Query on NSClient authentication details

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
bsivavani
Posts: 339
Joined: Tue Oct 06, 2015 9:17 am

Post by bsivavani »

Hi,

We have observed that the check_nt plugin uses the password with the -s option and it is in decrypted format (plain text).

Kindly let us know if there is any way to encrypt the password, as the user doesn't want to see the nsclient password in the nsclient.ini file due to some security reasons.

Kindly let us know if there is any process to encrypt the nsclient password or any suggestions on this request.
lmiltchev
Bugs find me
Posts: 13589
Joined: Mon May 23, 2011 12:15 pm

Re: Query on NSClient authentication details

Post by lmiltchev »

I don't believe there is a method to encrypt the NSClient++ password (for check_nt), however you could place it in a user macro. This way, it won't be in "plain sight" - it will be stored in a file (/usr/local/nagios/etc/resource.cfg) on the Nagios XI server.

To find out how to implement user macros in Nagios XI, please review our documentation on the topic below:

https://assets.nagios.com/downloads/nag ... Macros.pdf
Be sure to check out our Knowledgebase for helpful articles and solutions!
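
An added example, not part of the original thread or of Nagios' own tooling: one way to audit command definitions on the Nagios server for check_nt passwords passed to -s as literals instead of through a user macro as suggested above. The sample definitions, the password "ExamplePassw0rd" and the choice of $USER5$ are constructed for illustration.

```python
import re
import shlex

# Constructed sample command definitions (not taken from the thread).
# "ExamplePassw0rd" and $USER5$ are made-up values for illustration.
SAMPLE_CFG = """
define command {
    command_name    check_nt_literal
    command_line    $USER1$/check_nt -H $HOSTADDRESS$ -p 12489 -s ExamplePassw0rd -v $ARG1$
}
define command {
    command_name    check_nt_macro
    command_line    $USER1$/check_nt -H $HOSTADDRESS$ -p 12489 -s $USER5$ -v $ARG1$
}
define command {
    command_name    check_nt_arg
    command_line    $USER1$/check_nt -H $HOSTADDRESS$ -p 12489 -s "$ARG1$" -v $ARG2$
}
"""

BLOCK = re.compile(r"define\s+command\s*\{(.*?)\}", re.S)
FIELD = re.compile(r"^\s*(command_name|command_line)\s+(.+?)\s*$", re.M)

def classify_secret(value):
    """Classify the token that follows -s on a check_nt command line."""
    if re.fullmatch(r"\$USER\d+\$", value):
        return "user-macro"   # resolved from resource.cfg at run time
    if re.fullmatch(r"\$ARG\d+\$", value):
        return "argument"     # supplied per service; review those definitions
    return "literal"          # password written directly into the command

def audit_check_nt(cfg_text):
    """Return {command_name: classification} for every check_nt command."""
    findings = {}
    for block in BLOCK.findall(cfg_text):
        fields = dict(FIELD.findall(block))
        tokens = shlex.split(fields.get("command_line", ""))
        if not any(t.endswith("check_nt") for t in tokens):
            continue
        if "-s" in tokens[:-1]:
            value = tokens[tokens.index("-s") + 1]
            findings[fields.get("command_name", "?")] = classify_secret(value)
    return findings

if __name__ == "__main__":
    for name, kind in audit_check_nt(SAMPLE_CFG).items():
        print(f"{name}: {kind}")
```

A "literal" result is a definition to move to a user macro; an "argument" result means the password comes from each service's check_command arguments, which need the same review.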
manojkonda
Posts: 10
Joined: Tue Aug 09, 2016 12:04 pm

Re: Query on NSClient authentication details

Post by manojkonda »

Hi lmiltchev,

Thanks for the reply.

If I'm not wrong, it looks like these macros are created on the Nagios XI server to hide the passwords mentioned in the commands.

But what we are looking for is to hide/encrypt the password that is mentioned in the nsclient.ini file due to some security issues.

Is it possible to hide or encrypt that password?
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: Query on NSClient authentication details

Post by mcapra »

You should be able to run the agent with the -encrypt flag to obfuscate the password in the NSClient++ configuration file. This isn't actually "encrypting" anything, but the password will at least not be stored in plain-text.

[Settings]
;# OBFUSCATED PASSWORD
; This is the same as the password option but here you can store the password in an obfuscated manner.
; *NOTICE* obfuscation is *NOT* the same as encryption, someone with access to this file can still figure out the
; password. Its just a bit harder to do it at first glance.
;obfuscated_password=Jw0KAUUdXlAAUwASDAAB

More info here:
https://sourceforge.net/p/nscplus/discu ... /1be0e533/
Former Nagios employee
https://www.mcapra.com/
lmiltchev
Bugs find me
Posts: 13589
Joined: Mon May 23, 2011 12:15 pm

Re: Query on NSClient authentication details

Post by lmiltchev »

Thanks @mcapra!

@manojkonda, did mcapra answer your question?
manojkonda
Posts: 10
Joined: Tue Aug 09, 2016 12:04 pm

Re: Query on NSClient authentication details

Post by manojkonda »

@mcapra, thank you for the response. We will check this option.

Is it possible to encrypt the password completely rather than just obfuscating it? We have a setup which is completely secured, and the client doesn't want any of these passwords to be mentioned anywhere without encrypting them.

Any help on this is much appreciated.

Thank you!
lmiltchev
Bugs find me
Posts: 13589
Joined: Mon May 23, 2011 12:15 pm

Re: Query on NSClient authentication details

Post by lmiltchev »

Again, I don't think it is possible to encrypt the check_nt password in NSClient++.

https://sourceforge.net/p/nscplus/discu ... /1be0e533/

I would recommend asking the developer of NSClient++ directly. He should be able to clarify this for you.
bsivavani
Posts: 339
Joined: Tue Oct 06, 2015 9:17 am

Re: Query on NSClient authentication details

Post by bsivavani »

mcapra wrote: You should be able to run the agent with the -encrypt flag to obfuscate the password in the NSClient++ configuration file. This isn't actually "encrypting" anything, but the password will at least not be stored in plain-text.

Can you suggest how to use the -encrypt option to generate an obfuscated password?

We tried as mentioned in the link below, but we didn't find the NSClient++.exe file anywhere in C:\Program Files\NSclient
https://sourceforge.net/p/nscplus/discu ... /1be0e533/
lmiltchev
Bugs find me
Posts: 13589
Joined: Mon May 23, 2011 12:15 pm

Re: Query on NSClient authentication details

Post by lmiltchev »

This is an old post. The executable is called nscp.exe now (not NSClient++.exe). It is usually located in the "C:\Program Files\NSClient++" directory.

Having said that, I tried running "nscp -encrypt", but this didn't work for me. It seems like this option is no longer available (in the newer versions of NSClient++), at least I don't see it in the help menu. There has been a push towards deprecating check_nt, and using check_nrpe instead, so it is possible that the "-encrypt" option has been removed.

Again, I would recommend posting your question on the NSClient++ support forum, and getting some clarification by the developer. Thank you!
bsivavani
Posts: 339
Joined: Tue Oct 06, 2015 9:17 am

Re: Query on NSClient authentication details

Post by bsivavani »

Thanks for the update. We have posted on the NSClient++ forum.