[Nagiosplug-help] What needs to be done to enable key-and certificate-less SSL handshake with NRPE?

Ralph.Grothe at itdz-berlin.de Ralph.Grothe at itdz-berlin.de
Wed Dec 20 09:58:53 CET 2006


Hello Werner et al.,

sorry, for the belated reply.

> Werner Flamme wrote:
> 
> Adventurously is exactly the right word :-) And about the 
> documentation...
> well...
> 
> To have SSL working, you have to have exactly the same 
> version of nrpe on
> server and client.
>

At least this is true for my Nagios server's platform builds of
nrpe, check_nrpe
and all the check_* plug-ins on that host.
But you are right in assuming that this is not necessarily
consistent with all my
monitored nrpe enabled hosts.
First because of the historic scatter of deployment,
but second more importantly because of the mixed bunch of
hardware and OS platforms
(virtualy almost every survived *nix derrivative).
Many of those nixes don't even come with the most rudimentary
"development" tools
and prerequisite libraries etc. since the big vendors usually
charge equally big license
fees for these add-ons.
But even if our management would spare these extra costs
we still lack "development" boxes of every breed we are supposed
to administer
where one could compile and test the Nagios Exchange or other
software.
(I guess a common experience that I share with the Nagios and
plug-in developers as well)
Therefore I am restricted to only have a minority of nrpe enabled
hosts
and for the vast majority I have to resort to some check_by_ssh
checks if it was more than
checking mere "pingability".

> 
> To avoid ssl handshake, you may use the -n parameter. For 
> example, in my
> /etc/xinetd.d/nagios-nrpe service file, I have a line
>  server_args     = -n -c /etc/sapmon/nrpe.cfg --inetd
> 

Yes, I have heard about that switch.
But on many of my nrpe hosts when invoked with -h
the nrpe binary's help screen doesn't show this option.
I presume because it simply was deliberately compiled by me
with some --disable-ssl configure generated Makefile,
because of absence of any SSL libs (reason mentioned above).

Ok, I admit that I then cannot put the blame on nrpe.

I will have to check my various nrpe builds and if possible
bring them in alignment with the check_nrpe on my Nagios
server...

Regards

Ralph




More information about the Help mailing list