Update to the latest version. Has more modern SSL/TLS support and 2048 bit DH keys.
Moved MASTER_SITES to GitHub. Removed no_ssl FLAVOR as the -n command line switch will disable all SSL. Switched to LibreSSL. I believe this means 512 bit DH keys won't work but DH is being deprecated altogether anyway. I've left command args disabled but it's a config option so if we think people use it and accept the risk, I could compile it in. I've tested plain text with -n and DH (which is the default) but haven't gotten to SSL, yet. I've only been testing with check_nrpe on an amd64 system. Trying to get some early feedback on the port and patches. Versions and support differ between OpenSSL and LibreSSL so I am hoping I made the right choices. Tim. Index: Makefile =================================================================== RCS file: /cvs/ports/net/nagios/nrpe/Makefile,v retrieving revision 1.34 diff -u -p -r1.34 Makefile --- Makefile 12 Jul 2019 20:48:33 -0000 1.34 +++ Makefile 10 Nov 2019 01:05:46 -0000 @@ -2,8 +2,8 @@ COMMENT= Nagios Remote Plugin Executor -DISTNAME= nrpe-2.15 -REVISION= 10 +DISTNAME= nrpe-3.2.1 + CATEGORIES= net HOMEPAGE= http://www.nagios.org/ 
@@ -11,40 +11,28 @@ HOMEPAGE= http://www.nagios.org/ # GPL PERMIT_PACKAGE= Yes -WANTLIB= c - -FLAVOR?= -FLAVORS= no_ssl +WANTLIB= c crypto ssl -MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=nagios/} +MASTER_SITES= https://github.com/NagiosEnterprises/nrpe/releases/download/${DISTNAME}/ RUN_DEPENDS= net/monitoring-plugins CONFIGURE_STYLE= gnu CONFIGURE_ARGS+= --libexecdir=${LOCALBASE}/libexec/nagios \ --with-nrpe-user=_nrpe \ - --with-nrpe-group=_nrpe - -.if ${FLAVOR:Mno_ssl} -CONFIGURE_ARGS+= --disable-ssl -.else -WANTLIB+= lib/eopenssl/crypto lib/eopenssl/ssl -LIB_DEPENDS= security/openssl/1.0.2 -CONFIGURE_ENV= CFLAGS="${CFLAGS} -nostdinc -I${LOCALBASE}/include/eopenssl -I/usr/include" \ - LDFLAGS="-L${LOCALBASE}/lib/eopenssl -Wl,-rpath,${LOCALBASE}/lib/eopenssl" -.endif - -pre-configure: - @${SUBST_CMD} ${WRKSRC}/src/nrpe.c + --with-nrpe-group=_nrpe \ + --with-piddir=/var/run/nrpe do-install: ${INSTALL_DATA_DIR} ${PREFIX}/libexec/nagios ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/nrpe ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/nrpe - ${INSTALL_DATA} ${WRKSRC}/README ${PREFIX}/share/doc/nrpe - ${INSTALL_DATA} ${WRKSRC}/SECURITY ${PREFIX}/share/doc/nrpe + ${INSTALL_DATA} ${WRKSRC}/README*.md ${PREFIX}/share/doc/nrpe + ${INSTALL_DATA} ${WRKSRC}/SECURITY.md ${PREFIX}/share/doc/nrpe + ${INSTALL_DATA} ${WRKSRC}/docs/NRPE.* ${PREFIX}/share/doc/nrpe ${INSTALL_DATA} ${WRKSRC}/sample-config/nrpe.cfg ${PREFIX}/share/examples/nrpe ${INSTALL_PROGRAM} ${WRKSRC}/src/check_nrpe ${PREFIX}/libexec/nagios + ${INSTALL_PROGRAM} ${WRKSRC}/update-cfg.pl ${PREFIX}/libexec/nagios ${INSTALL_PROGRAM} ${WRKSRC}/src/nrpe ${PREFIX}/sbin NO_TEST= Yes Index: distinfo =================================================================== RCS file: /cvs/ports/net/nagios/nrpe/distinfo,v retrieving revision 1.10 diff -u -p -r1.10 distinfo --- distinfo 17 Sep 2013 21:22:26 -0000 1.10 +++ distinfo 10 Nov 2019 01:05:46 -0000 
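Review bot: In do-install, `update-cfg.pl` is a Perl script but is installed with `${INSTALL_PROGRAM}`, which is meant for compiled binaries; `${INSTALL_SCRIPT} ${WRKSRC}/update-cfg.pl ${PREFIX}/libexec/nagios` is the matching macro. It also lands in the plugin directory next to check_nrpe although, judging by its name, it is a config helper rather than a check, so it is worth deciding whether it belongs there or in the package at all. Separately, `--with-piddir=/var/run/nrpe` assumes that directory exists and is writable by the daemon at start. The rc script is not part of this diff, so please confirm it still creates the directory with `_nrpe` ownership.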
@@ -1,2 +1,2 @@
-SHA256 (nrpe-2.15.tar.gz) = Zjg7fTZ94lugMdN3Ytg+K1XeAQxXMAnG9YJwsTcTEHI=
-SIZE (nrpe-2.15.tar.gz) = 419695
+SHA256 (nrpe-3.2.1.tar.gz) = itLRhGq5AR/dKUK4/AyZ362al+V/Sj5uOUpOrZnA8fA=
+SIZE (nrpe-3.2.1.tar.gz) = 518015
Index: patches/patch-configure
===================================================================
RCS file: /cvs/ports/net/nagios/nrpe/patches/patch-configure,v
retrieving revision 1.5
diff -u -p -r1.5 patch-configure
--- patches/patch-configure 17 Sep 2013 21:22:27 -0000 1.5
+++ patches/patch-configure 10 Nov 2019 01:05:46 -0000
@@ -1,12 +0,0 @@
-$OpenBSD: patch-configure,v 1.5 2013/09/17 21:22:27 sthen Exp $
---- configure.orig Fri Sep 6 16:27:13 2013
-+++ configure Tue Sep 17 22:16:49 2013
-@@ -6714,7 +6714,7 @@ echo $ECHO_N "checking for SSL libraries... $ECHO_C" >
- else
- soext="so"
- fi
-- if test -f "$dir/libssl.$soext"; then
-+ if test -f "$dir/libssl.$soext" -o -f "$dir/libssl.a"; then
- found_ssl=yes
- break
- fi
Index: patches/patch-sample-config_nrpe_cfg_in
===================================================================
RCS file: /cvs/ports/net/nagios/nrpe/patches/patch-sample-config_nrpe_cfg_in,v
retrieving revision 1.2
diff -u -p -r1.2 patch-sample-config_nrpe_cfg_in
--- patches/patch-sample-config_nrpe_cfg_in 17 Apr 2013 15:15:16 -0000 1.2
+++ patches/patch-sample-config_nrpe_cfg_in 10 Nov 2019 01:05:46 -0000
@@ -4,23 +4,15 @@ $OpenBSD: patch-sample-config_nrpe_cfg_i not existing, it's stupid to check individual FS when they're split up as usual with OpenBSD. ---- sample-config/nrpe.cfg.in.orig Mon Dec 17 13:44:46 2012 -+++ sample-config/nrpe.cfg.in Wed Apr 17 15:35:57 2013 -@@ -23,7 +23,7 @@ log_facility=@log_facility@ - # number. The file is only written if the NRPE daemon is started by the root - # user and is running in standalone mode. +Index: sample-config/nrpe.cfg.in +--- sample-config/nrpe.cfg.in.orig ++++ sample-config/nrpe.cfg.in +@@ -297,7 +297,7 @@ connection_timeout=300 --pid_file=/var/run/nrpe.pid -+pid_file=/var/run/nrpe/nrpe.pid - - - -@@ -218,7 +218,7 @@ connection_timeout=300 - - command[check_users]=@libexecdir@/check_users -w 5 -c 10 - command[check_load]=@libexecdir@/check_load -w 15,10,5 -c 30,25,20 --command[check_hda1]=@libexecdir@/check_disk -w 20% -c 10% -p /dev/hda1 -+command[check_disk]=@libexecdir@/check_disk -w 20% -c 10% - command[check_zombie_procs]=@libexecdir@/check_procs -w 5 -c 10 -s Z - command[check_total_procs]=@libexecdir@/check_procs -w 150 -c 200 + command[check_users]=@pluginsdir@/check_users -w 5 -c 10 + command[check_load]=@pluginsdir@/check_load -r -w .15,.10,.05 -c .30,.25,.20 +-command[check_hda1]=@pluginsdir@/check_disk -w 20% -c 10% -p /dev/hda1 ++command[check_disk]=@pluginsdir@/check_disk -w 20% -c 10% + command[check_zombie_procs]=@pluginsdir@/check_procs -w 5 -c 10 -s Z + command[check_total_procs]=@pluginsdir@/check_procs -w 150 -c 200 Index: patches/patch-src_check_nrpe_c =================================================================== RCS file: patches/patch-src_check_nrpe_c diff -N patches/patch-src_check_nrpe_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_check_nrpe_c 10 Nov 2019 01:05:46 -0000 
@@ -0,0 +1,41 @@ +$OpenBSD$ + +Index: src/check_nrpe.c +--- src/check_nrpe.c.orig ++++ src/check_nrpe.c +@@ -148,11 +148,7 @@ int main(int argc, char **argv) + if (timeout_return_code == -1) + timeout_return_code = STATE_CRITICAL; + if (sslprm.cipher_list[0] == '\0') +-#if OPENSSL_VERSION_NUMBER >= 0x10100000 +- strncpy(sslprm.cipher_list, "ALL:!MD5:@STRENGTH:@SECLEVEL=0", MAX_FILENAME_LENGTH - 1); +-#else + strncpy(sslprm.cipher_list, "ALL:!MD5:@STRENGTH", MAX_FILENAME_LENGTH - 1); +-#endif + if (sslprm.ssl_proto_ver == SSL_Ver_Invalid) + sslprm.ssl_proto_ver = TLSv1_plus; + if (sslprm.allowDH == -1) +@@ -723,11 +719,7 @@ void usage(int result) + printf(" TLSv1.2 TLS v1.2 only\n"); + printf(" TLSv1.2+ TLS v1.2 or above\n"); + printf(" -L, --cipher-list=LIST The list of SSL ciphers to use (currently defaults\n"); +-#if OPENSSL_VERSION_NUMBER >= 0x10100000 +- printf(" to \"ALL:!MD5:@STRENGTH:@SECLEVEL=0\". THIS WILL change in a future release.)\n"); +-#else + printf(" to \"ALL:!MD5:@STRENGTH\". THIS WILL change in a future release.)\n"); +-#endif + printf(" -C, --client-cert=FILE The client certificate to use for PKI\n"); + printf(" -K, --key-file=FILE The private key to use with the client certificate\n"); + printf(" -A, --ca-cert-file=FILE The CA certificate to use for PKI\n"); +@@ -960,11 +952,7 @@ void setup_ssl() + } else { + /* use anonymous DH ciphers */ + if (sslprm.allowDH == 2) { +-#if OPENSSL_VERSION_NUMBER >= 0x10100000 +- strncpy(sslprm.cipher_list, "ADH@SECLEVEL=0", MAX_FILENAME_LENGTH - 1); +-#else + strncpy(sslprm.cipher_list, "ADH", MAX_FILENAME_LENGTH - 1); +-#endif + } + } + Index: patches/patch-src_nrpe_c =================================================================== RCS file: /cvs/ports/net/nagios/nrpe/patches/patch-src_nrpe_c,v retrieving revision 1.10 diff -u -p -r1.10 patch-src_nrpe_c --- patches/patch-src_nrpe_c 23 Mar 2015 09:16:55 -0000 1.10 +++ patches/patch-src_nrpe_c 10 Nov 2019 01:05:46 -0000 
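Review bot: Deleting the `#if OPENSSL_VERSION_NUMBER >= 0x10100000` branches outright at the three sites in this patch (main, usage, setup_ssl) makes the port diverge from upstream more than it needs to. A guard such as `#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)` keeps the `@SECLEVEL=0` strings away from LibreSSL and is something upstream could accept. The same applies to the two sites in patches/patch-src_nrpe_c. Independently of the guard, the defaults that remain, `ALL:!MD5:@STRENGTH` and `ADH`, still permit anonymous DH, which encrypts the session without authenticating the peer. Since the description says SSL has not been tested yet, a certificate-based setup should be verified against LibreSSL before commit, and users pointed at README.SSL.md for it.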
@@ -1,98 +1,38 @@ -$OpenBSD: patch-src_nrpe_c,v 1.10 2015/03/23 09:16:55 sthen Exp $ +$OpenBSD$ -- http://seclists.org/fulldisclosure/2014/Apr/240 plus \r suggested on oss-sec -- fix reading of non-blocking sockets -- don't remove the pidfile when accept(2) or getpeername(2) fail. - Author: Hiren Patel - 
From: http://comments.gmane.org/gmane.network.nagios.devel/6774 - Bug-Ubuntu: https://launchpad.net/bugs/1126890 - ---- src/nrpe.c.orig Fri Sep 6 16:27:13 2013 -+++ src/nrpe.c Mon Mar 23 09:01:19 2015 -@@ -30,6 +30,8 @@ - #include "utils.h" - #include "acl.h" - -+#include <poll.h> -+ - #ifdef HAVE_SSL - #include "../include/dh.h" - #endif -@@ -53,7 +55,7 @@ int use_ssl=FALSE; - - #define DEFAULT_COMMAND_TIMEOUT 60 /* default timeout for execution of plugins */ - #define MAXFD 64 --#define NASTY_METACHARS "|`&><'\"\\[]{};" -+#define NASTY_METACHARS "|`&><'\"\\[]{};\r\n" - #define howmany(x,y) (((x)+((y)-1))/(y)) - #define MAX_LISTEN_SOCKS 16 - -@@ -61,7 +63,7 @@ int use_ssl=FALSE; - char *command_name=NULL; - char *macro_argv[MAX_COMMAND_ARGUMENTS]; - --char config_file[MAX_INPUT_BUFFER]="nrpe.cfg"; -+char config_file[MAX_INPUT_BUFFER]="/etc/nrpe.cfg"; - int log_facility=LOG_DAEMON; - int server_port=DEFAULT_SERVER_PORT; - char server_address[NI_MAXHOST]=""; -@@ -100,7 +102,9 @@ int debug=FALSE; - int use_src=FALSE; /* Define parameter for SRC option */ - - -+#ifdef HAVE_SSL - void complete_SSL_shutdown( SSL *); -+#endif +Index: src/nrpe.c +--- src/nrpe.c.orig ++++ src/nrpe.c +@@ -83,7 +83,7 @@ struct addrinfo *listen_addrs = NULL; + int listen_socks[MAX_LISTEN_SOCKS]; + char remote_host[MAX_HOST_ADDRESS_LENGTH]; + char *macro_argv[MAX_COMMAND_ARGUMENTS]; +-char config_file[MAX_INPUT_BUFFER] = "nrpe.cfg"; ++char config_file[MAX_INPUT_BUFFER] = "/etc/nrpe.cfg"; + char server_address[NI_MAXHOST] = ""; + char *command_name = NULL; + int log_facility = LOG_DAEMON; +@@ -147,11 +147,7 @@ struct _SSL_PARMS { + ClntCerts client_certs; + SslLogging log_opts; + } sslprm = { +-#if OPENSSL_VERSION_NUMBER >= 0x10100000 +-NULL, NULL, NULL, "ALL:!MD5:@STRENGTH:@SECLEVEL=0", TLSv1_plus, TRUE, 0, SSL_NoLogging}; +-#else + NULL, NULL, NULL, "ALL:!MD5:@STRENGTH", TLSv1_plus, TRUE, 0, SSL_NoLogging}; +-#endif - int main(int argc, char **argv){ -@@ -969,8 +973,14 @@ void 
wait_for_connections(void){ - continue; - - /* socket is nonblocking and we don't have a connection yet */ -- if(errno==EAGAIN) -+ if(errno==EAGAIN){ -+ struct pollfd pfd; -+ -+ pfd.fd = sock; -+ pfd.events = POLLIN; -+ poll(&pfd,1,-1); - continue; -+ } - - /* fix for HP-UX 11.0 - just retry */ - if(errno==ENOBUFS) -@@ -998,7 +1008,7 @@ void wait_for_connections(void){ - /* close socket prioer to exiting */ - close(sock); - -- return; -+ exit(STATE_CRITICAL); - } - - /* handle signals */ -@@ -1022,7 +1032,7 @@ void wait_for_connections(void){ - /* close socket prior to exiting */ - close(new_sd); - -- return; -+ exit(STATE_CRITICAL); - } - - /* is this is a blessed machine? */ -@@ -1796,6 +1806,7 @@ int remove_pid_file(void){ - return OK; - } - -+#ifdef HAVE_SSL - void complete_SSL_shutdown( SSL *ssl) { - - /* -@@ -1816,6 +1827,7 @@ void complete_SSL_shutdown( SSL *ssl) { - if( SSL_shutdown( ssl)) break; - } - } -+#endif + #ifdef HAVE_SSL +@@ -445,11 +441,7 @@ void init_ssl(void) + } else { + /* use anonymous DH ciphers */ + if (sslprm.allowDH == 2) { +-#if OPENSSL_VERSION_NUMBER >= 0x10100000 +- strncpy(sslprm.cipher_list, "ADH@SECLEVEL=0", MAX_FILENAME_LENGTH - 1); +-#else + strncpy(sslprm.cipher_list, "ADH", MAX_FILENAME_LENGTH - 1); +-#endif + } - /* bail if daemon is running as root */ - int check_privileges(void){ + #ifdef USE_SSL_DH Index: patches/patch-subst_in =================================================================== RCS file: /cvs/ports/net/nagios/nrpe/patches/patch-subst_in,v retrieving revision 1.1 diff -u -p -r1.1 patch-subst_in --- patches/patch-subst_in 3 Apr 2019 14:01:29 -0000 1.1 +++ patches/patch-subst_in 10 Nov 2019 01:05:46 -0000 
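Review bot: The rewritten patch drops every earlier local fix to src/nrpe.c, and neither the patch header nor the description says that 3.2.1 already carries them. The dropped fixes are `\r\n` added to `NASTY_METACHARS`, the `poll()` wait on `EAGAIN` in wait_for_connections, the `exit(STATE_CRITICAL)` that replaced `return` after the accept/getpeername failures, and the `HAVE_SSL` guards around complete_SSL_shutdown. Please confirm each against the 3.2.1 source and record the result in the commit message. Check the metacharacter change first, since it was the response to the 2014 full-disclosure report cited in the old header. Any fix that turns out to be missing upstream should be re-added here rather than silently lost.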
@@ -1,21 +0,0 @@ -$OpenBSD: patch-subst_in,v 1.1 2019/04/03 14:01:29 naddy Exp $ - -Index: subst.in ---- subst.in.orig -+++ subst.in -@@ -25,13 +25,13 @@ sub replace_var { - } - } - my $replacement = $cvp->{ $varname}->{ "value"}; -- $$filep =~ s/\${$varname}/$replacement/g; -+ $$filep =~ s/\$\{$varname}/$replacement/g; - $cvp->{ $varname}->{ "replaced"} = 1; - } - - # Figure out the dependencies. - foreach my $cv ( keys %configvars ) { -- if( $configvars{ $cv}->{ "value"} =~ /\${([^}]+)}/) { -+ if( $configvars{ $cv}->{ "value"} =~ /\$\{([^}]+)}/) { - my $dependency = $1; - if( exists( $configvars{ $dependency})) { - $configvars{ $dependency}->{ "dependency"} = $cv; Index: pkg/DESCR =================================================================== RCS file: /cvs/ports/net/nagios/nrpe/pkg/DESCR,v retrieving revision 1.2 diff -u -p -r1.2 DESCR --- pkg/DESCR 23 Mar 2015 09:16:55 -0000 1.2 +++ pkg/DESCR 10 Nov 2019 01:05:46 -0000 @@ -2,8 +2,5 @@ NRPE is an addon for Nagios that allows (like check_disk, check_procs, etc.) on remote hosts. The check_nrpe plugin is called from Nagios and makes plugin execution requests to the NRPE daemon running on the remote host (either as a standalone daemon -or as a service under inetd). Supports passing command arguments to -server, as well as native SSL/TLS encryption (anonymous DH mode). - -Flavours: - no_ssl - disable SSL support +or as a service under inetd). Supports native SSL/TLS encryption and +(deprecated) anonymous DH mode. Index: pkg/PLIST =================================================================== RCS file: /cvs/ports/net/nagios/nrpe/pkg/PLIST,v retrieving revision 1.4 diff -u -p -r1.4 PLIST --- pkg/PLIST 20 Jan 2011 14:04:42 -0000 1.4 +++ pkg/PLIST 10 Nov 2019 01:05:46 -0000 
@@ -1,12 +1,16 @@ @comment $OpenBSD: PLIST,v 1.4 2011/01/20 14:04:42 sthen Exp $ @newgroup _nrpe:556 @newuser _nrpe:556:_nrpe:daemon:NRPE Account:/nonexistent:/sbin/nologin +@rcscript ${RCDIR}/nrpe @bin libexec/nagios/check_nrpe +libexec/nagios/update-cfg.pl @bin sbin/nrpe share/doc/nrpe/ -share/doc/nrpe/README -share/doc/nrpe/SECURITY +share/doc/nrpe/NRPE.odt +share/doc/nrpe/NRPE.pdf +share/doc/nrpe/README.SSL.md +share/doc/nrpe/README.md +share/doc/nrpe/SECURITY.md share/examples/nrpe/ share/examples/nrpe/nrpe.cfg @sample ${SYSCONFDIR}/nrpe.cfg -@rcscript ${RCDIR}/nrpe