Arguments/password encryption

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
reincarne
Posts: 146
Joined: Wed Jun 26, 2013 4:39 am

Arguments/password encryption

Post by reincarne »

Hi,
I would like to know if there is a way to encrypt my args in a service check, or at least how to work with an encrypted password in an argument instead of putting it in as plain text.


Thanks
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: Arguments/password encryption

Post by tmcdonald »

To share some of my previous posts on the matter:
tmcdonald wrote: The problem with encrypting a password is that it needs to be unencrypted in order to be used, and in order to unencrypt it you need the key. The key needs to be stored in plaintext otherwise it can't be used to decrypt the password. Then if you try to encrypt the key, you run into the same problem all over again.

One solution is to change the permissions on the file with the password in it to disallow anyone who is not the owner or in the correct group from reading it. Typically this would be something like chmod 660 /path/to/file but I can't say we've tested this.
tmcdonald wrote: Short answer: Not really something you can fix.

Long answer: Let's say we did encrypt the resource.cfg file and everything in it was gibberish to even the root user. Nagios would still need to decrypt that file in order to read its contents, which means you need a password to decrypt it. That password has to be stored in plain-text in order for Nagios to use it. If you store that password in a file then encrypt that file... you see where this is going.

Short answer again: Until all systems everywhere move to PKI there is no getting around passwords, and even then you have the problem of the key files being accessible.

Even shorter: You can't protect root from root.

Edit/Addendum: One way around this might be to set a password at compile-time that gets compiled into the nagios binary, but even that could fairly easily be ascertained by anyone with a basic understanding of binary formats.
Basically, you can use the resource.cfg file to obfuscate sensitive data, but not encrypt it - https://assets.nagios.com/downloads/nag ... Macros.pdf

Update: As a side note, in addition to my suggestion of hard-coding a password into the binary you could also implement a "password on start" wherein you input a master key each time the program starts (similar to how vault does it - https://www.vaultproject.io/docs/concepts/seal.html) but that would require someone typing it in every time the process restarts
Former Nagios employee
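As an added illustration of the mitigation tmcdonald describes (this is example code written for this page, not code from the thread, from Nagios, or from the Macros PDF linked above): keep the secret in a resource file using the $USERn$=value format, reference it from the command definition by macro name, and have the loader refuse the file outright when its permission bits are wider than 0660. The parsing below is a simplified re-implementation of the macro substitution Nagios performs, the sample resource.cfg contents and the check_db command are constructed for the example, and the temporary-directory demo stands in for the real Nagios etc directory. Note that the expanded command line is still handed to the plugin as arguments, which other local users can see in the process list, so this keeps the password out of the config files and out of reach of non-privileged readers, but it does not (and cannot) hide it from root.

```python
import os
import re
import stat
import tempfile

# Constructed sample in the $USERn$=value format of Nagios resource.cfg.
# Paths and values are made up for the example.
SAMPLE_RESOURCE_CFG = """\
# resource.cfg (constructed sample)
$USER1$=/usr/local/nagios/libexec
$USER3$=db_monitor
$USER4$=s3cr3t-example-password
"""

MACRO_LINE_RE = re.compile(r"^\$(USER\d+)\$=(.*)$")
MACRO_REF_RE = re.compile(r"\$(USER\d+)\$")


def load_user_macros(path, max_mode=0o660):
    """Parse $USERn$ macros from a resource file.

    Refuses to read the file when any permission bit outside max_mode is set
    (0660 = owner and group only), so a world-readable secrets file fails
    loudly instead of silently leaking.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & ~max_mode:
        raise PermissionError(
            f"{path} has mode {mode:04o}; expected no more than {max_mode:04o}")
    macros = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            m = MACRO_LINE_RE.match(line)
            if m:
                macros[m.group(1)] = m.group(2)
    return macros


def expand_macros(command_line, macros):
    """Substitute $USERn$ references in a command definition, the way Nagios
    does before running a check, so the password never appears in the
    object config that references it."""
    def repl(m):
        name = m.group(1)
        if name not in macros:
            raise KeyError(f"undefined macro ${name}$")
        return macros[name]
    return MACRO_REF_RE.sub(repl, command_line)


def write_sample(path):
    """Write the constructed sample with 0660 permissions (set explicitly,
    since the process umask may have tightened the mode given to os.open)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o660)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_RESOURCE_CFG)
    os.chmod(path, 0o660)


def demo():
    """Expand a constructed check command from a correctly protected resource
    file, then show that a world-readable copy of the same file is rejected.
    Returns (expanded_command, world_readable_copy_was_rejected)."""
    with tempfile.TemporaryDirectory() as tmpdir:
        good = os.path.join(tmpdir, "resource.cfg")
        write_sample(good)
        cmd = expand_macros("$USER1$/check_db -u $USER3$ -p $USER4$",
                            load_user_macros(good))

        bad = os.path.join(tmpdir, "resource_world_readable.cfg")
        write_sample(bad)
        os.chmod(bad, 0o664)  # group-writable is fine; the extra "other" bit is not
        try:
            load_user_macros(bad)
            rejected = False
        except PermissionError:
            rejected = True
    return cmd, rejected


if __name__ == "__main__":
    expanded, rejected = demo()
    print("expanded command:", expanded)
    print("world-readable file rejected:", rejected)
```

The permission check uses the file's mode bits rather than trying to guess who might read it; a setuid/setgid bit or any "other" bit trips it, and a stricter mode such as 0640 passes. In a real deployment the owner and group of the resource file should be the user and group Nagios runs as, and the check would run at daemon start so a misconfiguration is caught before any command is expanded.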
reincarne
Posts: 146
Joined: Wed Jun 26, 2013 4:39 am

Re: Arguments/password encryption

Post by reincarne »

Thanks for the answer.
What we did in the end is encrypt a password with a key, and with the same key decrypt the password on the other side. So in general, we pass an encrypted key in the argument, so it kinda solved our problem :)
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: Arguments/password encryption

Post by tmcdonald »

Great! Are we all good to close this up?
Former Nagios employee
reincarne
Posts: 146
Joined: Wed Jun 26, 2013 4:39 am

Re: Arguments/password encryption

Post by reincarne »

tmcdonald wrote: Great! Are we all good to close this up?
Yes you can.