[Nagiosplug-help] What needs to be done to enable key- and certificate-less SSL handshake with NRPE?

Thomas Guyot-Sionnest dermoth at aei.ca
Thu Dec 21 02:01:28 CET 2006


Ralph.Grothe at itdz-berlin.de wrote:
> Hello Werner et al.,
> 
> sorry, for the belated reply.
> 
>> Werner Flamme wrote:
>>
>> Adventurously is exactly the right word :-) And about the 
>> documentation...
>> well...
>>
>> To have SSL working, you have to have exactly the same 
>> version of nrpe on
>> server and client.
>>
> 
> At least this is true for my Nagios server's platform builds of
> nrpe, check_nrpe
> and all the check_* plug-ins on that host.
> But you are right in assuming that this is not necessarily
> consistent with all my
> monitored nrpe enabled hosts.
> First because of the historic scatter of deployment,
> but second more importantly because of the mixed bunch of
> hardware and OS platforms
> (virtually almost every survived *nix derivative).
> Many of those nixes don't even come with the most rudimentary
> "development" tools
> and prerequisite libraries etc. since the big vendors usually
> charge equally big license
> fees for these add-ons.
> But even if our management would spare these extra costs
> we still lack "development" boxes of every breed we are supposed
> to administer
> where one could compile and test the Nagios Exchange or other
> software.
> (I guess a common experience that I share with the Nagios and
> plug-in developers as well)
> Therefore I am restricted to only have a minority of nrpe enabled
> hosts
> and for the vast majority I have to resort to some check_by_ssh
> checks if it was more than
> checking mere "pingability".

Have you considered using GNU tools instead of vendor's proprietary ones?

That's the exact same problem that put GNU on its feet. Years ago people
were buying GNU disks instead of paying their vendor the big price for
approximately the same thing.

>> To avoid ssl handshake, you may use the -n parameter. For 
>> example, in my
>> /etc/xinetd.d/nagios-nrpe service file, I have a line
>>  server_args     = -n -c /etc/sapmon/nrpe.cfg --inetd
>>
> 
> Yes, I have heard about that switch.
> But on many of my nrpe hosts when invoked with -h
> the nrpe binary's help screen doesn't show this option.
> I presume because it simply was deliberately compiled by me
> with some --disable-ssl configure generated Makefile,
> because of absence of any SSL libs (reason mentioned above).

OpenSSL is free as well. Have you tried it?

> Ok, I admit that I then cannot put the blame on nrpe.
> 
> I will have to check my various nrpe builds and if possible
> bring them in alignment with the check_nrpe on my Nagios
> server...
> 

So you should at least try to compile GNU tools and OpenSSL from source.
If your machines are really too old to compile those you may consider
running Linux or BSD on them....


Thomas