Package: nagios-nrpe-server
Severity: normal
Version: 2.0-7
Tags: patch

Hi,

The nrpe server and the check_nrpe client program both want to randomize
unused parts of the data packets that they exchange.

Whether this is any good is a different issue at all, but the way they
do it is to read one byte from /dev/urandom and use that to seed libc's RNG.

For one thing, picking a value between 0 and 255 does not really give much
randomness, but secondly, if you can live with rand()'s output, why even
bother to seed it with real hard randomness?

The disadvantage of reading from /dev/urandom is that even a small read
severely reduces the amount of entropy that the linux kernel thinks it
has, which makes reading from /dev/random slower for everybody else.


Please apply my patch that removes the reading from /dev/urandom
completely, or if you or upstream really disagree, at least make it
optional (second patch).

Additionally both patches add some documentation about --no-ssl, --help,
and --license to the --help outputs of both nrpe-server and check_nrpe.

Thanks,
Peter
-- 
 PGP signed and encrypted  |  .''`.  ** Debian GNU/Linux **
    messages preferred.    | : :' :      The  universal
                           | `. `'      Operating System
 http://www.palfrader.org/ |   `-    http://www.debian.org/
diff -ur nagios-nrpe/nagios-nrpe-2.0/src/check_nrpe.c 
nagios-nrpe-weasel2/nagios-nrpe-2.0/src/check_nrpe.c
--- nagios-nrpe/nagios-nrpe-2.0/src/check_nrpe.c        2003-09-09 
04:52:37.000000000 +0200
+++ nagios-nrpe-weasel2/nagios-nrpe-2.0/src/check_nrpe.c        2005-10-11 
22:00:59.454563455 +0200
@@ -82,7 +82,7 @@
 
        if(result!=OK || show_help==TRUE){
 
-               printf("Usage: check_nrpe -H <host> [-p <port>] [-t <timeout>] 
[-c <command>] [-a <arglist...>]\n");
+               printf("Usage: check_nrpe -H <host> [-p <port>] [-t <timeout>] 
[-c <command>] [-a <arglist...>] [--no-ssl] [--help] [--license]\n");
                printf("\n");
                printf("Options:\n");
                printf(" <host>     = The address of the host running the NRPE 
daemon\n");
@@ -92,6 +92,9 @@
                printf(" [arglist]  = Optional arguments that should be passed 
to the command.  Multiple\n");
                printf("              arguments should be separated by a space. 
 If provided, this must be\n");
                printf("              the last option supplied on the command 
line.\n");
+               printf(" -h, --help       Print this short help.\n");
+               printf(" -l,--license Print licensing information.\n");
+               printf(" -n,--no-ssl  Do not initial an ssl handshake with the 
server, talk in plaintext.\n");
                printf("\n");
                printf("Note:\n");
                printf("This plugin requires that you have the NRPE daemon 
running on the remote host.\n");
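Review bot: `Do not initial an ssl handshake` in the new `-n,--no-ssl` help line should read `Do not initiate an SSL handshake`; the same wording is in the nrpe.c @@ -120 hunk of this patch and in both help hunks of the second patch. The option column is also inconsistent within the three added lines: `-h, --help` has a space after the comma and padding before the description while `-l,--license` and `-n,--no-ssl` have neither, so the new entries do not line up with each other or with the existing `<host>`/`[arglist]` rows. Suggest `printf(" -l, --license    Print licensing information.\n");` and `printf(" -n, --no-ssl     Do not initiate an SSL handshake with the server, talk in plaintext.\n");` to match the `-h, --help` row. The enclosing function starts and ends outside the hunk.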
diff -ur nagios-nrpe/nagios-nrpe-2.0/src/nrpe.c 
nagios-nrpe-weasel2/nagios-nrpe-2.0/src/nrpe.c
--- nagios-nrpe/nagios-nrpe-2.0/src/nrpe.c      2003-09-09 04:52:37.000000000 
+0200
+++ nagios-nrpe-weasel2/nagios-nrpe-2.0/src/nrpe.c      2005-10-11 
22:00:59.466563352 +0200
@@ -120,13 +120,16 @@
 
        else if(result!=OK || show_help==TRUE){
 
-               printf("Usage: nrpe -c <config_file> <mode>\n");
+               printf("Usage: nrpe -c <config_file> <mode> [--help] 
[--license] [--no-ssl]\n");
                printf("\n");
                printf("Options:\n");
                printf(" <config_file> = Name of config file to use\n");
-               printf(" <mode>        = One of the following two operating 
modes:\n");  
-               printf("   -i          =    Run as a service under inetd or 
xinetd\n");
-               printf("   -d          =    Run as a standalone daemon\n");
+               printf(" <mode>        = One of the following two operating 
modes:\n");
+               printf("    -i, --inetd      Run as a service under inetd or 
xinetd\n");
+               printf("    -d, --daemon     Run as a standalone daemon\n");
+               printf(" -h, --help          Print this short help.\n");
+               printf(" -l, --license       Print licensing information.\n");
+               printf(" -n, --no-ssl        Do not initial an ssl handshake 
with the server, talk in plaintext.\n");
                printf("\n");
                printf("Notes:\n");
                printf("This program is designed to process requests from the 
check_nrpe\n");
diff -ur nagios-nrpe/nagios-nrpe-2.0/src/utils.c 
nagios-nrpe-weasel2/nagios-nrpe-2.0/src/utils.c
--- nagios-nrpe/nagios-nrpe-2.0/src/utils.c     2003-06-14 03:29:28.000000000 
+0200
+++ nagios-nrpe-weasel2/nagios-nrpe-2.0/src/utils.c     2005-10-11 
22:01:36.330247095 +0200
@@ -90,17 +90,7 @@
           ends and the rest of the buffer (padded randomly) starts.
        ***************************************************************/
 
-       /* try to get seed value from /dev/urandom, as its a better source of 
entropy */
-       fp=fopen("/dev/urandom","r");
-       if(fp!=NULL){
-               seed=fgetc(fp);
-               fclose(fp);
-               }
-
-       /* else fallback to using the current time as the seed */
-       else
-               seed=(int)time(NULL);
-
+       seed=(int)time(NULL)*311-getpid()*359+getppid()*383;
        srand(seed);
        for(x=0;x<buffer_size;x++)
                buffer[x]=(int)'0'+(int)(72.0*rand()/(RAND_MAX+1.0));
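Review bot: `seed=(int)time(NULL)*311-getpid()*359+getppid()*383;` multiplies a 32-bit signed int holding the epoch time by 311, which overflows `int`; that is undefined behaviour in C, not the wraparound the expression seems to rely on. Doing the mixing in unsigned arithmetic keeps the wrap defined, e.g. `seed=(int)((unsigned)time(NULL)*311u-(unsigned)getpid()*359u+(unsigned)getppid()*383u);`. With the fopen path gone the `FILE *fp` local that randomize_buffer declares (visible at the top of the second patch's utils.c hunk) becomes unused, and getpid/getppid need `<unistd.h>` if utils.c does not already include it. Since time and process ids are guessable, the padding this produces should be treated as predictable to anyone observing the traffic, which is consistent with the report's own view that it is not meant to be secret. randomize_buffer starts outside the hunk.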
diff -ur nagios-nrpe/nagios-nrpe-2.0/src/check_nrpe.c 
nagios-nrpe-weasel/nagios-nrpe-2.0/src/check_nrpe.c
--- nagios-nrpe/nagios-nrpe-2.0/src/check_nrpe.c        2003-09-09 
04:52:37.000000000 +0200
+++ nagios-nrpe-weasel/nagios-nrpe-2.0/src/check_nrpe.c 2005-10-11 
17:10:32.940437159 +0200
@@ -44,6 +44,7 @@
 #else
 int use_ssl=FALSE;
 #endif
+int use_dev_random=TRUE;
 
 
 int process_arguments(int,char **);
@@ -82,7 +83,7 @@
 
        if(result!=OK || show_help==TRUE){
 
-               printf("Usage: check_nrpe -H <host> [-p <port>] [-t <timeout>] 
[-c <command>] [-a <arglist...>]\n");
+               printf("Usage: check_nrpe -H <host> [-p <port>] [-t <timeout>] 
[-c <command>] [-a <arglist...>] [--no-ssl] [--no-dev-random] [--help] 
[--license]\n");
                printf("\n");
                printf("Options:\n");
                printf(" <host>     = The address of the host running the NRPE 
daemon\n");
@@ -92,6 +93,11 @@
                printf(" [arglist]  = Optional arguments that should be passed 
to the command.  Multiple\n");
                printf("              arguments should be separated by a space. 
 If provided, this must be\n");
                printf("              the last option supplied on the command 
line.\n");
+               printf(" -h, --help       Print this short help.\n");
+               printf(" -l,--license Print licensing information.\n");
+               printf(" -n,--no-ssl  Do not initial an ssl handshake with the 
server, talk in plaintext.\n");
+               printf(" -R,--no-dev-random  Do not use /dev/urandom to seed 
libc's RNG.  This saves a lot\n");
+               printf("              of entropy if you use nrpe quite a 
bit.\n");
                printf("\n");
                printf("Note:\n");
                printf("This plugin requires that you have the NRPE daemon 
running on the remote host.\n");
@@ -179,7 +185,7 @@
                bzero(&send_packet,sizeof(send_packet));
 
                /* fill the packet with semi-random data */
-               randomize_buffer((char *)&send_packet,sizeof(send_packet));
+               randomize_buffer((char *)&send_packet,sizeof(send_packet), 
use_dev_random);
 
                /* initialize packet data */
                
send_packet.packet_version=(int16_t)htons(NRPE_PACKET_VERSION_2);
@@ -319,6 +325,7 @@
                {"port", required_argument, 0, 'p'},
                {"help", no_argument, 0, 'h'},
                {"license", no_argument, 0, 'l'},
+               {"no-dev-random", no_argument, 0, 'R'},
                {0, 0, 0, 0}
                 };
 #endif
@@ -373,6 +380,9 @@
                case 'n':
                        use_ssl=FALSE;
                        break;
+               case 'R':
+                       use_dev_random=FALSE;
+                       break;
                default:
                        return ERROR;
                        break;
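Review bot: The new `case 'R':` is reached for the long option `--no-dev-random` via the table entry added in the @@ -319 hunk, but the short form `-R` advertised in the @@ -92 help hunk also requires an `R` in the optstring passed to getopt_long/getopt, and no hunk of this patch changes that string; if it is not updated elsewhere, `-R` falls through to `default: return ERROR`. The getopt call itself is outside the visible hunks, so this is inferred from what the patch shows. The same applies to the nrpe.c @@ -1493 hunk and its @@ -1446 table entry. process_arguments starts and ends outside the hunk.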
diff -ur nagios-nrpe/nagios-nrpe-2.0/src/nrpe.c 
nagios-nrpe-weasel/nagios-nrpe-2.0/src/nrpe.c
--- nagios-nrpe/nagios-nrpe-2.0/src/nrpe.c      2003-09-09 04:52:37.000000000 
+0200
+++ nagios-nrpe-weasel/nagios-nrpe-2.0/src/nrpe.c       2005-10-11 
17:12:13.187673721 +0200
@@ -73,6 +73,7 @@
 int     show_version=FALSE;
 int     use_inetd=TRUE;
 int     debug=FALSE;
+int     use_dev_random=TRUE;
 
 #ifdef HAVE_SSL
 SSL_METHOD *meth;
@@ -120,13 +121,18 @@
 
        else if(result!=OK || show_help==TRUE){
 
-               printf("Usage: nrpe -c <config_file> <mode>\n");
+               printf("Usage: nrpe -c <config_file> <mode> [--help] 
[--license] [--no-ssl] [--no-dev-random]\n");
                printf("\n");
                printf("Options:\n");
                printf(" <config_file> = Name of config file to use\n");
-               printf(" <mode>        = One of the following two operating 
modes:\n");  
-               printf("   -i          =    Run as a service under inetd or 
xinetd\n");
-               printf("   -d          =    Run as a standalone daemon\n");
+               printf(" <mode>        = One of the following two operating 
modes:\n");
+               printf("    -i, --inetd      Run as a service under inetd or 
xinetd\n");
+               printf("    -d, --daemon     Run as a standalone daemon\n");
+               printf(" -h, --help          Print this short help.\n");
+               printf(" -l, --license       Print licensing information.\n");
+               printf(" -n, --no-ssl        Do not initial an ssl handshake 
with the server, talk in plaintext.\n");
+               printf(" -R, --no-dev-random Do not use /dev/urandom to seed 
libc's RNG.  This saves a lot\n");
+               printf("                     of entropy if you use nrpe quite a 
bit.\n");
                printf("\n");
                printf("Notes:\n");
                printf("This program is designed to process requests from the 
check_nrpe\n");
@@ -900,7 +906,7 @@
        bzero(&send_packet,sizeof(send_packet));
 
        /* fill the packet with semi-random data */
-       randomize_buffer((char *)&send_packet,sizeof(send_packet));
+       randomize_buffer((char *)&send_packet,sizeof(send_packet), 
use_dev_random);
 
        /* initialize response packet data */
        send_packet.packet_version=(int16_t)htons(NRPE_PACKET_VERSION_2);
@@ -1446,6 +1452,7 @@
                {"no-ssl", no_argument, 0, 'n'},
                {"help", no_argument, 0, 'h'},
                {"license", no_argument, 0, 'l'},
+               {"no-dev-random", no_argument, 0, 'R'},
                {0, 0, 0, 0}
                 };
 #endif
@@ -1493,6 +1500,9 @@
                case 'n':
                        use_ssl=FALSE;
                        break;
+               case 'R':
+                       use_dev_random=FALSE;
+                       break;
                default:
                        return ERROR;
                        break;
diff -ur nagios-nrpe/nagios-nrpe-2.0/src/utils.c 
nagios-nrpe-weasel/nagios-nrpe-2.0/src/utils.c
--- nagios-nrpe/nagios-nrpe-2.0/src/utils.c     2003-06-14 03:29:28.000000000 
+0200
+++ nagios-nrpe-weasel/nagios-nrpe-2.0/src/utils.c      2005-10-11 
21:49:12.392662473 +0200
@@ -75,7 +75,7 @@
 
 
 /* fill a buffer with semi-random data */
-void randomize_buffer(char *buffer,int buffer_size){
+void randomize_buffer(char *buffer,int buffer_size,int use_dev_random){
        FILE *fp;
        int x;
        int seed;
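Review bot: The header comment `/* fill a buffer with semi-random data */` above the changed signature does not describe the new `use_dev_random` parameter, so a caller has to read the body to learn what it selects. Suggest `/* fill a buffer with semi-random data; use_dev_random!=0 seeds rand() from one byte of /dev/urandom, otherwise from time and pids */`, and the same wording belongs next to the prototype changed in the utils.h hunk. randomize_buffer continues past the end of this hunk.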
@@ -91,17 +91,16 @@
        ***************************************************************/
 
        /* try to get seed value from /dev/urandom, as its a better source of 
entropy */
-       fp=fopen("/dev/urandom","r");
-       if(fp!=NULL){
+       if (use_dev_random && (fp=fopen("/dev/urandom","r"))) {
                seed=fgetc(fp);
                fclose(fp);
-               }
+               }
 
        /* else fallback to using the current time as the seed */
        else
-               seed=(int)time(NULL);
-
+               seed=(int)time(NULL)*311-getpid()*359+getppid()*383;
        srand(seed);
+
        for(x=0;x<buffer_size;x++)
                buffer[x]=(int)'0'+(int)(72.0*rand()/(RAND_MAX+1.0));
 
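Review bot: `seed=fgetc(fp);` in the /dev/urandom branch is still not checked for EOF, so a failed read leaves `seed` at -1 and the code calls `srand(-1)` instead of taking the time/pid fallback, because the `else` only covers the case where `fopen` fails. The fallback `seed=(int)time(NULL)*311-getpid()*359+getppid()*383;` also overflows signed `int`, which is undefined behaviour; computing it as `seed=(int)((unsigned)time(NULL)*311u-(unsigned)getpid()*359u+(unsigned)getppid()*383u);` keeps the wrap defined. Either way the seed is at most one byte or a function of time and pids, so the output of rand() here is reproducible by an observer and the "padded randomly" wording in the comment block above should not be read as unpredictable padding. randomize_buffer starts outside this hunk.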
diff -ur nagios-nrpe/nagios-nrpe-2.0/src/utils.h 
nagios-nrpe-weasel/nagios-nrpe-2.0/src/utils.h
--- nagios-nrpe/nagios-nrpe-2.0/src/utils.h     2003-06-05 01:07:50.000000000 
+0200
+++ nagios-nrpe-weasel/nagios-nrpe-2.0/src/utils.h      2005-10-11 
16:53:21.556209341 +0200
@@ -38,7 +38,7 @@
 void generate_crc32_table(void);
 unsigned long calculate_crc32(char *, int);
 
-void randomize_buffer(char *,int);
+void randomize_buffer(char *,int,int);
 
 int my_tcp_connect(char *,int,int *);
 int my_connect(char *,int,int *,char *);
