[Nagiosplug-help] secure remote checks

Thomas Guyot-Sionnest dermoth at aei.ca
Fri Aug 8 06:06:13 CEST 2008


On 07/08/08 09:28 PM, Marshall, Charles wrote:
> Thomas,
> Not sure about certificates, but would you do that? Or instead you can
> tell nrpe to only accept requests from certain IPs.

IP-based authentication is the only mechanism available in NRPE. However,
since it already allows SSL, you could use SSL-based certificate
authentication - I believe they are called x509 certs.

The nrpe client would have a certificate that can be used to
authenticate to the daemon in a similar way your browser authenticates
SSL web pages using CA certs (in this case the daemon verifies the client
against a trusted CA).

I have very little knowledge of it, but I believe it would require:

1. Configuration options on the daemon to activate this feature and
define trusted CAs
2. Switch in check_nrpe to specify the certificate to use for authentication
3. Code using OpenSSL libs (in both nrpe and check_nrpe) to make the
authentication happen.

--
Thomas
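
The trust decision described in the message above (the daemon accepting only client certificates issued by a CA it trusts), sketched with the openssl command line as an added example; it is not NRPE code and not part of the original post. The CA and client names (monitoring-ca, rogue-ca, nagios-server, impostor) are constructed, and in a real TLS handshake the client would also have to prove possession of the matching private key.

```shell
#!/bin/sh
# Constructed demo: every name, subject and path below is made up.
WORK=$(mktemp -d)

# Create a self-signed CA (key + certificate) named $1.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue a client certificate named $2, signed by CA $1.
issue_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/$2.csr" -days 1 \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" 2>/dev/null
}

# The check the daemon side would make: does client certificate $1
# chain to the one CA it has been configured to trust?
daemon_accepts() {
    openssl verify -CAfile "$WORK/monitoring-ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

make_ca monitoring-ca                     # the CA the daemon trusts
make_ca rogue-ca                          # some other CA, not trusted
issue_client monitoring-ca nagios-server  # legitimate check_nrpe client
issue_client rogue-ca impostor            # valid-looking cert, wrong issuer

for c in nagios-server impostor; do
    if daemon_accepts "$c"; then
        echo "$c: accepted"
    else
        echo "$c: rejected"
    fi
done
```

Unlike an allowed-hosts list, this decision does not depend on the source address of the connection, only on who issued the certificate the client presents.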