On Thu, 07 Feb 2013, Matt Taggart wrote: > As pointed out in a previous message to the bug, #547092 > "nagios-nrpe-server: Insecure 'SSL' option, key identical for all > debian systems" is severity grave due to the security problem it > introduces in the service (but not critical since the problem is > limited to the nrpe service). I have adjusted it. > > This bug hasn't had any activity for almost a year and was mostly > shouting before that. This package shouldn't be in testing/stable > until this is fixed lest others (as I did) spend a bunch of effort > implementing lots of nrpe based checks before realizing they just > opened a security hole on all their systems... > > If this can't be solved, maybe we could recommend better > alternatives? In fact nothing is new here and security wouldn't change much with different keys. The implementation ist just broken. But if you have an idea to improve it, feel free to send a patch. (as long as it doesn't make nrpe incompatible to upstreams nrpe).
Alternatives would be check_by_ssh, check_mk, snmp. There are also some nrpe replacements flying around but I never tested one of them. Alex -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
