Off topic but...
Hi Michael

On Fri, 2013-02-08 at 00:55 +0100, Michael Friedrich wrote:
> i've tried the idea of the ssl x509 patch in an unofficial nrpe fork.
> lives in git here, until it dies, and will never get released, so
> beware: https://git.icinga.org/?p=icinga-irpe.git;a=summary

If nothing speaks against ssh (and at least the performance problems are IMHO solved), then I would suggest that the long term plan should be to drop any solution such as NRPE.
What it does is remotely executing commands - well we already have a protocol for that: ssh ... which supports many different auth methods (certs, ssh keys, krb, etc.)

> the nrpe implementation as is an entire mess, and one would rather
> rewrite it entirely than fix the ssl issue just for sanity. besides -
> the dh key gets generated on each configure run. so at least only the
> same package revisions share the same key.

That doesn't help,... still any other side with any other key can connect.

> the future in icinga regards will introduce a new agent, based on the
> (already in dev) existing icinga2 message protocol (native v4/v6, x509,
> compression). but it's not yet implemented as it's planned for a later
> milestone this year.

Does it give anything that ssh doesn't have? Another protocol is just another thing to develop, maintain and another attack target.

Cheers,
Chris.