Hi,

Recent expanded usage of my NRPE daemons has gotten me thinking about better authentication and authorization.

It seems that NRPE is quite lacking in authentication (there is none!). Most of us work around this deficiency by wrapping it in xinetd to restrict IP addresses to the monitoring server(s) (at least I do). However, this does not really solve anything.

There are two problems with even just IP limiting NRPE calls. Firstly, IP spoofing. Secondly, what if there is more than 1 user account on a server? Any user or developer who has an account on any IP authorized machine can issue NRPE calls to any server running NRPE. This is a real problem if you want to use NRPE to issue remote restarts or take any remedial action that you want to control. Even just the data leakage issue can be quite serious.

So... Is there any chance we can have authentication added to NRPE like we do with NSCA, where you must have at the very least a shared secret?

Going one step further, is it possible to have separate credentials limited to separate calls? This would be most helpful for event handlers... or for different monitoring servers or user accounts.

Thanks

-h

--
Hari Sekhon

_______________________________________________
Nagios-users mailing list
Nagios-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
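The two requests in the message above (a shared secret, and separate credentials limited to separate calls) can be sketched as follows. This is an added example, not part of the original post and not NRPE or NSCA code: the credential names, secrets, command names and message layout are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample data (hypothetical): one secret and one command
# allowlist per credential, so an event handler key cannot run checks
# and a monitoring key cannot trigger restarts.
CREDENTIALS = {
    "monitor1": {"secret": b"constructed-secret-A",
                 "allowed": {"check_load", "check_disk"}},
    "eventhandler": {"secret": b"constructed-secret-B",
                     "allowed": {"restart_httpd"}},
}
MAX_SKEW = 30  # seconds a signed request stays valid


def sign_request(key_id, secret, command, timestamp):
    """Caller side: HMAC-SHA256 over key id, timestamp and command."""
    msg = f"{key_id}\n{timestamp}\n{command}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def authorize(key_id, command, timestamp, mac, now, seen):
    """Daemon side: authenticate first, then authorize the command.

    `seen` is a set of already accepted requests; entries older than
    MAX_SKEW may be purged by the caller. Returns (allowed, reason).
    """
    cred = CREDENTIALS.get(key_id)
    if cred is None:
        return False, "unknown credential"
    expected = sign_request(key_id, cred["secret"], command, timestamp)
    # Constant-time comparison; source IP plays no part in the decision.
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return False, "bad MAC"
    if abs(now - timestamp) > MAX_SKEW:
        return False, "stale timestamp"
    if (key_id, timestamp, mac) in seen:
        return False, "replay"
    if command not in cred["allowed"]:
        return False, "command not permitted for this credential"
    seen.add((key_id, timestamp, mac))
    return True, "ok"
```

A MAC of this kind authenticates the caller but does not encrypt the response, so it does not by itself address the data leakage concern raised in the message.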