Kevin Keane wrote:
> Wouldn't the SSL certificates provide authentication comparable to SSH
> keys? I'm not familiar with how NRPE uses SSL, but I would assume that
> you could also use client certificates?
>
I am no expert but AFAIK it merely encrypts the traffic, i.e., no certificates at all. If someone knows how to use certificates please feel free to let me know so I can add it to NSClient++ but from what I have seen it is not possible...

// Michael Medin

> Michael Medin wrote:
>
>> Sorry to barge in (without reading the thread but...)
>>
>> Security wise NRPE lacks any form of authentication which is something
>> SSH has so in this regard SSH is the more secure one...
>>
>> // Michael Medin
>>
>> Idriss ARABBAJ wrote:
>>
>>> Hi Kevin,
>>>
>>> I carefully read your speech about this subject and I found you insist
>>> a lot on the security offered by ssh, but you can also configure
>>> nrpe to work with ssl so I think we will have no difference at this
>>> level, then what do you think?
>>> best regards
>>>
>>> 2009/3/25 Kevin Keane <subscript...@kkeane.com>:
>>>
>>>> I think you are comparing apples and oranges here, because in most
>>>> situations that I can think of, the decision is dictated by the network
>>>> topology. If you are exclusively on a trusted private network,
>>>> check_by_ssh really doesn't offer any benefits. Conversely, if your
>>>> topology involves the Internet or some other untrusted network (WiFi),
>>>> then you wouldn't want NRPE in the first place.
>>>>
>>>> The only exception to the above that I can think of is when it comes to
>>>> deciding between using check_by_ssh over an untrusted network, vs. NRPE
>>>> through some other kind of tunnel or VPN. But in that case, you'd incur
>>>> encryption overhead either way, and the comparison is very different
>>>> from the question you asked.
>>>>
>>>> All that said: I don't have any first-hand experience, but I suspect
>>>> that the impact of establishing 2200 ssh connections in a five-minute
>>>> span (assuming that you are using a five-minute check interval) is
>>>> pretty substantial. The main impact actually lies in establishing and
>>>> tearing down the connections, key negotiations etc.; the encryption
>>>> during the data phase probably has only limited impact because most
>>>> checks only transmit a few bytes back and forth.
>>>>
>>>> SSH does much better with longer-duration connections when the keys are
>>>> already exchanged. This is even more true if you have a router-based
>>>> VPN, because in that case the overhead is offloaded to a different machine.
>>>>
>>>> So if you have the option of sending the checks as NRPE through one or a
>>>> few long-term VPNs: you are probably going to be better off. Of course,
>>>> in the big picture, your mileage may vary.
>>>>
>>>> Christopher McAtackney wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I was wondering if someone could give a brief overview of the pros /
>>>>> cons of using NRPE to monitor my remote hosts versus using the
>>>>> check_by_ssh command?
>>>>>
>>>>> I'm aware that check_by_ssh increases the CPU overhead, but I'm not
>>>>> clear on the level of impact here - does this increase the load on the
>>>>> monitoring machine in direct relation to the number of hosts being
>>>>> monitored? For example, if I was using check_by_ssh to monitor, say,
>>>>> 2000 services spread across 200 hosts, would I experience significant
>>>>> slowdown on my monitoring machine?
>>>>>
>>>>> Cheers for any info,
>>>>>
>>>>> Chris