Sebastiaan Couwenberg <sebas...@xs4all.nl> writes:

> As documented in /usr/share/doc/nagios-nrpe-server/NEWS.Debian.gz which
> is shown to you on upgrade when you have apt-listchanges installed:
[...]
> Beware that the new NRPE daemon only works with old check_nrpe
> plugins when SSL support is disabled on both sides, likewise the
> new check_nrpe plugin only works with the old NRPE daemon when SSL
> support is disabled.

Oh! I totally didn't see that. Ok. So what I'm trying to do will never work and I need to disable SSL for all NRPE servers as well as on my (Jessie) nagios server.

> To use SSL between the NRPE client and server, configuring Stunnel
> is recommended.

I suppose that disabling SSL, so long as I also disable the NRPE argument processing on the older NRPEs which allow it, won't create too many security issues on an internal network. The most an attacker could do, assuming they could spoof the one allowed IP that commands can come from, is run the checks configured on the NRPE server. So, there is a denial-of-service risk here but not much more than that....

Pardon me for failing to RTM here.

> Due to the signal handler in NRPE you won't easily get a backtrace since
> SIGSEGV is caught too and NRPE just continues instead of terminating. If
> you can get a backtrace (with debug symbols installed) that would be
> helpful.

Ok, I'll give it a whack. Let's leave the bug in "moreinfo" until I get that. I do believe I need to rebuild the package with '-g' to get symbols out, which I've done.

Off to work for now but I'll give this another attempt, should have a result by no later than end of day tomorrow.

--
...Adam Di Carlo...<a...@onshored.com>.......<URL:http://www.onshored.com/>