Thomas Guyot-Sionnest wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 29/08/07 05:07 PM, Andreas Ericsson wrote:
>> Thomas Guyot-Sionnest wrote:
>>> That could easily be done in a secure manner, just require all
>>> distributed packages to be signed and have the public key reside on the
>>> servers. This is what most distributions already do under the hood for
>>> security updates.
>>>
>> Not really, no, since the whole idea of having pre-defined commands
>> in nrpe.cfg is to make sure that the rest of the network stays more
>> or less intact even if someone manages to obtain a user account on
>> the nagios server.
>>
>> Ofcourse, if that user account is the root account, ssh keys allowing
>> distribution of programs and configuration files aren't secure either.
>
> I was talking about digitally signing the stuff you send to the remote
> daemons (binary or script + command + (optionally) allowed hosts). Of
> course it's worth nothing if an unencrypted key is lying around the
> server - ideally the key should be encrypted and sitting on the
> administrator's computer.
>
Yes, I quite understood that. However, such a solution (where the sending
end distributes the check-commands along with the programs) would provide
a single point of entry to every nrpe-monitored machine in the the entire
network which is a very bad thing indeed.
--
Andreas Ericsson [email protected]
OP5 AB www.op5.se
Tel: +46 8-230225 Fax: +46 8-230231
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]