What are the reasons to use NRPE?

RijilV rijilv at riji.lv
Mon Apr 27 23:52:01 CEST 2009


2009/4/27 Sean Carolan <scarolan at gmail.com>:
>> I just wonder what the reasons are to use NRPE in favour of checks
>> over ssh with ssh keys. To me, NRPE seems just one more piece of
>> software that may potentially be broken and more hassle with
>> firewalls. Why do people still use it when ssh checks are just as
>> simple and (in my opinion) far more secure?
>
> I may be in the minority here but I also prefer using ssh with keys
> for our remote nagios checks.  We have a medium sized network, around
> 220 hosts and about 1550 active checks.  The reports of performance
> degradation are greatly exaggerated, IMHO.  Our average check time is
> less than one second which is more than fast enough for our needs.  By
> using ssh we avoided having to install NRPE on several different
> versions of Red Hat, and as you mentioned ssh is much more secure,
> especially if you do it right (e.g., password-protected key, perhaps
> with keychain for loading into ssh-agent after you boot the server
> up).
>


I agree with using SSH.  If you search back through the recent lists there
was some talk of using ssh connection master, which will make SSH
greatly faster than NRPE.

As for security...not so much.  Both (can) use the same encryption
algorithms.  What really differs is that SSH uses asymmetric encryption to
set up the shared keys, whereas with NRPE you give it the shared key
(hence NRPE being faster, for the most part).  A shared key vs. a
certificate.... I'm not feeling a real win with either side.  In one
case I need to grab a config file, in the other I need to grab an
ssh-key file...

Comparing the default of setting up NRPE with explicit commands vs. just
allowing a user to run arbitrary commands over SSH, NRPE comes out ahead
here.  But it's not really any harder to set up SSH so each key
corresponds to a particular check.  And you can set up NRPE to allow you
to execute any command, which defeats the initial security you gain by
limiting which commands it can run.

As for having passwords on your keys and loading up an
ssh-agent...pffft.  If I can read your private key, I can read your
ssh-agent socket and the unencrypted SSH key stored in RAM by said
ssh-agent process.  The latter might actually be easier if we want to
go down the road of silly security (think FireWire and DMA), since the
agent process is always going to be in RAM...


.r'
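The per-key setup the message describes (each SSH key allowed to run exactly one check, so a stolen key is no more useful than an NRPE command definition) is done with an OpenSSH authorized_keys forced command. The script below is an added example, not code from the post or from Nagios/NRPE; the plugin directory, the dispatcher path, the check names and thresholds are my assumptions, and the public key used at the end is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not code from the post or from Nagios/NRPE: one SSH key per
# check, enforced with an OpenSSH authorized_keys forced command. Whatever the
# client asks to run, sshd executes the command= given in authorized_keys, so
# the key can reach only the one plugin invocation it was bound to.
#
# Assumed (my choices, not the list's): plugins live in PLUGIN_DIR, this file
# is installed as /usr/local/sbin/nagios-check-dispatch on the monitored host,
# and the check thresholds below are placeholders.

PLUGIN_DIR=/usr/lib/nagios/plugins
DISPATCHER=/usr/local/sbin/nagios-check-dispatch

# Print the authorized_keys entry that binds a public key to one check.
# $1 = check name, $2 = the public key line ("type base64 comment").
# The no-* options deny port/agent/X11 forwarding and a pty, so the key is
# useless for anything but running this check (OpenSSH 7.2+ can spell the
# same thing as a single "restrict" option).
authorized_keys_line() {
    printf 'command="%s %s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$DISPATCHER" "$1" "$2"
}

# The allowlist: check name -> the exact plugin invocation that may run.
# Anything else prints nothing and returns 1, so there is no way to reach an
# unconfigured command through a key.
allowed_command() {
    case "$1" in
        check_load) echo "$PLUGIN_DIR/check_load -w 5,4,3 -c 10,8,6" ;;
        check_disk) echo "$PLUGIN_DIR/check_disk -w 20% -c 10% -p /" ;;
        check_swap) echo "$PLUGIN_DIR/check_swap -w 20% -c 10%" ;;
        *)          return 1 ;;
    esac
}

# Resolve what this key may run. $1 is the check named in authorized_keys
# (server-controlled). SSH_ORIGINAL_COMMAND is what the client asked for
# (attacker-controlled if the key leaks); it is compared, never executed.
# Prints the command on success; prints a Nagios UNKNOWN line and returns 3
# on refusal.
dispatch() {
    bound="$1"
    requested="${SSH_ORIGINAL_COMMAND:-$bound}"
    if [ "$requested" != "$bound" ]; then
        echo "UNKNOWN: this key is bound to '$bound', refusing '$requested'"
        return 3
    fi
    if ! cmd=$(allowed_command "$bound"); then
        echo "UNKNOWN: '$bound' is not an allowed check"
        return 3
    fi
    echo "$cmd"
}

# Entry point when sshd runs this file as the forced command. When the file
# is sourced instead (e.g. for tests), only the functions above are defined.
case "$0" in
    */nagios-check-dispatch)
        if out=$(dispatch "$@"); then
            # Word splitting on $out is intentional: it is our own allowlist
            # string, never client input.
            exec $out
        else
            rc=$?
            echo "$out"
            exit "$rc"
        fi
        ;;
esac
```

Each key gets its own `authorized_keys_line` on the monitored host, and the Nagios server runs `ssh -i key_check_disk nagios@host` with no command at all; whatever it sends as a command is only ever compared against the bound check name. The same discipline is what the message warns about on the NRPE side: enabling argument passing (`dont_blame_nrpe=1` with `$ARG1$` in command definitions) hands command choice back to the client, which is exactly what the explicit command list was meant to prevent.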

_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null
