[ZBXNEXT-17] daemon communication encryption: psk Created: 2009 Jun 30  Updated: 2016 Feb 22  Resolved: 2016 Feb 22

Status: Closed
Project: ZABBIX FEATURE REQUESTS
Component/s: Agent (G), Proxy (P), Server (S)
Affects Version/s: None
Fix Version/s: None

Type: New Feature Request Priority: Major
Reporter: Szep csaba Assignee: Unassigned
Resolution: Duplicate Votes: 113
Labels: encryption, security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
duplicates ZBXNEXT-1263 daemon communication encryption: ssl Closed
is duplicated by ZBXNEXT-767 Encryption/Authentication for server... Closed

Description

An encrypted communication between zabbix-server and agent would be great.

I understand that I could use external tunneling (ssh, stunnel), but it is not such a straightforward solution. Built-in support would be far better.

Thx
Graum

edit (richlv): encryption should be supported by all components:

  • server (also node-node)
  • proxy
  • agent
  • zabbix_get
  • zabbix_sender
  • java proxy

note that this issue only deals with pre-shared key support. additional issues:

ZBXNEXT-1263 - ssl
ZBXNEXT-1264 - kerberos



Comments
Comment by Szep csaba [ 2009 Dec 01 ]

Hello!

Is there any plan to implement this feature?

This feature was in the 1.6 roadmap, but if I remember right it was postponed to a later release; 1.8 is in feature freeze now and I do not see it.

Sorry for the noise...

thx
Graum

Comment by richlv [ 2009 Dec 01 ]

this is a desirable feature, but unfortunately it won't be available in 1.8.
vote on it and get others to vote

Comment by Endre Szabo [ 2010 Apr 08 ]

Well, the big shot is not the encryption itself. The main problem is the authenticity of the agent communication. I suggest using a much simpler CRAM/HMAC (MD5/SHA-1/etc.) authentication that makes sure the received agent message is authentic, in case implementing a complete SSL layer would take a lot of time and work. In a lot of cases, using (and thus implementing) SSL over a pre-existing VPN is a complete waste of time and money. So I vote for simple authentication first!

Comment by Baskakov Alexey [ 2010 May 07 ]

It would be great to have native SSL/TLS communication option between Zabbix agent and server.

Comment by Andreas Calvo [ 2010 Oct 22 ]

As said, even simple authentication would be great!

Comment by richlv [ 2010 Nov 29 ]

similar to ZBXNEXT-571 (authentication)

Comment by Walter Heck [ 2011 Mar 11 ]

Related discussion on the forum: http://www.zabbix.com/forum/showthread.php?t=20403&page=2

Comment by Pavel Stros [ 2011 Jun 17 ]

I agree that even simple authentication based on a hash utilizing a timestamp and a shared secret would be great.
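
The two authentication sketches in this thread (Endre Szabo's CRAM/HMAC challenge-response above and the timestamp-plus-shared-secret hash suggested here), worked through as an added example that is not part of the original issue and is not Zabbix code. The identity names, the key table and the message layout are assumptions made for the example. Scheme 1 authenticates a message the agent pushes on its own initiative (an active check) and keeps a nonce cache so a captured message cannot be replayed inside the clock-skew window. Scheme 2 has the verifying side issue a fresh challenge that the proving side must bind into its MAC, which works equally when the server opens the connection (passive checks). Neither scheme encrypts anything; they only stop forged and replayed data, which is what the comments above ask for.

```python
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Constructed pre-shared key table (identity -> 32-byte secret). Real keys
# must be random and provisioned out of band; these bytes are for the example.
PSK_TABLE = {
    "agent-web01": bytes.fromhex("00112233445566778899aabbccddeeff" * 2),
}
MAX_SKEW = 300  # seconds a message timestamp may deviate from the verifier's clock


def _canon(payload) -> bytes:
    """Canonical JSON so sender and verifier MAC exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so field boundaries are unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


def sign_message(identity: str, payload: dict, now: Optional[int] = None) -> dict:
    """Scheme 1, sender side: identity, timestamp, random nonce and a MAC over all of them."""
    ts = int(time.time()) if now is None else now
    nonce = os.urandom(16).hex()
    mac = _mac(PSK_TABLE[identity], identity.encode(), str(ts).encode(),
               nonce.encode(), _canon(payload))
    return {"id": identity, "ts": ts, "nonce": nonce, "data": payload, "mac": mac.hex()}


class Verifier:
    """Scheme 1, receiver side. Remembers accepted nonces for MAX_SKEW seconds."""

    def __init__(self):
        self._seen = {}  # nonce -> timestamp the message carried

    def verify(self, msg: dict, now: Optional[int] = None) -> Optional[dict]:
        """Return the payload if the message is authentic and fresh, otherwise None."""
        now = int(time.time()) if now is None else now
        identity = str(msg.get("id", ""))
        key = PSK_TABLE.get(identity)
        if key is None:
            return None  # unknown identity
        ts = msg.get("ts")
        if not isinstance(ts, int) or abs(now - ts) > MAX_SKEW:
            return None  # stale, or clock skew beyond the accepted window
        for n, t in list(self._seen.items()):  # drop nonces that left the window
            if now - t > MAX_SKEW:
                del self._seen[n]
        nonce = str(msg.get("nonce", ""))
        if nonce in self._seen:
            return None  # replay of a message already accepted
        expected = _mac(key, identity.encode(), str(ts).encode(), nonce.encode(),
                        _canon(msg.get("data")))
        try:
            given = bytes.fromhex(str(msg.get("mac", "")))
        except ValueError:
            return None
        if not hmac.compare_digest(expected, given):  # constant-time comparison
            return None
        self._seen[nonce] = ts
        return msg["data"]


def cram_challenge() -> bytes:
    """Scheme 2: the verifying side sends a fresh random challenge first."""
    return os.urandom(16)


def cram_prove(identity: str, challenge: bytes, request: bytes) -> bytes:
    """Scheme 2: the proving side binds its identity, the challenge and the request into one MAC."""
    return _mac(PSK_TABLE[identity], identity.encode(), challenge, request)


def cram_verify(identity: str, challenge: bytes, request: bytes, proof: bytes) -> bool:
    """Scheme 2: accept only a proof computed over this exact challenge and request."""
    key = PSK_TABLE.get(identity)
    if key is None:
        return False
    return hmac.compare_digest(_mac(key, identity.encode(), challenge, request), proof)
```

Two points a practitioner would check before deploying something like this: the nonce cache lives in the verifier's memory, so a restart reopens the replay window for messages whose timestamps are still inside MAX_SKEW, and the request bytes must be part of the CRAM proof, otherwise a proof captured for one item key can be reused to ask for another.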

Comment by Walter Heck [ 2011 Aug 12 ]

We're working on this as a community contribution. I created a page on zabbix.org for it here: http://zabbix.org/wiki/Active_agent_authentication

Comment by Jens Neuhalfen [ 2011 Nov 01 ]

FYI: Lacking authentication is the one and only reason why I cannot use zabbix in my company (or any other company that has any security standards).

Besides the actual risk of messing with the collected data (not to speak of code execution on the agent), a major problem is politics: If anything happens with zabbix, the person responsible for zabbix is going to have a hard time defending against "well, actually anybody with access to our network has read/write access to our data (and can potentially execute commands on the agents). Ignoring such a basic thing as authenticated communication links implies that security is not that important to the project."

Comment by Walter Heck [ 2011 Nov 01 ]

Jens: get in touch with me at [email protected] if you are interested in working on this. We have a group of zabbix users and companies who are working together on getting this fixed and implemented.

Comment by Marc Schoechlin [ 2011 Nov 19 ]

Encryption is really important - without encryption it is a bit unprofessional to:

  • put zabbix-proxies offsite to monitor infrastructure from areas outside the corporate network
  • perform automatic actions like restarting services
  • create items which have access to sensitive data

Comment by Walter Heck [ 2012 Jan 16 ]

A first version is ready, please see the forum post at http://www.zabbix.com/forum/showthread.php?t=20403 for more info.

Comment by Noah Leaman [ 2012 Apr 22 ]

I cannot understate how critical encryption (and auth) is for us to actually implement Zabbix in our environment. I'm more curious why such a feature is apparently not important enough to even be on a roadmap.

Here is the "gotcha" for any business looking to enlist Zabbix SIA consulting/development services: Without a messaging/transport security requirement being met first, having to justify costs for any consulting services is a very, very tough sell. Any way it's pitched, it sounds like the business will have to pay development costs in order to just meet that requirement. But why would they get that far in the process if that requirement isn't met to begin with?

Comment by Michael Goodman [ 2012 Apr 22 ]

Noah – completely agreed. Any regulated environment (FISMA, SOX, HIPAA, etc.) requires this feature. And regulatory compliance is really the only thing fueling any purchase.

The lack of encryption limits the usefulness of this product to LAN environments, and further limits product functionality (e.g. having zabbix perform any automated action in response to an event).

This should be on the road map, and fairly high up there too.

For now, all zabbix traffic has to be tunneled, which makes administration and implementation a nightmare.

Comment by Walter Heck [ 2012 Apr 23 ]

We're in the final testing stages for the authentication stuff. I apologise for moving slowly, but no one seems to be interested in helping us out (even though a lot of people want this feature) and I'm only a small self-funded startup. More information here: http://zabbix.org/wiki/Active_agent_authentication

We could still very much use help, either in testing or code reviewing. Some monetary help will be very much appreciated as well, I've personally invested quite a bit of money in this.

Comment by Airone [ 2012 May 04 ]

I agree that it is fundamental to have communication encrypted between agent, server and proxy.
I'll wait for this feature to implement it in my company. HP Operations Manager costs a lot of money but encrypts the communication channel and can be used in a big enterprise, where security is the first step towards having professional products.

Comment by Walter Heck [ 2012 May 04 ]

So, if it is that important for you, how about supporting my effort with some finances? I'm just a self-funded startup who is paying dearly out of his own pocket to get this implemented.
We could even use a few hundred bucks to speed up development and testing of our code. I see a lot of people here saying they 'absolutely' need this feature, but no one who is willing to put their money where their mouth is. Slightly disappointing if it could benefit so many.

Comment by Airone [ 2012 May 04 ]

Sorry, I'm not able to support this project with finances. I'll continue with HP products.

Comment by Raymond Kuiper [ 2012 May 04 ]

@Walter, I'm a private person and currently just a fan of Zabbix (nothing work related atm) so I won't be able to spend big on this. However, If you can open up a kickstarter or something like that (paypal donations, perhaps?), I'll chip in a few coins.
Advertise it on the forum like that, and maybe more people will chip in with (small) amounts of cash, thus enabling more testing?
If I can make it to the conf this year, I'll also buy you a beer for the effort

@Airone, You said yourself HP was overly expensive. Why not spend that money on getting this blocking issue out of the way and enjoy the excellent open-source software Zabbix is? It needs a community effort to get all the bits and pieces we want integrated into it; IMHO you hold the cards in your own hand.

Comment by Airone [ 2012 May 04 ]

@qix, I know that, but in a big enterprise you need to have a company like HP that solves problems ASAP.
Look, here we are blocked after 3 years on this request without having a roadmap.
However, it isn't possible to move cash to solve a blocking issue in my company, but I will pay for a beer for Walter's effort with a donation.

Comment by Walter Heck [ 2012 May 08 ]

@qix: won't make it to the conf this year unfortunately, but I'll take you up on that beer at some point

@Airone: well, if someone with an actual budget was to support this effort, I could finish it in the next month. The single reason this is dragging on forever is there's no support from anyone.

On a more technical note: I just received a message from my programmer, and we're facing a design choice: We have implemented authentication for active checks (they are initiated by the client). But what about passive checks? Currently we can go as far as not to have the server do passive checks for a client that failed auth in a previous active check. But there is no good model for only passive check agents. Personally I'm inclined to take a shortcut and not support that for now, since I only have active checks anyway. But the perfectionist in me wants to do this properly. Ideas are welcome..

Comment by richlv [ 2012 Jun 13 ]

this issue never specified the method, so i'll designate it as a pre-shared key one, and split out ssl and kerberos:

ZBXNEXT-1263 - ssl
ZBXNEXT-1264 - kerberos

Comment by Walter Heck [ 2012 Jul 16 ]

We finished our patch, now we need to get it back into zabbix. It's written against trunk, so it should be easy enough. We have done quite a bit of testing with an official tester and are quite confident about this. Feel free to give it a spin and tell us what you think: http://zabbix.org/wiki/Active_agent_authentication

Comment by Allen Chan [ 2012 Oct 26 ]

The company I work at is exploring PCI certification. This feature would go a long way towards that.

Comment by Alexander J Sluiter [ 2013 Jan 02 ]

@Walter I too would love to see transport encryption and authentication between agents/servers. What needs to happen to get this feature into v2.x? I'm willing to pay for development if necessary.

Comment by richlv [ 2013 Jan 02 ]

for financing any feature or improvement for zabbix the best option is to contact [email protected]

Comment by Sébastien [ 2013 Mar 07 ]

Thanks for your work Walter !

Comment by Gareth Brown [ 2013 Aug 09 ]

Bump! Is there any plan to get this into a release yet? Public cloud environments are used more and more, especially with auto-registration (and de-registration) of hosts in AWS for example; without this feature there are some clear and inherent risks involved.

Comment by richlv [ 2013 Aug 09 ]

this is not on the roadmap at this time. seems to be sitting on this list without any noticeable progress: http://www.zabbix.com/development_services.php#active_projects

Comment by Stefan [ 2013 Aug 09 ]

yes.. one of the most voted feature requests, and you said it must be paid for; "we will fix/add only things that are lower rated".. nice..

Comment by Sergey Syreskin [ 2013 Aug 09 ]

Stefan, do you want the Zabbix team to work for free? Do you work for free? If your company needs this feature, you could talk to your boss; he would possibly allocate budget for funding the development of this feature. For years https://support.zabbix.com/browse/ZBXNEXT-1 was the most voted feature request and now it is in Zabbix 2.2. There will always be a most wanted feature until it is implemented.

Comment by richlv [ 2013 Aug 09 ]

we appreciate discussions, but let's have them on forums or irc
(having said that i'd like to note that zbxnext-1 was not financed by any company, it was implemented only because it was the highest-voted feature request at the time)

Comment by Raymond Kuiper [ 2014 May 17 ]

Please have a look at ZBXNEXT-2308. Implementing MQTT as a transport protocol will solve this problem and bring some other interesting functionality to Zabbix as well.

Comment by Andris Mednis [ 2014 Oct 29 ]

Raymond - you mean - rearchitect Zabbix for using message-queues in server/proxy/agent communications and find an MQTT library with built-in TLS support ?

Comment by Rafael Gomes [ 2014 Nov 11 ]

Reading this page[1], I got this:

"Does MQTT support security?
You can pass a user name and password with an MQTT packet in V3.1 of the protocol. Encryption across the network can be handled with SSL, independently of the MQTT protocol itself (it is worth noting that SSL is not the lightest of protocols, and does add significant network overhead). Additional security can be added by an application encrypting data that it sends and receives, but this is not something built-in to the protocol, in order to keep it simple and lightweight."

[1] - http://mqtt.org/faq

Comment by richlv [ 2015 Jan 15 ]

note that currently ZBXNEXT-1263 is planned to implement psk, too

Comment by Alexei Vladishev [ 2016 Feb 22 ]

This functionality was implemented in Zabbix 3.0.0 under ZBXNEXT-1263. Closing.

Comment by Aleksandrs Saveljevs [ 2016 Feb 22 ]

Reopening to set a resolution other than "Won't fix"...

Comment by Aleksandrs Saveljevs [ 2016 Feb 22 ]

A duplicate of ZBXNEXT-1263 seems to be a bit more appropriate.

Generated at Thu Mar 28 10:34:45 EET 2024 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.