[Nagiosplug-devel] NRPE Protocol

Hiren Patel hir3npatel at gmail.com
Mon Aug 10 11:37:07 CEST 2009


Michael Wyraz wrote:
> Meanwhile I discovered one interesting thing that made me re-think my 
> suggestion to the protocol: http://hessian.caucho.com/ - this is a more 
> or less standardized binary protocol that is simple, efficient, 
> well-documented 
> (http://hessian.caucho.com/doc/hessian-serialization.html) and 
> available for most languages. So I would recommend to use this as base 
> for the new protocol.
> 
> To the plain protocol different levels of encryption and/or signing 
> could be added. This could either be done using a shared secret (simplest 
> way) or by using certificates (IMO the best way; but has the 
> disadvantage that for each node a certificate must be created).
> Another interesting approach is to use a split shared secret that 
> consists of one part that is put in the command definition (or in an 
> external file to prevent that it's read via web interface) plus a 
> second part that is defined in the host configuration. Both together 
> would build the really used shared secret. This would allow using 
> different shared secrets for each host while keeping the setup simple 
> and without exposing the secrets to the Nagios web interface.
> 
> 
> If you have more suggestions to this, let us discuss it here. If there are 
> some crypto experts on this list, please take part in the discussion how the 
> nrpe communication can be secured while keeping things easy.
> 

to me, two things stand out to convince the developers to change the 
protocol: the security advantage is needed and useful, and a redo 
would be better and more efficient.
if most people are using nrpe on a trusted network, I don't see the 
developers being overly convinced to make the change, and if the new 
implementation isn't better in some way, likewise.
not many of the users have asked for better security from nrpe as far as 
I know; I'd be interested to hear what the developers think of a 
protocol redo.
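The split-shared-secret scheme quoted above, worked through as an added illustration; this is not code from the list post, from NRPE or from Nagios. It assumes one secret part that lives with the command definition (or in an external file) and one per-host part from the host configuration, combines them with an HMAC-based derivation into a per-host key, and uses that key to sign each request with HMAC-SHA256. A canonical JSON encoding stands in for the Hessian payload the post proposes, and the secret strings and host names are constructed sample values.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample secrets (assumption, not real configuration values).
# COMMAND_PART is the half kept with the command definition / external file,
# HOST_PARTS holds the per-host half from each host's configuration.
COMMAND_PART = "command-definition-part-0f3a9c"
HOST_PARTS = {
    "web01": "host-part-web01-7d2e",
    "web02": "host-part-web02-b41c",
}


def derive_host_key(command_part: str, host_part: str, host: str) -> bytes:
    """Combine both secret halves into one per-host key.

    HMAC-SHA256 keyed with the command part over (host, host part) is used
    here as a simple key-derivation step (assumption: any sound KDF would do);
    binding the host name in means two hosts never share a key even if an
    administrator reuses a host part.
    """
    material = host.encode() + b"\x00" + host_part.encode()
    return hmac.new(command_part.encode(), material, hashlib.sha256).digest()


def _canonical(payload: dict) -> bytes:
    # Sorted keys and no whitespace so both sides MAC the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_request(key: bytes, host: str, command: str, args: list) -> dict:
    """Build a signed request; the nonce lets the receiver reject replays."""
    payload = {
        "host": host,
        "command": command,
        "args": list(args),
        "nonce": secrets.token_hex(16),
    }
    mac = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    signed = dict(payload)
    signed["mac"] = mac
    return signed


def verify_request(key: bytes, signed: dict, seen_nonces: set) -> bool:
    """Check the MAC in constant time and reject a nonce seen before.

    The nonce is only recorded after the MAC verifies, so a forged message
    cannot poison the replay cache.
    """
    payload = dict(signed)
    mac = payload.pop("mac", None)
    if not isinstance(mac, str) or "nonce" not in payload:
        return False
    expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False
    if payload["nonce"] in seen_nonces:
        return False
    seen_nonces.add(payload["nonce"])
    return True


if __name__ == "__main__":
    key_web01 = derive_host_key(COMMAND_PART, HOST_PARTS["web01"], "web01")
    key_web02 = derive_host_key(COMMAND_PART, HOST_PARTS["web02"], "web02")
    seen = set()
    req = sign_request(key_web01, "web01", "check_load", ["-w", "5", "-c", "10"])
    print("valid on web01:", verify_request(key_web01, req, seen))
    print("replayed:", verify_request(key_web01, req, seen))
    print("accepted by web02 key:", verify_request(key_web02, req, set()))
    tampered = dict(req)
    tampered["command"] = "check_disk"
    print("tampered:", verify_request(key_web01, tampered, set()))
```

Only the derived key is ever needed on the NRPE side, so the per-host half can stay in the host configuration and the command-definition half in an external file, as the post suggests; neither needs to appear in the Nagios web interface. Signing alone gives integrity and authentication, not confidentiality; encryption would be a separate layer on top of the same key material.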
