I would like if you separated out the portions of the agent into a new process. (E.g. zabbix_exec, zabbix_agent_execd, or something..) This process would perform the following actions:

• Run scripts requested from server
• Process userparameters
• Remote execution
• SSH agent commands
• Basically anything else where the agent executes something provided by a custom command

This would gain large configuration flexibility and security benefits such as "Now being able to...":

• Filter access by host for this process (Firewall) <--- Critical!
• Change the listen port for these more dangerous types of agent commands
• Configure a different set of trusted IP's listed in the config to be allowed to run these more dangerous commands.
• Configure the daemon user separately for zabbix_agent and zabbix_exec
• Code greatly simplified in both the zabbix_agent and zabbix_sshd
• Configure separate sudo, apparmor, SElinux, etc for this process.
• Separate logging
• Tunnel this functionality over SSH/SSL very easily
• Etc..

As we don't have agent ssl or auth, this is IMO a critical security issue as well.

Splitting this code out to it's own daemon might even make it easier for you or someone else to implement server<->agent authentication and encryption.

Thanks for your time guys!