Nrpe, Blowfish encryption

Stephen Strudwick, Pipex Communications,01/13/04

Overview

Addition of Blowfish encryption to nrpe to provide an optional alternative layer of security because the SSL encryption does not have any authentication; it only stops people snooping on the data.

Blowfish encryption has been added to the latest nrpe cvs tree as a compile time option.

Authentication will be provided via a shared key, unique to each host.

While the IP access control and SSL is good enough for most people, I felt I needed to add the blowfish code because we will be installing nrpe on many hundreds of servers, some of which will be important customer dedicated servers, on public facing lans.

By adding an authentication/encryption scheme to the security it is one more step an attacker has to take to exploit the server.

We have to demonstrate to our customers we have taken every reasonable step to protect their servers. IP access control on its own I believe is exploitable, especially if a server on the same lan is exploited and the nrpe port is attacked from that server. We have seen similar such attacks in the past.

While this is very unlikley, and even more unlikley they could exploit the daemon with command line arguments disabled it is still a potential risk.

Usage

The patch

To apply the patch to the cvs tree do:

cvs -z3 -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/nagios co nrpe
patch -p0 < blowfish_patch

Installing

When doing configure do:

./configure –enable-blowfish

Add the following line to the nrpe.cfg:

blowfish_secret=<secret>

And when calling check_nrpe do it like this:

./check_nrpe -H <host>-c <command> -s <secret>

Code changes

Changed Files

./configure.in

Added option –enable-blowfish, if selected it disables check_for_ssl. Also defines HAVE_BF.

Also added a check for floor in the math lib: AC_CHECK_LIB(m,floor,LDFLAGS="$LDFLAGS -lm")

./include/config.h.in

Added #undef HAVE_BF

./src/Makefile.in

Added new files.

./src/check_nrpe.c

All changes are within #ifdef HAVE_BF and closely mirror the SSL additions.

./src/nrpe.c

All changes are within #ifdef HAVE_BF and closely mirror the SSL additions. The exception is the key is initialised within handle_connection as memory is allocated here and it s therefore easier to cleanup.

New files

./include/blowfish.h ./src/blowfish.c

Original freeware blowfish code by Bruce Schneier.

./include/bf_crypt.h ./src/bf_crypt.c

A set of functions to make initialised and encrypting streams of data easier as the blowfish code will only encrypt 8 bytes at a time.

These functions when encrypting data will pad it out to multiple of 8.

./include/bf_utils.h ./src/bf_utils.c

Functions for socket use, blowfish equivalent of sendall, recvall etc.

Testing

The patch has been tested with these systems running in the following configurations:

On:

Purify Output (nrpe):


**** Purify instrumented ./nrpe (pid 17853, forked from pid 17850) ****

Purify: Searching for all memory leaks...

Memory leaked: 0 bytes (0%); potentially leaked: 0 bytes (0%)

Purify Heap Analysis (combining suppressed and unsuppressed blocks)
                         Blocks        Bytes
              Leaked          0            0
  Potentially Leaked          0            0
              In-Use         97        19146
  ----------------------------------------
     Total Allocated         97        19146

****  Purify instrumented ./nrpe (pid 17853, forked from pid 17850)  ****
  * Program exited with status code 0.
  * 0 access errors, 0 total occurrences.
  * 0 bytes leaked.
  * 0 bytes potentially leaked.

Purify Output (check_nrpe):


****  Purify instrumented ./check_nrpe (pid 17694)  ****
Purify: Searching for all memory leaks...
Memory leaked: 0 bytes (0%); potentially leaked: 0 bytes (0%)

Purify Heap Analysis (combining suppressed and unsuppressed blocks)
                         Blocks        Bytes
              Leaked          0            0
  Potentially Leaked          0            0
              In-Use         84         2093
  ----------------------------------------
     Total Allocated         84         2093
****  Purify instrumented ./check_nrpe (pid 17694)  ****
  * Program exited with status code 0.
  * 0 access errors, 0 total occurrences.
  * 0 bytes leaked.
  * 0 bytes potentially leaked.