compiling nsca-2.1 under Solaris8

8lb4fmllhm001 at sneakemail.com 8lb4fmllhm001 at sneakemail.com
Fri Aug 16 21:57:35 CEST 2002


Fred Im wrote:
> cons:
> 1) scalability, when nagios (or any other monitoring server) has to open an ssh
> session any time it wants to get data, it uses a pretty good amount of cpu
> time...

This did spring to mind.  :-/

> 2) security, seems funny, i know.  to use any scripted ssh daemon, you either
> have to put the passphrase somewhere or the password.  neither is a favorable
> way to go.  and the user you're logging in as on the remote host has to have
> login access, something you don't need for the nrpe daemon.

Actually, you can set up a null passphrase (at least with v.2), drop the public key on the clients (authorized_keys2) and keep the private key only on the Nagios host.  Optionally you can modify authorized_keys2 to limit what can be done whilst authenticating with that key.

As for login access... assuming you don't have root access to the client, and assuming you've only been granted the one login on the client... you don't have too many options for installing the plugins.

> simply put, using ssh, you have encrypted the traffic, but the user can run
> anything.  with nrpe, someone may see some odd traffic to the effect of "Test
> OK [5% of 6MB]", but they can only run what you've let them run in the nrpe.cfg
> file.

Again, with authorized_keys2, you can restrict which command(s) the user can run.  I might be wrong, but I think you can even specify from which IP address.  And it'll be a little difficult for them to run anything, if they don't have the password/private key.  ;)

NRPE does seem much more lightweight, but if the daemon exits (for whatever reason, including a naive sysadmin who does a "pkill nagios"), you're rooked.  Granted, the same can be said of sshd....  Okay, so I'm reaching here.  ;)


-----------------------------------------------------
Protect yourself from spam, use http://sneakemail.com
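
Added example, not part of the original message: a small audit of an authorized_keys / authorized_keys2 file that flags keys lacking the per-key restrictions discussed in this thread (a forced command= and a from= source list), plus forwarding and pty limits. The sample entries, plugin paths, address and key blobs are constructed placeholders.

```python
import re

KEY_TYPE = re.compile(r"^(ssh-|ecdsa-|sk-)")  # a line starting here has no options
LIMITS = {"no-port-forwarding", "no-x11-forwarding", "no-agent-forwarding", "no-pty"}

def split_options(line):
    """Return (options dict, remainder). The options field ends at the first
    whitespace outside double quotes; commas inside quotes do not split."""
    if KEY_TYPE.match(line):
        return {}, line
    fields, buf, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and quoted and line[i + 1:i + 2] == '"':
            buf += '"'; i += 2; continue          # escaped quote inside a value
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            fields.append(buf); buf = ""
        elif ch.isspace() and not quoted:
            break
        else:
            buf += ch
        i += 1
    fields.append(buf)
    opts = {f.partition("=")[0].lower(): f.partition("=")[2] for f in fields}
    return opts, line[i:].strip()

def audit(text):
    """Return [(line number, key comment, [issues])] for every key entry."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        issues = []
        if "command" not in opts:
            issues.append("no forced command: key allows an interactive shell")
        if "from" not in opts:
            issues.append("no from= source restriction")
        if "restrict" not in opts and not LIMITS.issubset(opts):
            issues.append("forwarding/pty not disabled")
        findings.append((n, " ".join(rest.split()[2:]) or "(no comment)", issues))
    return findings

# Constructed sample; paths and key blobs are placeholders, not real keys.
SAMPLE = """\
# nagios monitoring keys
ssh-rsa AAAAconstructed1 nagios@monitor
command="/usr/local/nagios/libexec/check_disk -w 20% -c 10% /",from="192.0.2.10",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAconstructed2 nagios@monitor
command="/usr/local/nagios/libexec/check_load -w 5,4,3 -c 10,8,6" ssh-dss AAAAconstructed3 nagios@monitor
"""

if __name__ == "__main__":
    for n, who, issues in audit(SAMPLE):
        print(n, who, issues or "restricted")
```

With a forced command in place, sshd runs that command regardless of what the client requests, so a passphrase-less monitoring key is limited to the one check it was issued for.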

