrator using a
>> key that DOESN'T reside on the server and that each server VERIFY the
>> signature before accepting a new check. I'm not talking about automated
>> authentication between the server and client, I'm talking about
>> hand-made signatures that each system can verify to trust the new checks.
>>
> 
> So you'd basically want to re-invent SSH to do less than what it already
> does? Clever plan ;-)

Well, no. What I suggested is pretty much the same as what most Linux
distributions uses for their automatic updates. No ssh involved here
since the original proposal was to have NRPE do it.

Also I'm not pushing for it, I'm just arguing that it can be done safely.

> The problem, as I saw it from the start, was that check_nrpe should be
> capable of distributing the command *and* the plugin along with the
> request to run that same command, which obviously *has* to be automatic
> authentication. As soon as you involve an admin doing things manually,
> you step outside the world of Nagios and into the boring drudgery of
> system administration, in which there are already excellently secure
> ways of transferring files and settings, so all discussion in that
> area is either moot or belongs on some other list than this.

When you want to add a new NRPE check you have to do some manual work
anyway. You have to download/compile/install/write the new check, test
it, and then write the NRPE configuration. I just add one little step
here, make it a signed package that can be distributed automatically so
that the NRPE clients can trust it and install it.

The distribution will be automatic whenever a new host is added or
checks are added to a host, yet if someone manage to get root access to
that box he just won't be able to distribute new checks.

My point is just that it can be done in a very secure manner and still
be automatic. I don't need that feature and I'm not going to implement it.

- --
Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFG2GFL6dZ+Kt5BchYRAu+5AJ9VMFGwl6GqKM3Phz/Uc5R/a1gwWgCeMAZB
J8ut1PB8Y908MJNOdtcfv84=
=JQLU
-----END PGP SIGNATURE-----

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/