This is a rewrite from the ground up of NRPE. This set of programs allows you to run Nagios check scripts on a remote host.
Real, proper SSL (TLS, actually). The server/executor component needs a key and certificate, and can optionally validate clients against a provided SSL certificate authority (or the system one). The client also validates the server name given in certificates and can validate the certificate against the system CA list or a provided CA.
Safe command-line argument passing. Arguments are passed without any interpolation to the check script. Missing arguments are simply passed as empty arguments. Quoting within the configuration file is respected.
Named arguments are supported. If you had trouble working out what $ARG7$ in your check script was for, you can now call it something sensible instead.
No. It has several weaknesses and issues that make it unsuitable:
Its SSL mode does very little for security. It does not use certificates or keys. It simply does a plain DH Key Exchange using a well-known "secret", and cannot validate that the client or server it is talking to is correctly authorised. It prevents passive snooping of the connection, but does not help against man-in-the-middle attacks.
Its command-line argument passing capability is riddled with security holes. All commands are run by passing them to a shell, which exposes them to a great number of attacks using shell expansion characters.
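The difference between the shell-based passing described above and the interpolation-free passing listed in the features can be shown in a few lines. This is an added example, not code from this project: `build_argv`, `run_check`, the `$name$` placeholder syntax and the sample command are assumptions made for illustration.

```python
import re
import shlex
import subprocess
import sys

# Hypothetical $name$ placeholders, in the style of the $ARG7$ macros.
PLACEHOLDER = re.compile(r"\$(\w+)\$")


def build_argv(template, args):
    """Split the configured command line once, then substitute per token.

    Quoting in the template is honoured by shlex.split(). Values are filled
    in after splitting, so a value can never add an argument or reach a
    shell. Names missing from args become empty strings.
    """
    return [PLACEHOLDER.sub(lambda m: args.get(m.group(1), ""), token)
            for token in shlex.split(template)]


def run_check(template, args, timeout=10):
    """Execute the check directly (no shell); return (exit status, stdout)."""
    proc = subprocess.run(build_argv(template, args), capture_output=True,
                          text=True, timeout=timeout)
    return proc.returncode, proc.stdout


# Constructed config entry: a stand-in "plugin" that prints each argument it
# receives on its own line, so the argument boundaries are visible.
TEMPLATE = (shlex.quote(sys.executable) +
            ' -c "import sys; print(chr(10).join(sys.argv[1:]))"'
            " -w $warn$ -p '$path$' $missing$")

if __name__ == "__main__":
    # Constructed client input: the path value carries shell metacharacters.
    status, output = run_check(TEMPLATE, {"warn": "10",
                                          "path": "/var; echo injected"})
    print(status)
    print(output, end="")
```

The value containing `;` reaches the check as one literal argument, and the unset `$missing$` placeholder still occupies its own (empty) position in the argument list.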
Why now? The command-line execution mode of NRPE was disabled in the packages currently (as of this writing) in Debian Jessie in response to CVE-2014-2913 (Debian bug #745272). I felt I really needed this functionality, but the bugs are too severe to fix properly. I felt that re-implementing it from the ground up with the features that I want was a good thing to do.
This project is neither endorsed nor authorised by Nagios Enterprises, LLC. I just picked the name as it seemed to be a good name to describe an improved re-implementation of NRPE.
Copyright (C) 2014-17 Chris Boot <bootc@bootc.net>
Copyright (C) 2021-23 Russell M. Van Tassell <russell@geekoncall.net>
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.