31 lines
1.1 KiB
Plaintext
31 lines
1.1 KiB
Plaintext
#! /bin/sh /usr/share/dpatch/dpatch-run
|
|
## 07_warn_ssloption.dpatch by Thijs Kinkhorst <thijs@debian.org>
|
|
##
|
|
## All lines beginning with `## DP:' are a description of the patch.
|
|
## DP: Warn against inadequateness of NRPE's own SSL option.
|
|
|
|
--- a/SECURITY 2013-02-10 15:07:18.000000000 +0100
|
|
+++ b/SECURITY 2013-02-10 15:08:50.000000000 +0100
|
|
@@ -67,14 +67,17 @@
|
|
----------
|
|
|
|
If you do enable support for command arguments in the NRPE daemon,
|
|
-make sure that you encrypt communications either by using:
|
|
-
|
|
- 1. Stunnel (see http://www.stunnel.org for more info)
|
|
- 2. Native SSL support
|
|
+make sure that you encrypt communications either by using, for
|
|
+example, Stunnel (see http://www.stunnel.org for more info).
|
|
|
|
Do NOT assume that just because the daemon is behind a firewall
|
|
that you are safe! Always encrypt NRPE traffic!
|
|
|
|
+NOTE: the currently shipped native SSL support of NRPE is not an
|
|
+adequante protection, because it does not verify clients and
|
|
+server, and uses pregenerated key material. NRPE's SSL option is
|
|
+advised against. For more information, see Debian bug #547092.
|
|
+
|
|
|
|
USING ARGUMENTS
|
|
---------------
|