NRPE vs. check_by_ssh

Michael Medin michael at medin.name
Wed Mar 25 19:53:50 CET 2009


Kevin Keane wrote:
> Wouldn't the SSL certificates provide authentication comparable to SSH 
> keys? I'm not familiar with how NRPE uses SSL, but I would assume that 
> you could also use client certificates?
>   
I am no expert, but AFAIK it merely encrypts the traffic, i.e. no 
certificates at all. If someone knows how to use certificates, please 
feel free to let me know so I can add it to NSClient++, but from what I have 
seen it is not possible...

// Michael Medin
> Michael Medin wrote:
>   
>> Sorry to barge in (without reading the thread but...)
>>
>> Security wise NRPE lacks any form of authentication which is something 
>> SSH has so in this regard SSH is the more secure one...
>>
>>
>> // Michael Medin
>>
>> Idriss ARABBAJ wrote:
>>   
>>     
>>> Hi Kevin,
>>>
>>> I carefully read your speech on this subject and I found you insist a lot
>>> on the security offered by ssh, but you can also configure
>>> nrpe to work with ssl, so I think we will have no difference at this
>>> level. What do you think?
>>> best regards
>>>
>>> 2009/3/25 Kevin Keane <subscription at kkeane.com>:
>>>   
>>>     
>>>       
>>>> I think you are comparing apples and oranges here, because in most
>>>> situations that I can think of, the decision is dictated by the network
>>>> topology. If you are exclusively on a trusted private network,
>>>> check_by_ssh really doesn't offer any benefits. Conversely, if your
>>>> topology involves the Internet or some other untrusted network (WiFi),
>>>> then you wouldn't want NRPE in the first place.
>>>>
>>>> The only exception to the above that I can think of is when it comes to
>>>> deciding between using check_by_ssh over an untrusted network, vs. NRPE
>>>> through some other kind of tunnel or VPN. But in that case, you'd incur
>>>> encryption overhead either way, and the comparison is very different
>>>> from the question you asked.
>>>>
>>>> All that said: I don't have any first-hand experience, but I suspect
>>>> that the impact of establishing 2200 ssh connections in a five-minute
>>>> span (assuming that you are using a five-minute check interval) is
>>>> pretty substantial. The main impact actually lies in establishing and
>>>> tearing down the connections, key negotiations etc.; the encryption
>>>> during the data phase probably has only limited impact because most
>>>> checks only transmit a few bytes back and forth.
>>>>
>>>> SSH does much better with longer-duration connections when the keys are
>>>> already exchanged. This is even more true if you have a router-based
>>>> VPN, because in that case the overhead is offloaded to a different machine.
>>>>
>>>> So if you have the option of sending the checks as NRPE through one or a
>>>> few long-term VPNs: you are probably going to be better off. Of course,
>>>> in the big picture, your mileage may vary.
>>>>
>>>> Christopher McAtackney wrote:
>>>>     
>>>>       
>>>>         
>>>>> Hi all,
>>>>>
>>>>> I was wondering if someone could give a brief overview of the pros /
>>>>> cons of using NRPE to monitor my remote hosts versus using the
>>>>> check_by_ssh command?
>>>>>
>>>>> I'm aware that check_by_ssh increases the CPU overhead, but I'm not
>>>>> clear on the level of impact here - does this increase the load on the
>>>>> monitoring machine in direct relation to the number of hosts being
>>>>> monitored? For example, if I was using check_by_ssh to monitor, say,
>>>>> 2000 services spread across 200 hosts, would I experience significant
>>>>> slowdown on my monitoring machine?
>>>>>
>>>>> Cheers for any info,
>>>>>
>>>>> Chris
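Two points from the thread turn into a concrete check_by_ssh setup: Kevin's observation that SSH is cheap once the session is already up, and Michael's point that the transport on its own gives you no authentication of who may run what. The script below is an added example written for this archive; it is not code from the thread, from Nagios or from NSClient++. The plugin directory, the dispatcher path, the ControlPath, the key file name and the plugin allowlist are all assumptions to be adjusted locally.

```shell
#!/bin/sh
# Added example for the NRPE vs. check_by_ssh thread; not code from the
# thread, Nagios or NSClient++. All paths below are hypothetical.
#
# Three pieces:
#   1. ssh_config_fragment  - Nagios server side: keep one SSH session per
#                             host alive so checks do not each pay a key exchange.
#   2. authorized_keys_line - monitored host side: the server's key can only
#                             run the dispatcher, with no pty or forwarding.
#   3. dispatch_allowed / dispatch - the forced command: an allowlist of plugin
#                             names and argument characters, nothing else.

PLUGIN_DIR="${PLUGIN_DIR:-/usr/lib/nagios/plugins}"         # assumption
DISPATCHER="${DISPATCHER:-/usr/local/bin/nagios-dispatch}"  # assumption

# ssh_config for the nagios user on the monitoring server. ControlPersist
# needs OpenSSH 5.6 or later; with older versions a master connection only
# lives as long as the ssh process that opened it.
ssh_config_fragment() {
    cat <<'EOF'
Host *
    User nagios
    IdentityFile ~/.ssh/id_nagios
    BatchMode yes
    StrictHostKeyChecking yes
    ControlMaster auto
    ControlPath ~/.ssh/cm-%r@%h:%p
    ControlPersist 10m
EOF
}

# authorized_keys entry for the monitored host. $1 = public key material,
# $2 = forced command. command= runs that command no matter what the client
# asked for; the client's request is handed over in SSH_ORIGINAL_COMMAND.
authorized_keys_line() {
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$2" "$1"
}

# Decide whether a requested command may run. Returns 0 only for a plugin
# name on the allowlist followed by arguments made of safe characters.
dispatch_allowed() {
    cmd="$1"
    [ -n "$cmd" ] || return 1
    # Character allowlist: letters, digits and the punctuation plugin
    # arguments typically need. Anything else (quotes, ; | & $ ` ( ) < >,
    # newlines) is refused rather than escaped.
    [ "$(printf '%s' "$cmd" | tr -d 'A-Za-z0-9_ ./%=:,-' | wc -c)" -eq 0 ] || return 1
    set -f            # no glob expansion while splitting into words
    set -- $cmd
    set +f
    case "$1" in
        */*|*..*) return 1 ;;                                   # no path components
        check_disk|check_load|check_procs|check_users) return 0 ;;
        *) return 1 ;;
    esac
}

# The forced command itself: run the plugin by its fixed path, or refuse.
dispatch() {
    req="${SSH_ORIGINAL_COMMAND:-}"
    if ! dispatch_allowed "$req"; then
        echo "nagios-dispatch: refused: $req" >&2
        exit 3                                                  # UNKNOWN to Nagios
    fi
    set -f
    set -- $req
    set +f
    plugin="$1"
    shift
    exec "$PLUGIN_DIR/$plugin" "$@"
}

# Installed as $DISPATCHER and started with --dispatch from the command= option.
if [ "${1:-}" = "--dispatch" ]; then
    dispatch
fi
```

Install the script as the dispatcher on each monitored host, put the output of authorized_keys_line (with "$DISPATCHER --dispatch" as the forced command) into ~nagios/.ssh/authorized_keys there, and drop the ssh_config fragment into ~nagios/.ssh/config on the Nagios server. check_by_ssh then runs, for example, -C 'check_disk -w 20% -c 10% -p /', and any other use of the key is refused with UNKNOWN. The explicit no-* options are the pre-7.2 spelling of OpenSSH's restrict keyword. With a VPN-tunnelled NRPE you get the same confidentiality but still nothing equivalent to command=; that is the authentication gap the thread is pointing at.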

------------------------------------------------------------------------------
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null