[ZBXNEXT-3497] auto-registration with TLS (PSK)
Created: 2016 Oct 14   Updated: 2024 Apr 10   Resolved: 2019 Oct 28

Status: Closed
Project: ZABBIX FEATURE REQUESTS
Component/s: Agent (G), Frontend (F), Server (S)
Affects Version/s: 3.2.1
Fix Version/s: 4.4.0alpha3, 4.4 (plan)
Type: New Feature Request
Priority: Major
Reporter: Isaac Puch Rojo
Assignee: Andris Mednis
Resolution: Fixed
Votes: 35
Labels: actions, autoregistration, encryption, tls
Σ Remaining Estimate: Not Specified
Remaining Estimate: Not Specified
Σ Time Spent: Not Specified
Time Spent: Not Specified
Σ Original Estimate: Not Specified
Original Estimate: Not Specified
Environment:
Tried on Ubuntu 16.04, but it is not relevant
Attachments: 020-agent-sends-clear.patch
Issue Links:
Sub-Tasks:
Team: Team A
Sprint: Sprint 56 (Sep 2019), Sprint 55 (Aug 2019), Sprint 54 (Jul 2019)
Story Points: 8
Description
It would be great if you could define a PSK on the auto-registration.
Comments
Comment by Andris Mednis [ 2016 Oct 21 ]
Today on IRC a user described a workaround for setting encryption after auto-registration (slightly edited version):
<fayazabdul> hi, I need to run a custom script on zabbix master as part of auto registration. In general auto registration works fine but I want to invoke the script to add and do some other actions, script itself is not being called.
<ccooke> fayazabdul: The easiest way to do that right now is to create a special media type for each distinct thing you need to do, then create an automation user to hang them from.
<AmiralThrawn> ccooke: can you share that custom script for auto-registration and encryption setting ?
<ccooke> This one? https://gist.github.com/ccooke/4091eea6db0acdcfcefadd631c0e9397
<AmiralThrawn> ccooke: thanks .. so using the api on itself to set encryption. nice
<ccooke> yeah. That bit of the API is actually semi-undocumented (or was, when I wrote this), but a bit of poking found the right stuff.
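The API-based workaround described in the IRC excerpt (let the host auto-register in clear, then immediately switch it to PSK through the Zabbix JSON-RPC API) as an added example. This is not code from the ticket, from the linked gist, or from the Zabbix project; it runs against an in-memory stand-in for the API so it executes offline. The real Zabbix names it relies on are the `host.update` method and the host fields `tls_connect`, `tls_accept`, `tls_psk_identity` and `tls_psk` (value 2 = PSK), plus the agent parameters `TLSConnect`, `TLSAccept`, `TLSPSKIdentity` and `TLSPSKFile`; the `FakeZabbixApi` class, host ids, identities and auth token are constructed for the example.

```python
"""Post-autoregistration PSK hardening via the Zabbix API (added example).

Flow: the host registers unencrypted, an action triggers this script, the
script generates a strong PSK, sets tls_connect/tls_accept to PSK on the
server side and emits the matching agent configuration. After this the
server refuses unencrypted connections from that host.
"""
import json
import re
import secrets

PSK_TLS = 2  # Zabbix API value for "PSK" in tls_connect / tls_accept

# Zabbix requires a PSK of at least 32 hexadecimal digits (128 bits);
# the identity must be 1..128 characters and should carry no secrets.
_PSK_RE = re.compile(r"^[0-9a-fA-F]{32,}$")


def generate_psk(nbytes: int = 32) -> str:
    """Return a random PSK as lowercase hex (32 bytes -> 64 hex digits)."""
    return secrets.token_hex(nbytes)


def validate_psk(psk: str) -> bool:
    """True if the string is an acceptable Zabbix PSK."""
    return bool(_PSK_RE.match(psk))


def build_psk_update(hostid: str, identity: str, psk: str) -> dict:
    """Build host.update params that make the host PSK-only in both directions."""
    if not validate_psk(psk):
        raise ValueError("PSK must be at least 32 hex digits")
    if not identity or len(identity) > 128:
        raise ValueError("PSK identity must be 1..128 characters")
    return {
        "hostid": hostid,
        "tls_connect": PSK_TLS,   # server -> agent (passive checks)
        "tls_accept": PSK_TLS,    # agent -> server (active checks, autoreg)
        "tls_psk_identity": identity,
        "tls_psk": psk,
    }


def agent_config_lines(identity: str, psk_file: str) -> list:
    """zabbix_agentd.conf lines that pair with build_psk_update()."""
    return [
        "TLSConnect=psk",
        "TLSAccept=psk",
        f"TLSPSKIdentity={identity}",
        f"TLSPSKFile={psk_file}",
    ]


class FakeZabbixApi:
    """Constructed stand-in for the JSON-RPC endpoint; records every request."""

    def __init__(self):
        self.hosts = {}
        self.requests = []

    def call(self, method: str, params: dict, auth: str = "constructed-token") -> dict:
        req = {"jsonrpc": "2.0", "method": method, "params": params,
               "auth": auth, "id": len(self.requests) + 1}
        self.requests.append(json.dumps(req))
        if method == "host.update":
            self.hosts.setdefault(params["hostid"], {}).update(params)
            return {"hostids": [params["hostid"]]}
        raise NotImplementedError(method)


def enforce_psk_after_autoreg(api, hostid: str, identity: str, psk: str = None):
    """Switch a freshly auto-registered host to PSK; returns (api result, psk)."""
    psk = psk or generate_psk()
    result = api.call("host.update", build_psk_update(hostid, identity, psk))
    return result, psk


if __name__ == "__main__":
    api = FakeZabbixApi()
    res, psk = enforce_psk_after_autoreg(api, "10084", "psk-host1")  # constructed host id
    print(res, "\n".join(agent_config_lines("psk-host1", "/etc/zabbix/host1.psk")))
```

The PSK itself still has to reach the agent out of band (configuration management, or the TLS-protected channel proposed later in this thread); the script only closes the server-side window during which the host would accept unencrypted connections.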
Comment by Marco Agostani [ 2016 Dec 13 ]
Permit sending clear autoregistration to a TLS-configured agent
Comment by Marco Agostani [ 2016 Dec 13 ]
If someone is interested, I made a small patch that permits an encrypted agent to send the 1st packet, the one containing metadata, in clear.
Comment by Glebs Ivanovskis (Inactive) [ 2017 Feb 17 ]
Duplicate
Comment by Marco Agostani [ 2017 Feb 20 ]
This is not entirely the same case.
Comment by Naruto [ 2017 Apr 11 ]
This should be done natively by the Zabbix protocols. What would be the most elegant solution to this problem?
Comment by Sebastian Treu [ 2017 Apr 11 ]
It's a weird decision to make an auto-registration feature where you then need to modify the agent in order to have a secured/encrypted connection. I guess that Zabbix lacks a way, at least for the community edition, to autoregister the Zabbix agent seamlessly. Any idea on this feature?
Comment by Marco Agostani [ 2017 Apr 12 ]
Having the possibility to encrypt also the autoregistration packet would be a good security feature and I suggest implementing it. Anyway, we started using our solution (with the patched agent) on more than 900 sites around the world and we're satisfied with it.
Comment by Sebastian Treu [ 2017 Apr 12 ]
@Marco, I've read your patch and it's an interesting solution. I think the hardest part is to create the whole toolchain to build and compile the agent for every platform. Nice workaround!
Comment by Steen Schütt [ 2017 Nov 08 ]
Wouldn't it make sense to simply use TLS with the Zabbix server's certificate when sending the initial auto registration message, and then enable the agent to generate a PSK and share it with the server over this TLS connection to permanently enable encryption?
Comment by Marco Agostani [ 2018 Dec 11 ]
@Steen, autoregistration right now goes to the server (or proxy) ports and is accepted only in Zabbix protocol without encryption. Using the API through TLS could be another solution, but you have to create your own autoconfiguration script that creates the host and keys via the API, and of course have the API user and password stored on your remote systems. Cheers Marco
Comment by James Howe [ 2019 Jan 11 ]
A secure solution would be to set a PSK/cert for a hostgroup/template/globally on the Zabbix server; you can then trust any agent able to authenticate to autoregister itself.
Comment by Andy Booth [ 2019 Mar 24 ]
A "trivial" ticket priority seems odd here, as this feature is required for bulk auto-registration and bulk discovery in environments where host <> server comms must be encrypted. Auto-registration and discovery are there to remove the need for manually adding hosts, but the lack of any kind of template or group based encryption feature means that all hosts requiring encrypted comms must be visited in Zabbix. Compare that with a script-based deployment / update of Zabbix agents to machines in a group etc. via GPO in Windows, or an Ansible playbook in Linux. Please can the priority of this ticket be raised?
Comment by Andris Mednis [ 2019 Aug 02 ]
Available in development branch feature/
Pull request: [ZBXNEXT-3497] added support of PSK-based encryption in autoregistration
Comment by Andris Mednis [ 2019 Oct 14 ]
Fixed in:
Comment by Alexander Vladishev [ 2019 Oct 28 ]
Updated documentation: