Re: [Nagios-devel] Distributing plugins
Posted: Wed Aug 29, 2007 10:05 pm
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 29/08/07 05:07 PM, Andreas Ericsson wrote:
> Thomas Guyot-Sionnest wrote:
>> That could easily be done in a secure manner, just require all
>> distributed packages to be signed and have the public key reside on the
>> servers. This is what most distributions already do under the hood for
>> security updates.
>>
>
> Not really, no, since the whole idea of having pre-defined commands
> in nrpe.cfg is to make sure that the rest of the network stays more
> or less intact even if someone manages to obtain a user account on
> the nagios server.
>
> Ofcourse, if that user account is the root account, ssh keys allowing
> distribution of programs and configuration files aren't secure either.
I was talking about digitally signing the stuff you send to the remote
daemons (binary or script + command + (optionally) allowed hosts). Of
course it's worth nothing if an unencrypted key is lying around the
server - ideally the key should be encrypted and sitting on the
administrator's computer.
Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFG1l4z6dZ+Kt5BchYRAhztAKCUEYp4b82FA1daCjYifLWIcYPNgQCfVLqF
Se5kjUvQOa5NlLy2rgaRi8g=
=piUV
-----END PGP SIGNATURE-----
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
Hash: SHA1
On 29/08/07 05:07 PM, Andreas Ericsson wrote:
> Thomas Guyot-Sionnest wrote:
>> That could easily be done in a secure manner, just require all
>> distributed packages to be signed and have the public key reside on the
>> servers. This is what most distributions already do under the hood for
>> security updates.
>>
>
> Not really, no, since the whole idea of having pre-defined commands
> in nrpe.cfg is to make sure that the rest of the network stays more
> or less intact even if someone manages to obtain a user account on
> the nagios server.
>
> Ofcourse, if that user account is the root account, ssh keys allowing
> distribution of programs and configuration files aren't secure either.
I was talking about digitally signing the stuff you send to the remote
daemons (binary or script + command + (optionally) allowed hosts). Of
course it's worth nothing if an unencrypted key is lying around the
server - ideally the key should be encrypted and sitting on the
administrator's computer.
Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFG1l4z6dZ+Kt5BchYRAhztAKCUEYp4b82FA1daCjYifLWIcYPNgQCfVLqF
Se5kjUvQOa5NlLy2rgaRi8g=
=piUV
-----END PGP SIGNATURE-----
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]