Details

      Description

      An encrypted communication between zabbix-server and agent would be great.

      I understand that I could use external tunneling (ssh, stunnel), but it is not such a straightforward solution. Built-in support would be far better.

      Thx
      Graum

      edit (richlv) : encryption should be supported by all components :

      server (also node-node);
      proxy
      agent
      zabbix_get
      zabbix_sender
      java proxy

      note that this issue only deals with pre-shared key support. additional issues :

      ZBXNEXT-1263 - ssl
      ZBXNEXT-1264 - kerberos

          Activity

          Szep csaba added a comment -

          Hello!

          Is there any plan to implement this feature?

          This feature was in the 1.6 roadmap, but if I remember right it was postponed to a later release; 1.8 is in feature freeze now and I do not see it.

          Sorry for the noise...

          thx
          Graum

          richlv added a comment -

          this is a desirable feature, but unfortunately it won't be available in 1.8.
          vote on it and get others to vote

          Endre Szabo added a comment -

          Well, the big shot is not the encryption itself. The main problem is with the authenticity of the agent communication. I suggest using a lot simpler CRAM/HMAC md5/sha1/etc. authentication that makes sure that the received agent message is in the case if implementing a complete SSL layer would take a lot of time and work. In a lot of cases using (thus implementing) SSL over a pre-existing VPN is a complete waste of time and money. So I vote for simple authentication first!

          Baskakov Alexey added a comment -

          It would be great to have native SSL/TLS communication option between Zabbix agent and server.

          Andreas Calvo added a comment -

          As said, even simple authentication would be great!

          richlv added a comment -

          similar to ZBXNEXT-571 (authentication)

          Walter Heck added a comment -

          Related discussion on the forum: http://www.zabbix.com/forum/showthread.php?t=20403&page=2

          Pavel Stros added a comment -

          I agree that even simple authentication based on a hash utilizing a timestamp and a shared secret would be great.

          Walter Heck added a comment -

          We're working on this as a community contribution. I created a page on zabbix.org for it here: http://zabbix.org/wiki/Active_agent_authentication

          Jens Neuhalfen added a comment - - edited

          FYI: Lacking authentication is the one and only reason why I cannot use zabbix in my company (or any other company that has any security standards).

          Besides the actual risk of messing up with the collected data (not to speak of code execution on the agent), a major problem is politics: If anything happens with zabbix, the person responsible for zabbix is going to have a hard time defending against "well, actually anybody with access to our network has read/write access to our data (and can potentially execute commands on the agents). Ignoring such a basic thing as authenticated communication links implies that security is not that important to the project."

          Walter Heck added a comment -

          Jens: get in touch with me at walter@tribily.com if you are interested in working on this. We have a group of zabbix users and companies who are working together on getting this fixed and implemented.

          Marc Schoechlin added a comment -

          Encryption is really important - without encryption it is a bit unprofessional to:

          • put zabbix-proxies offsite to monitor infrastructure from areas outside the corporate network
          • perform automatic actions like restarting services
          • create items which have access to sensitive data

          Walter Heck added a comment -

          A first version is ready, please see the forum post at http://www.zabbix.com/forum/showthread.php?t=20403 for more info.

          Noah Leaman added a comment - - edited

          I cannot understate how critical encryption (and auth) is for us to actually implement Zabbix in our environment. I'm more curious why such a feature is apparently not important enough to even be on a roadmap.

          Here is the "gotcha" for any business looking to enlist Zabbix SIA consulting/development services: Without a messaging/transport security requirement being met first, having to justify costs for any consulting services is a very, very tough sell. Anyway it's pitched, it sounds like the business will have to pay development costs in order to just meet that requirement. But why would they get that far in the process if that requirement isn't met to begin with.

          Michael Goodman added a comment -

          Noah – completely agreed. Any regulated environment (FISMA, SOX, HIPAA, etc.) requires this feature. And regulatory compliance is really the only thing fueling any purchase.

          The lack of encryption limits the usefulness of this product to LAN environments, and further limits product functionality (e.g. having zabbix perform any automated action in response to an event).

          This should be on the road map, and fairly high up there too.

          For now, all zabbix traffic has to be tunneled, which makes administration and implementation a nightmare.

          Walter Heck added a comment -

          We're in final testing stages for the authentication stuff. I apologise for moving slowly, but no one seems to be interested in helping us out (even though a lot of people want this feature) and I'm only a small self-funded startup. More information here: http://zabbix.org/wiki/Active_agent_authentication

          We could still very much use help, either in testing or code reviewing. Some monetary help will be very much appreciated as well, I've personally invested quite a bit of money in this.

          Airone added a comment -

          I agree that it is fundamental to have encrypted communication between agent, server and proxy.
          I'll wait for this feature to implement it in my company; HP Operation Manager costs a lot of money but encrypts the communication channel and can be used in a big enterprise where security is the first step to having professional products.

          Walter Heck added a comment -

          So, if it is that important for you, how about supporting my effort with some finances? I'm just a self-funded startup who's paying dearly out of his own pocket to get this implemented.
          We could even use a few hundred bucks to speed up development and testing of our code. I see a lot of people here saying they 'absolutely' need this feature, but no one who is willing to put their money where their mouth is. Slightly disappointing if it could benefit so many.

          Airone added a comment -

          Sorry, I'm not able to support this project with finances. I'll continue with HP products.

          Raymond Kuiper added a comment -

          @Walter, I'm a private person and currently just a fan of Zabbix (nothing work related atm) so I won't be able to spend big on this. However, If you can open up a kickstarter or something like that (paypal donations, perhaps?), I'll chip in a few coins.
          Advertise it on the forum like that, and maybe more people will chip in with (small) amounts of cash, thus enabling more testing?
          If I can make it to the conf this year, I'll also buy you a beer for the effort

          @Airone, You said yourself HP was overly expensive. Why not spend that money on getting this blocking issue out of the way and enjoy the excellent opensource software Zabbix is? It needs a community effort to get all the bits and pieces we want integrated into it, IMHO you hold the cards in your own hand.

          Airone added a comment -

          @qix, I know that, but in a big enterprise you need to have a company like HP that solves problems asap.
          Look, here we are blocked after 3 years on this request without having a roadmap.
          However, it isn't possible to move cash to solve a blocking issue in my company, but I will buy Walter a beer for the effort with a donation

          Walter Heck added a comment -

          @qix: won't make it to the conf this year unfortunately, but i'll take you up on that beer at some point

          @Airone: well, if someone with an actual budget was to support this effort, I could finish it in the next month. The single reason this is dragging on forever is there's no support from anyone.

          On a more technical note: I just received a message from my programmer, and we're facing a design choice: We have implemented authentication for active checks (they are initiated by the client). But what about passive checks? Currently we can go as far as not to have the server do passive checks for a client that failed auth in a previous active check. But there is no good model for only passive check agents. Personally I'm inclined to take a shortcut and not support that for now, since I only have active checks anyway. But the perfectionist in me wants to do this properly. Ideas are welcome..

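          Added example (not part of this issue, and not Zabbix's own code or wire format): a Python sketch of the pre-shared-key authentication discussed in this thread, covering both Pavel Stros's proposal of a hash over a timestamp and a shared secret and the active/passive design question in Walter Heck's comment above. Active checks carry an HMAC-SHA256 over host, timestamp and payload that the server checks against a clock window and a replay cache. Passive checks are initiated by the server, so the request carries a fresh nonce under the MAC; the agent verifies it before running the item, and the server accepts each nonce once. The key, message fields and function names are assumptions for illustration only. HMAC-SHA256 is used instead of the md5/sha1 mentioned earlier in the thread. Note that this gives authenticity and integrity only: the values still travel in the clear, which is what the encryption part of this request is about.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed pre-shared key for the example. In a deployment it would be a
# per-host secret distributed out of band; nothing here is Zabbix's own code.
PSK = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c")
MAX_SKEW = 300        # seconds of clock drift and transit delay tolerated
_seen_active = set()  # (host, ts, mac) tuples already accepted: replay cache
_pending = {}         # nonce -> (host, item key) for passive checks in flight


def _mac(key, *parts):
    """HMAC-SHA256 over length-prefixed parts, so ("ab","c") and ("a","bc") differ."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        if isinstance(p, str):
            p = p.encode()
        m.update(len(p).to_bytes(4, "big"))
        m.update(p)
    return m.hexdigest()


# Active checks: the agent initiates. A timestamp under the MAC bounds how long
# a captured message stays valid, and the cache stops replays inside that window.
def agent_sign_active(key, host, data, now=None):
    ts = int(now if now is not None else time.time())
    body = json.dumps(data, sort_keys=True, separators=(",", ":"))
    return {"host": host, "ts": ts, "data": body,
            "mac": _mac(key, "active", host, str(ts), body)}


def server_verify_active(key, msg, now=None):
    now = now if now is not None else time.time()
    if abs(now - msg["ts"]) > MAX_SKEW:
        return False, "timestamp outside window"
    expected = _mac(key, "active", msg["host"], str(msg["ts"]), msg["data"])
    if not hmac.compare_digest(expected, msg["mac"]):   # constant-time compare
        return False, "bad mac"
    tag = (msg["host"], msg["ts"], msg["mac"])
    if tag in _seen_active:
        return False, "replay"
    _seen_active.add(tag)
    return True, json.loads(msg["data"])


# Passive checks: the server initiates, so the agent must authenticate the
# request before it runs the item. A fresh nonce, rather than a timestamp,
# ties each response to exactly one request.
def server_request_passive(key, host, item_key):
    nonce = os.urandom(16).hex()
    _pending[nonce] = (host, item_key)
    return {"host": host, "nonce": nonce, "item": item_key,
            "mac": _mac(key, "request", host, nonce, item_key)}


def agent_handle_passive(key, req, collector):
    expected = _mac(key, "request", req["host"], req["nonce"], req["item"])
    if not hmac.compare_digest(expected, req["mac"]):
        return None   # unauthenticated server: do not run the item at all
    value = str(collector(req["item"]))
    return {"nonce": req["nonce"], "value": value,
            "mac": _mac(key, "response", req["nonce"], value)}


def server_verify_passive(key, resp):
    if resp is None or resp["nonce"] not in _pending:
        return False, "unknown nonce"
    expected = _mac(key, "response", resp["nonce"], resp["value"])
    if not hmac.compare_digest(expected, resp["mac"]):
        return False, "bad mac"
    host, item_key = _pending.pop(resp["nonce"])   # nonce is now spent
    return True, (host, item_key, resp["value"])


if __name__ == "__main__":
    msg = agent_sign_active(PSK, "web01", {"system.cpu.load": 0.42})
    print("active:", server_verify_active(PSK, msg))
    print("replayed:", server_verify_active(PSK, msg))
    req = server_request_passive(PSK, "web01", "system.uptime")
    print("passive:", server_verify_passive(
        PSK, agent_handle_passive(PSK, req, lambda k: 12345)))
    print("forged request:", agent_handle_passive(
        PSK, dict(req, mac="00" * 32), lambda k: 12345))
```

          Running the file prints the four outcomes. A forged passive request with a wrong MAC makes agent_handle_passive return None before any item is executed, which is the property the thread asks for on the agent side; a replayed or tampered active message is rejected on the server side with a reason that can be logged.
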
          richlv added a comment -

          this issue never specified the method, so i'll designate it as a pre-shared key one, and split out ssl and kerberos :

          ZBXNEXT-1263 - ssl
          ZBXNEXT-1264 - kerberos

          Walter Heck added a comment -

          We finished our patch, now we need to get it back into zabbix. It's written against trunk, so it should be easy enough. We have done quite a bit of testing with an official tester and are quite confident about this. Feel free to give it a spin and tell us what you think: http://zabbix.org/wiki/Active_agent_authentication

          Allen Chan added a comment -

          The company I work at is exploring PCI certification. This feature would go a long way towards that.

          Alexander J Sluiter added a comment -

          @Walter I too would love to see transport encryption and authentication between agents/servers. What needs to happen to get this feature into v2.x? I'm willing to pay for development if necessary.

          richlv added a comment -

          for financing any feature or improvement for zabbix the best option is to contact sales@zabbix.com

          Sébastien added a comment - - edited

          Thanks for your work Walter !

          Gareth Brown added a comment - - edited

          Bump! Is there any plan to get this into a release yet? With public cloud environments used more and more, especially with auto-registration (and de-registration) of hosts in AWS for example, without this feature there are some clear and inherent risks involved.

          richlv added a comment - - edited

          this is not on the roadmap at this time. seems to be sitting on this list without any noticeable progress : http://www.zabbix.com/development_services.php#active_projects

          Stefan Krüger added a comment -

          yes.. one of the most voted feature requests, and you say it must be paid for, we will fix/add only things that are lower rated.. nice..

          Sergey Syreskin added a comment -

          Stefan, do you want the Zabbix team to work for free? Do you work for free? If your company needs this feature, you could talk to your boss; he would possibly allocate budget for funding the development of this feature. For years https://support.zabbix.com/browse/ZBXNEXT-1 was the most voted feature request and now it is in Zabbix 2.2. There will always be a most wanted feature until it is implemented.

          richlv added a comment -

          we appreciate discussions, but let's have them on forums or irc
          (having said that i'd like to note that zbxnext-1 was not financed by any company, it was implemented only because it was the highest-voted feature request at the time)

          Raymond Kuiper added a comment -

          Please have a look at ZBXNEXT-2308. Implementing MQTT as a transport protocol will solve this problem and bring some other interesting functionality to Zabbix as well.

          Andris Mednis added a comment -

          Raymond - you mean - rearchitect Zabbix for using message-queues in server/proxy/agent communications and find an MQTT library with built-in TLS support ?

          Rafael Gomes added a comment -

          Reading this page[1], I got this:

          "Does MQTT support security?
          You can pass a user name and password with an MQTT packet in V3.1 of the protocol. Encryption across the network can be handled with SSL, independently of the MQTT protocol itself (it is worth noting that SSL is not the lightest of protocols, and does add significant network overhead). Additional security can be added by an application encrypting data that it sends and receives, but this is not something built-in to the protocol, in order to keep it simple and lightweight."

          [1] - http://mqtt.org/faq

          richlv added a comment -

          note that currently ZBXNEXT-1263 is planned to implement psk, too

          Alexei Vladishev added a comment -

          This functionality was implemented in Zabbix 3.0.0 under ZBXNEXT-1263. Closing.

          Aleksandrs Saveljevs added a comment -

          Reopening to set a resolution other than "Won't fix"...

          Aleksandrs Saveljevs added a comment -

          A duplicate of ZBXNEXT-1263 seems to be a bit more appropriate.


            People

            • Assignee:
              Unassigned
              Reporter:
              Szep csaba
            • Votes:
              113 Vote for this issue
              Watchers:
              64 Start watching this issue
