> sean finney wrote:
>> On Wednesday 29 August 2007 04:30:53 pm Andreas Ericsson wrote:
>>> francois basquin wrote:
>>>> - modifying nrpe to distribute the plugins on demand. The Nagios server
>>>> could hold the plugins repository, and send the ones missing to the
>>>> client. A timestamp checking should also be needed to distribute new
>>>> versions. Pros: no extra protocol. Cons: needs some development, may
>>>> introduce a lag on the first service call.
>>> Code speaks louder than words. Unfortunately, a very, very small percentage
>>> of the people reading emails on this list are competent programmers enough
>>> to hack up the ideas being sent to this list. Usually those of us who are
>>> aren't interested in making the changes necessary, so it dies down without
>>> ever being even prototyped.
>> furthermore, we're talking about a system where one host on the network
>> basically connects to another host and says "here, run this thing i'm about
>> to give you". i would be very skeptical of *anyone*'s implementation of
>> that, even that very small percentage
>
> That could easily be done in a secure manner, just require all
> distributed packages to be signed and have the public key reside on the
> servers. This is what most distributions already do under the hood for
> security updates.
>
Not really, no, since the whole idea of having pre-defined commands
in nrpe.cfg is to make sure that the rest of the network stays more
or less intact even if someone manages to obtain a user account on
the nagios server.
Ofcourse, if that user account is the root account, ssh keys allowing
distribution of programs and configuration files aren't secure either.
--
Andreas Ericsson [email protected]
OP5 AB www.op5.se
Tel: +46 8-230225 Fax: +46 8-230231
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]