check_nrpe using certificates


Post by Fred Kroeger »

I need to set up monitoring at a site where it is mandatory to encrypt all comms and authenticate using certificates.
With nsclient++, I can see in nsclient.ini where I can define these, but where do I do this with the standard check_nrpe command on the Nagios Server?

I've seen the article referred to in other posts - https://web.archive.org/web/20130120204 ... ntication/
but my reading of this is that I need to install nsclient++ on the Nagios Server to implement certificates?

Are there any solutions using the standard check_nrpe command without having to install nsclient++ on the Nagios server - and I'm guessing on any Unix server that I need to monitor?

Thanks... Fred

Re: check_nrpe using certificates

Post by jdalrymple »

The nsclient solution is the only one I know of that uses NRPE as a protocol. FWIW - it does work well.

Your other secure options are NCPA and check_by_ssh.

Re: check_nrpe using certificates

Post by Box293 »

I did see the developer make this comment the other day:
https://github.com/mickem/nscp/issues/193
In the next version the plan is to create a light weight package with only check_nrpe to make transition easier
So it's on the horizon from the developer's point of view.

Re: check_nrpe using certificates

Post by Fred Kroeger »

Thanks for the feedback guys. I'll have to have a long think about this.

Re: check_nrpe using certificates

Post by WillemDH »

Hey Fred, I'm also working on this topic (https://github.com/mickem/nscp/issues/193 was created by me). I think it is already possible, but you do need some knowledge about CAs and PKI. Let us know if you decide to go the check_nrpe ssl way. As far as I know, in order to trust your connection, you will need a certificate signed by a CA.
Is this already possible with check_ncpa? I don't think a self-signed certificate is 100 % secure? Please correct me if I'm wrong.
Nagios XI 5.8.1
https://outsideit.net

Re: check_nrpe using certificates

Post by jdalrymple »

WillemDH wrote: I don't think a self-signed certificate is 100 % secure? Please correct me if I'm wrong.
As far as "secure" goes, it's as secure as the CA is. It is quite possible (and even fairly likely) that your CA is more secure than, say, Verisign or the like. When a root certificate (or any cert leading up to the root) is compromised, that's when security fails.

What you're probably thinking is trust. The fact of the matter is that by default check_ncpa.py will trust any certificate presented by the daemon, so while security is still potentially strong, trustworthiness isn't.

As for trusted certificate security in NCPA - it isn't there yet, but it's very much on the roadmap.

A timely blog post: https://googleonlinesecurity.blogspot.c ... urity.html
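
The difference between encryption and trust described in the post above, as an added example that is not part of the original thread and is not taken from check_ncpa.py or any Nagios code. The helper names (make_agent_context, trust_posture, peer_certificate) and their parameters are hypothetical; only the Python standard library ssl and socket modules are used.

```python
import socket
import ssl


def make_agent_context(verify=True, ca_file=None, client_cert=None, client_key=None):
    """Build a TLS client context for polling a monitoring agent (hypothetical helper)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # defaults: CERT_REQUIRED + hostname check
    if not verify:
        # Accept-any-certificate mode: traffic is encrypted, the peer is not identified.
        ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    elif ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # trust only the site's own CA
    else:
        ctx.load_default_certs()  # fall back to the system trust store
    if client_cert:
        # Certificate-based authentication of the poller to the agent (mutual TLS).
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def trust_posture(ctx):
    """Classify what a context actually guarantees about the peer."""
    if ctx.verify_mode == ssl.CERT_NONE:
        return "encrypted-only"
    if ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname:
        return "authenticated"
    return "chain-only"  # chain checked (or optional) but hostname not bound


def peer_certificate(host, port, ctx, timeout=5.0):
    """Handshake with the agent and return the validated certificate fields.

    Under CERT_NONE the handshake succeeds against any certificate and
    getpeercert() returns {} because nothing was validated.
    """
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for label, ctx in (("no verification", make_agent_context(verify=False)),
                       ("verified", make_agent_context())):
        print(label, "->", trust_posture(ctx))
```

A self-signed or internal CA certificate passed as ca_file gives the "authenticated" posture; the "encrypted-only" posture is what accepting any presented certificate amounts to.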

Re: check_nrpe using certificates

Post by Fred Kroeger »

Thanks all - I'm not sure that I want to install NSClient on the Nagios Server to allow the use of certificates when connecting to an agent.
I'm trying to keep my NagiosXI installation as standard as possible.
The check_nrpe command doesn't provide any options to pass certificate details to - but for us it would be the preferred command to use.
Do you have any info on using check_nrpe and certificates?

Fred

Re: check_nrpe using certificates

Post by jdalrymple »

Fred Kroeger wrote: Do you have any info on using check_nrpe and certificates ?
It's just not possible. Not part of the code.

I'd refer you back to my original post for the best alternatives:
jdalrymple wrote: Your other secure options are NCPA and check_by_ssh.

Re: check_nrpe using certificates

Post by Fred Kroeger »

Thanks - I guess you can close this.
Fred