Package: nagios-nrpe-server Severity: normal Version: 2.0-7 Tags: patch Hi,
The nrpe server and the check_nrpe client program both want to randomize unused parts of the data packets that they exchange. Whether this is any good is a different issue altogether, but the way they do it is to read one byte from /dev/urandom and use that to seed libc's RNG. For one thing, picking a value between 0 and 255 does not really give much randomness, but secondly, if you can live with rand()'s output, why even bother to seed it with real hard randomness? The disadvantage of reading from /dev/urandom is that even a small read severely reduces the amount of entropy that the linux kernel thinks it has, which makes reading from /dev/random slower for everybody else. Please apply my patch that removes the reading from /dev/urandom completely, or if you or upstream really disagree, at least make it optional (second patch). Additionally both patches add some documentation about --no-ssl, --help, and --license to the --help outputs of both nrpe-server and check_nrpe. Thanks, Peter -- PGP signed and encrypted | .''`. ** Debian GNU/Linux ** messages preferred. | : :' : The universal | `. `' Operating System http://www.palfrader.org/ | `- http://www.debian.org/
diff -ur nagios-nrpe/nagios-nrpe-2.0/src/check_nrpe.c nagios-nrpe-weasel2/nagios-nrpe-2.0/src/check_nrpe.c
--- nagios-nrpe/nagios-nrpe-2.0/src/check_nrpe.c 2003-09-09 04:52:37.000000000 +0200
+++ nagios-nrpe-weasel2/nagios-nrpe-2.0/src/check_nrpe.c 2005-10-11 22:00:59.454563455 +0200
@@ -82,7 +82,7 @@
 if(result!=OK || show_help==TRUE){
- printf("Usage: check_nrpe -H <host> [-p <port>] [-t <timeout>] [-c <command>] [-a <arglist...>]\n");
+ printf("Usage: check_nrpe -H <host> [-p <port>] [-t <timeout>] [-c <command>] [-a <arglist...>] [--no-ssl] [--help] [--license]\n");
 printf("\n");
 printf("Options:\n");
 printf(" <host> = The address of the host running the NRPE daemon\n");
@@ -92,6 +92,9 @@
 printf(" [arglist] = Optional arguments that should be passed to the command. Multiple\n");
 printf(" arguments should be separated by a space. If provided, this must be\n");
 printf(" the last option supplied on the command line.\n");
+ printf(" -h, --help Print this short help.\n");
+ printf(" -l,--license Print licensing information.\n");
+ printf(" -n,--no-ssl Do not initial an ssl handshake with the server, talk in plaintext.\n");
 printf("\n");
 printf("Note:\n");
 printf("This plugin requires that you have the NRPE daemon running on the remote host.\n");
diff -ur nagios-nrpe/nagios-nrpe-2.0/src/nrpe.c nagios-nrpe-weasel2/nagios-nrpe-2.0/src/nrpe.c
--- nagios-nrpe/nagios-nrpe-2.0/src/nrpe.c 2003-09-09 04:52:37.000000000 +0200
+++ nagios-nrpe-weasel2/nagios-nrpe-2.0/src/nrpe.c 2005-10-11 22:00:59.466563352 +0200
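Review bot: The new `-n,--no-ssl` help line in the @@ -92 hunk says "Do not initial an ssl handshake", which should read "initiate"; the same wording is added to the nrpe.c help hunk of this patch and to both help hunks of the second patch. The added lines also mix `-h, --help` (space after the comma) with `-l,--license` and `-n,--no-ssl` (none), while the nrpe.c version spaces all three consistently. Suggested line: `printf(" -n, --no-ssl Do not initiate an SSL handshake with the server, talk in plaintext.\n");`. The enclosing help block begins before this hunk.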
@@ -120,13 +120,16 @@
 else if(result!=OK || show_help==TRUE){
- printf("Usage: nrpe -c <config_file> <mode>\n");
+ printf("Usage: nrpe -c <config_file> <mode> [--help] [--license] [--no-ssl]\n");
 printf("\n");
 printf("Options:\n");
 printf(" <config_file> = Name of config file to use\n");
- printf(" <mode> = One of the following two operating modes:\n");
- printf(" -i = Run as a service under inetd or xinetd\n");
- printf(" -d = Run as a standalone daemon\n");
+ printf(" <mode> = One of the following two operating modes:\n");
+ printf(" -i, --inetd Run as a service under inetd or xinetd\n");
+ printf(" -d, --daemon Run as a standalone daemon\n");
+ printf(" -h, --help Print this short help.\n");
+ printf(" -l, --license Print licensing information.\n");
+ printf(" -n, --no-ssl Do not initial an ssl handshake with the server, talk in plaintext.\n");
 printf("\n");
 printf("Notes:\n");
 printf("This program is designed to process requests from the check_nrpe\n");
diff -ur nagios-nrpe/nagios-nrpe-2.0/src/utils.c nagios-nrpe-weasel2/nagios-nrpe-2.0/src/utils.c
--- nagios-nrpe/nagios-nrpe-2.0/src/utils.c 2003-06-14 03:29:28.000000000 +0200
+++ nagios-nrpe-weasel2/nagios-nrpe-2.0/src/utils.c 2005-10-11 22:01:36.330247095 +0200
@@ -90,17 +90,7 @@
 ends and the rest of the buffer (padded randomly) starts.
 ***************************************************************/
- /* try to get seed value from /dev/urandom, as its a better source of entropy */
- fp=fopen("/dev/urandom","r");
- if(fp!=NULL){
- seed=fgetc(fp);
- fclose(fp);
- }
-
- /* else fallback to using the current time as the seed */
- else
- seed=(int)time(NULL);
-
+ seed=(int)time(NULL)*311-getpid()*359+getppid()*383;
 srand(seed);
 for(x=0;x<buffer_size;x++)
 buffer[x]=(int)'0'+(int)(72.0*rand()/(RAND_MAX+1.0));
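Review bot: The new seed line in the utils.c hunk, `seed=(int)time(NULL)*311-getpid()*359+getppid()*383;`, multiplies the epoch time truncated to `int` by 311, which overflows a 32-bit `int` and is undefined behaviour; the second patch adds the identical line to utils.c. Do the arithmetic in unsigned and convert once: `seed=(int)((unsigned)time(NULL)*311u-(unsigned)getpid()*359u+(unsigned)getppid()*383u);`. Removing the fopen also leaves `fp` (declared at the top of randomize_buffer, above this hunk) unused, and getpid/getppid need `<unistd.h>` if utils.c does not already include it. Time and pids are guessable, so the padding this produces is predictable; that is acceptable only if, as the report argues, the padding has no security role, and a comment stating that would stop a later reader from relying on it as random. randomize_buffer begins and ends outside this hunk.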
diff -ur nagios-nrpe/nagios-nrpe-2.0/src/check_nrpe.c nagios-nrpe-weasel/nagios-nrpe-2.0/src/check_nrpe.c
--- nagios-nrpe/nagios-nrpe-2.0/src/check_nrpe.c 2003-09-09 04:52:37.000000000 +0200
+++ nagios-nrpe-weasel/nagios-nrpe-2.0/src/check_nrpe.c 2005-10-11 17:10:32.940437159 +0200
@@ -44,6 +44,7 @@
 #else
 int use_ssl=FALSE;
 #endif
+int use_dev_random=TRUE;
 int process_arguments(int,char **);
@@ -82,7 +83,7 @@
 if(result!=OK || show_help==TRUE){
- printf("Usage: check_nrpe -H <host> [-p <port>] [-t <timeout>] [-c <command>] [-a <arglist...>]\n");
+ printf("Usage: check_nrpe -H <host> [-p <port>] [-t <timeout>] [-c <command>] [-a <arglist...>] [--no-ssl] [--no-dev-random] [--help] [--license]\n");
 printf("\n");
 printf("Options:\n");
 printf(" <host> = The address of the host running the NRPE daemon\n");
@@ -92,6 +93,11 @@
 printf(" [arglist] = Optional arguments that should be passed to the command. Multiple\n");
 printf(" arguments should be separated by a space. If provided, this must be\n");
 printf(" the last option supplied on the command line.\n");
+ printf(" -h, --help Print this short help.\n");
+ printf(" -l,--license Print licensing information.\n");
+ printf(" -n,--no-ssl Do not initial an ssl handshake with the server, talk in plaintext.\n");
+ printf(" -R,--no-dev-random Do not use /dev/urandom to seed libc's RNG. This saves a lot\n");
+ printf(" of entropy if you use nrpe quite a bit.\n");
 printf("\n");
 printf("Note:\n");
 printf("This plugin requires that you have the NRPE daemon running on the remote host.\n");
@@ -179,7 +185,7 @@
 bzero(&send_packet,sizeof(send_packet));
 /* fill the packet with semi-random data */
- randomize_buffer((char *)&send_packet,sizeof(send_packet));
+ randomize_buffer((char *)&send_packet,sizeof(send_packet), use_dev_random);
 /* initialize packet data */
 send_packet.packet_version=(int16_t)htons(NRPE_PACKET_VERSION_2);
@@ -319,6 +325,7 @@
 {"port", required_argument, 0, 'p'},
 {"help", no_argument, 0, 'h'},
 {"license", no_argument, 0, 'l'},
+ {"no-dev-random", no_argument, 0, 'R'},
 {0, 0, 0, 0}
 };
 #endif
@@ -373,6 +380,9 @@
 case 'n':
 use_ssl=FALSE;
 break;
+ case 'R':
+ use_dev_random=FALSE;
+ break;
 default:
 return ERROR;
 break;
diff -ur nagios-nrpe/nagios-nrpe-2.0/src/nrpe.c nagios-nrpe-weasel/nagios-nrpe-2.0/src/nrpe.c
--- nagios-nrpe/nagios-nrpe-2.0/src/nrpe.c 2003-09-09 04:52:37.000000000 +0200
+++ nagios-nrpe-weasel/nagios-nrpe-2.0/src/nrpe.c 2005-10-11 17:12:13.187673721 +0200
@@ -73,6 +73,7 @@
 int show_version=FALSE;
 int use_inetd=TRUE;
 int debug=FALSE;
+int use_dev_random=TRUE;
 #ifdef HAVE_SSL
 SSL_METHOD *meth;
@@ -120,13 +121,18 @@
 else if(result!=OK || show_help==TRUE){
- printf("Usage: nrpe -c <config_file> <mode>\n");
+ printf("Usage: nrpe -c <config_file> <mode> [--help] [--license] [--no-ssl] [--no-dev-random]\n");
 printf("\n");
 printf("Options:\n");
 printf(" <config_file> = Name of config file to use\n");
- printf(" <mode> = One of the following two operating modes:\n");
- printf(" -i = Run as a service under inetd or xinetd\n");
- printf(" -d = Run as a standalone daemon\n");
+ printf(" <mode> = One of the following two operating modes:\n");
+ printf(" -i, --inetd Run as a service under inetd or xinetd\n");
+ printf(" -d, --daemon Run as a standalone daemon\n");
+ printf(" -h, --help Print this short help.\n");
+ printf(" -l, --license Print licensing information.\n");
+ printf(" -n, --no-ssl Do not initial an ssl handshake with the server, talk in plaintext.\n");
+ printf(" -R, --no-dev-random Do not use /dev/urandom to seed libc's RNG. This saves a lot\n");
+ printf(" of entropy if you use nrpe quite a bit.\n");
 printf("\n");
 printf("Notes:\n");
 printf("This program is designed to process requests from the check_nrpe\n");
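Review bot: The new `case 'R':` branch in the check_nrpe.c @@ -373 hunk (and the matching one in nrpe.c at @@ -1493 of this patch) is only reached for the short option `-R` if `R` is also in the short-option string passed to getopt_long, and no hunk in this patch touches that string. The long form `--no-dev-random` maps to `'R'` through the added option-table entry regardless, but the new help text advertises `-R` as well; if the optstring is left as is, `-R` falls through to `default: return ERROR;` and the help text is wrong. Either extend the optstring with `R` in both programs or drop `-R` from the two help lines. The option table and the switch both begin outside their hunks, so this is inferred rather than visible.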
@@ -900,7 +906,7 @@
 bzero(&send_packet,sizeof(send_packet));
 /* fill the packet with semi-random data */
- randomize_buffer((char *)&send_packet,sizeof(send_packet));
+ randomize_buffer((char *)&send_packet,sizeof(send_packet), use_dev_random);
 /* initialize response packet data */
 send_packet.packet_version=(int16_t)htons(NRPE_PACKET_VERSION_2);
@@ -1446,6 +1452,7 @@
 {"no-ssl", no_argument, 0, 'n'},
 {"help", no_argument, 0, 'h'},
 {"license", no_argument, 0, 'l'},
+ {"no-dev-random", no_argument, 0, 'R'},
 {0, 0, 0, 0}
 };
 #endif
@@ -1493,6 +1500,9 @@
 case 'n':
 use_ssl=FALSE;
 break;
+ case 'R':
+ use_dev_random=FALSE;
+ break;
 default:
 return ERROR;
 break;
diff -ur nagios-nrpe/nagios-nrpe-2.0/src/utils.c nagios-nrpe-weasel/nagios-nrpe-2.0/src/utils.c
--- nagios-nrpe/nagios-nrpe-2.0/src/utils.c 2003-06-14 03:29:28.000000000 +0200
+++ nagios-nrpe-weasel/nagios-nrpe-2.0/src/utils.c 2005-10-11 21:49:12.392662473 +0200
@@ -75,7 +75,7 @@
 /* fill a buffer with semi-random data */
-void randomize_buffer(char *buffer,int buffer_size){
+void randomize_buffer(char *buffer,int buffer_size,int use_dev_random){
 FILE *fp;
 int x;
 int seed;
@@ -91,17 +91,16 @@
 ***************************************************************/
 /* try to get seed value from /dev/urandom, as its a better source of entropy */
- fp=fopen("/dev/urandom","r");
- if(fp!=NULL){
+ if (use_dev_random && (fp=fopen("/dev/urandom","r"))) {
 seed=fgetc(fp);
 fclose(fp);
- }
+ }
 /* else fallback to using the current time as the seed */
 else
- seed=(int)time(NULL);
-
+ seed=(int)time(NULL)*311-getpid()*359+getppid()*383;
 srand(seed);
+
 for(x=0;x<buffer_size;x++)
 buffer[x]=(int)'0'+(int)(72.0*rand()/(RAND_MAX+1.0));
diff -ur nagios-nrpe/nagios-nrpe-2.0/src/utils.h nagios-nrpe-weasel/nagios-nrpe-2.0/src/utils.h
--- nagios-nrpe/nagios-nrpe-2.0/src/utils.h 2003-06-05 01:07:50.000000000 +0200
+++ nagios-nrpe-weasel/nagios-nrpe-2.0/src/utils.h 2005-10-11 16:53:21.556209341 +0200
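Review bot: The `/* else fallback to using the current time as the seed */` comment kept as context in the utils.c @@ -91 hunk no longer describes the `else` branch beneath it, which now also mixes in getpid() and getppid(); suggest `/* else fall back to a seed derived from the current time and the process and parent pids */`. The `/* try to get seed value from /dev/urandom ... */` comment above the new `if` likewise omits that the read is now skipped when `use_dev_random` is false. The `- }` / `+ }` pair and the blank line added after `srand(seed);` are whitespace-only changes unrelated to the fix and add noise to the patch. randomize_buffer's body continues past the end of this hunk.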
@@ -38,7 +38,7 @@
 void generate_crc32_table(void);
 unsigned long calculate_crc32(char *, int);
-void randomize_buffer(char *,int);
+void randomize_buffer(char *,int,int);
 int my_tcp_connect(char *,int,int *);
 int my_connect(char *,int,int *,char *);