Re: [Nagios-devel] NRPE Code update post
Posted: Thu Jan 30, 2003 8:44 pm
Derrick -
Thanks for the diffs. The NRPE code in CVS right now supports
command arguments (without encryption yet). Rather than using the
EVP cipher functions directly, I think I'll probably end up going for
a full SSL connection. This should handle the encryption portion and
I think the connection handshake/negotiation should provide some
protection against replay attacks. Thoughts?
On 17 Jan 2003 at 8:16, Moe wrote:
> Ethan,
>
> Here are the diffs for the current code, and the changes to the Makefile are:
> LDFLAGS=-I/usr/local/ssl/include -L/usr/local/ssl/lib -R/usr/local/ssl/lib
> SOCKETLIBS= -lnsl -lsocket -lcrypto
>
> Things that need to be changed.
> - My coding is not the greatest, and parts of this were taken from openssl
> samples so there is always room for improvement.
> - The encryption PW is a static variable right now that I want to move to the
> config file and command line.
> - The Encryption Key salt is a static set right now and I want to make it more
> dynamic. I don't want to get into a whole Diffie key exchange setup though so I
> was thinking of basing it on date or day and hour. This just ensures that each day
> or hour the encoded data would be different.
> - While doing my best to not use strcpy's and only using length limited buffer
> commands I have not completed all the buffer checking overview. Encrypted data
> is weird in that you can't do strlen functions or other so the length has to be
> tracked. That is why I Hex convert the encrypted data to make it suitable for
> transport.
> - This only encrypts the packet buffer.
>
> All comments and code changes welcome.
> This is based on NRPE 1.6 source.
> Thanks for your time.
> Derrick
>
>
>
> Quoting Ethan Galstad :
>
> > Can you post a copy to the list? I'm about to start adding crypto
> > support to NRPE for support of command arguments and want to compare
> > this with libmcrypt before deciding what to use. Thanks.
> >
> >
> > On 15 Jan 2003 at 11:57, local.coder wrote:
> >
> > > Hello all,
> > >
> > > Been a while since I have made any changes and posted but this time
> > > it's kind of a biggy. I have been working on NRPE for the last few
> > > days and have added in tcp buffer encryption for the data going to
> > > and from check_nrpe to NRPE for a local requirement and wanted to get
> > > the code into the tree for others to use. Based on input from Ethan
> > > way back I have opted to use the OpenSSL libs for encryption so as to
> > > limit extra needs and options and to allow for easy adaptation and
> > > selection of encryption routines. However I am not the world's best
> > > programmer and would like at least one other person to review my
> > > diffs or full code for check_nrpe.c and nrpe.c to validate I haven't
> > > made any huge mistakes or missed something major. So if anyone would
> > > like to have a spin with it please email me and once it's all cleaned
> > > up I will post the diffs to here for the tree if everyone wants it.
> > >
> > > I also have not put in all the happy Defines that say only compile
> > > this if openssl is installed so that may take me some more time as is.
> > >
> > > Thoughts & comments welcome,
> > > Derrick
Ethan Galstad,
Nagios Developer
---
Email: [email protected]
Website: http://www.nagios.org
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
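
The length-tracking point in the quoted 17 Jan message (encrypted bytes can contain zeros, so `strlen` cannot measure them, and hex makes them string-safe for transport), shown as an added example that is not code from the posted diffs or from NRPE. The helper names `hex_encode` and `hex_decode` and the sample bytes are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample "ciphertext": note the embedded 0x00 bytes. */
static const unsigned char SAMPLE[6] = {0x9f, 0x00, 0x41, 0xc3, 0x00, 0x7e};

/* Hypothetical helper: hex-encode len raw bytes; -1 if out is too small. */
long hex_encode(const unsigned char *in, size_t len, char *out, size_t out_size)
{
    static const char digits[] = "0123456789abcdef";
    if (out_size == 0 || len > (out_size - 1) / 2)
        return -1;
    for (size_t i = 0; i < len; i++) {
        out[2 * i] = digits[in[i] >> 4];
        out[2 * i + 1] = digits[in[i] & 0x0f];
    }
    out[2 * len] = '\0';
    return (long)(2 * len);
}

static int nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20; /* fold A-F onto a-f */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Hypothetical helper: decode hex; -1 on odd length, bad digit or overflow. */
long hex_decode(const char *hex, unsigned char *out, size_t out_size)
{
    size_t n = strlen(hex); /* safe here: hex text has no embedded NUL */
    if (n % 2 != 0 || n / 2 > out_size)
        return -1;
    for (size_t i = 0; i < n / 2; i++) {
        int hi = nibble(hex[2 * i]), lo = nibble(hex[2 * i + 1]);
        if (hi < 0 || lo < 0)
            return -1;
        out[i] = (unsigned char)((hi << 4) | lo);
    }
    return (long)(n / 2);
}

int main(void)
{
    char hex[2 * sizeof SAMPLE + 1];
    long n = hex_encode(SAMPLE, sizeof SAMPLE, hex, sizeof hex);
    printf("strlen sees %zu of %zu bytes; hex form (%ld chars): %s\n",
           strlen((const char *)SAMPLE), sizeof SAMPLE, n, hex);
    return 0;
}
```

Both helpers take the destination size explicitly and return -1 rather than truncate, so a caller cannot silently send or accept a short buffer.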