[ZBXNEXT-17] daemon communication encryption: psk
Created: 2009 Jun 30   Updated: 2016 Feb 22   Resolved: 2016 Feb 22

Status: Closed
Project: ZABBIX FEATURE REQUESTS
Component/s: Agent (G), Proxy (P), Server (S)
Affects Version/s: None
Fix Version/s: None
Type: New Feature Request
Priority: Major
Reporter: Szep csaba
Assignee: Unassigned
Resolution: Duplicate
Votes: 113
Labels: encryption, security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Issue Links:

Description

An encrypted communication between zabbix-server and agent would be great. I understand that I could use external tunneling (ssh, stunnel), but it is not such a straightforward solution. Built-in support would be far better. Thx

edit (richlv): encryption should be supported by all components: server (also node-node); note that this issue only deals with pre-shared key support. additional issues:
Comments

Comment by Szep csaba [ 2009 Dec 01 ]
Hello! Is there any plan to implement this feature? This feature was in the 1.6 roadmap, but if I remember right it was postponed to a later release, but 1.8 is in feature freeze now and I do not see it. Sorry for the noise... thx

Comment by richlv [ 2009 Dec 01 ]
this is a desirable feature, but unfortunately it won't be available in 1.8.

Comment by Endre Szabo [ 2010 Apr 08 ]
Well, the big shot is not the encryption itself. The main problem is with the authenticity of the agent communication. I suggest using a lot simpler CRAM/HMAC md5/sha1/etc. authentication that makes sure that the received agent message is authentic, in case implementing a complete SSL layer would take a lot of time and work. In a lot of cases using (thus implementing) SSL over a pre-existing VPN is a complete waste of time and money. So I vote for simple authentication first!

Comment by Baskakov Alexey [ 2010 May 07 ]
It would be great to have native SSL/TLS communication option between Zabbix agent and server.

Comment by Andreas Calvo [ 2010 Oct 22 ]
As said, even simple authentication would be great!

Comment by richlv [ 2010 Nov 29 ]
similar to

Comment by Walter Heck [ 2011 Mar 11 ]
Related discussion on the forum: http://www.zabbix.com/forum/showthread.php?t=20403&page=2

Comment by Pavel Stros [ 2011 Jun 17 ]
I agree that even simple authentication based on a hash utilizing timestamp and shared secret would be great.
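The HMAC-style authentication proposed in the two comments above (Endre Szabo's CRAM/HMAC suggestion and the timestamp-plus-shared-secret hash here), written out as an added example that is not part of this issue or of Zabbix's code: the agent MACs a canonical encoding of its message with a pre-shared key, and the server rejects forged, stale and replayed messages. The PSK, message fields and the 300-second window are constructed for the example; the real Zabbix agent protocol is not modelled.

```python
import hmac
import hashlib
import json

# Constructed pre-shared key for this example only; a deployment would read it
# from a file readable only by the agent and the server.
PSK = b"example-psk-not-for-production"
MAX_SKEW = 300  # seconds; messages older or newer than this are rejected


def _canonical(payload: dict) -> bytes:
    """Deterministic byte encoding so agent and server MAC the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_message(payload: dict, psk: bytes, now: float, nonce: str) -> dict:
    """Agent side: attach timestamp, nonce and HMAC-SHA256 over the canonical body."""
    body = dict(payload, ts=int(now), nonce=nonce)
    mac = hmac.new(psk, _canonical(body), hashlib.sha256).hexdigest()
    return dict(body, mac=mac)


class Verifier:
    """Server side: checks the MAC, the freshness window and nonce reuse."""

    def __init__(self, psk: bytes, max_skew: int = MAX_SKEW):
        self.psk = psk
        self.max_skew = max_skew
        self.seen = {}  # nonce -> ts; entries are pruned once outside the window

    def verify(self, msg: dict, now: float) -> tuple:
        mac = msg.get("mac")
        body = {k: v for k, v in msg.items() if k != "mac"}
        if not isinstance(mac, str) or "ts" not in body or "nonce" not in body:
            return False, "malformed"
        expected = hmac.new(self.psk, _canonical(body), hashlib.sha256).hexdigest()
        # Constant-time compare, so a forged message learns nothing from timing.
        if not hmac.compare_digest(expected, mac):
            return False, "bad mac"
        if abs(int(now) - body["ts"]) > self.max_skew:
            return False, "stale"
        # Drop nonces that can no longer be replayed, then check for reuse.
        self.seen = {n: t for n, t in self.seen.items()
                     if abs(int(now) - t) <= self.max_skew}
        if body["nonce"] in self.seen:
            return False, "replay"
        self.seen[body["nonce"]] = body["ts"]
        return True, "ok"
```

This covers only agent-initiated (active) messages; the passive-check direction discussed later in the thread would need the server to supply the challenge.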
Comment by Walter Heck [ 2011 Aug 12 ]
We're working on this as a community contribution. I created a page on zabbix.org for it here: http://zabbix.org/wiki/Active_agent_authentication

Comment by Jens Neuhalfen [ 2011 Nov 01 ]
FYI: Lacking authentication is the one and only reason why I cannot use zabbix in my company (or any other company that has any security standards). Besides the actual risk of messing with the collected data (not to speak of code execution on the agent), a major problem is politics: If anything happens with zabbix, the person responsible for zabbix is going to have a hard time defending against "well, actually anybody with access to our network has read/write access to our data (and can potentially execute commands on the agents). Ignoring such a basic thing as authenticated communication links implies that security is not that important to the project."

Comment by Walter Heck [ 2011 Nov 01 ]
Jens: get in touch with me at walter@tribily.com if you are interested in working on this. We have a group of zabbix users and companies who are working together on getting this fixed and implemented.

Comment by Marc Schoechlin [ 2011 Nov 19 ]
Encryption is really important - without encryption it is a bit unprofessional to:

Comment by Walter Heck [ 2012 Jan 16 ]
A first version is ready, please see the forum post at http://www.zabbix.com/forum/showthread.php?t=20403 for more info.

Comment by Noah Leaman [ 2012 Apr 22 ]
I cannot understate how critical encryption (and auth) is for us to actually implement Zabbix in our environment. I'm more curious why such a feature is apparently not important enough to even be on a roadmap. Here is the "gotcha" for any business looking to enlist Zabbix SIA consulting/development services: Without a messaging/transport security requirement being met first, having to justify costs for any consulting services is a very, very tough sell. Any way it's pitched, it sounds like the business will have to pay development costs in order to just meet that requirement. But why would they get that far in the process if that requirement isn't met to begin with?

Comment by Michael Goodman [ 2012 Apr 22 ]
Noah – completely agreed. Any regulated environment (FISMA, SOX, HIPAA, etc.) requires this feature. And regulatory compliance is really the only thing fueling any purchase. The lack of encryption limits the usefulness of this product to LAN environments, and further limits product functionality (e.g. having zabbix perform any automated action in response to an event). This should be on the road map, and fairly high up there too. For now, all zabbix traffic has to be tunneled, which makes administration and implementation a nightmare.

Comment by Walter Heck [ 2012 Apr 23 ]
We're in the final testing stages for the authentication stuff. I apologise for moving slowly, but no one seems to be interested in helping us out (even though a lot of people want this feature) and I'm only a small self-funded startup. More information here: http://zabbix.org/wiki/Active_agent_authentication We could still very much use help, either in testing or code reviewing. Some monetary help will be very much appreciated as well; I've personally invested quite a bit of money in this.

Comment by Airone [ 2012 May 04 ]
I agree that it is fundamental to have communication encrypted between agent, server and proxy.

Comment by Walter Heck [ 2012 May 04 ]
So, if it is that important for you, how about supporting my effort with some finances? I'm just a self-funded startup who's paying dearly out of his own pocket to get this implemented.

Comment by Airone [ 2012 May 04 ]
Sorry, I'm not able to support this project with finances. I'll continue with HP products.

Comment by Raymond Kuiper [ 2012 May 04 ]
@Walter, I'm a private person and currently just a fan of Zabbix (nothing work related atm) so I won't be able to spend big on this. However, if you can open up a kickstarter or something like that (paypal donations, perhaps?), I'll chip in a few coins. @Airone, you said yourself HP was overly expensive. Why not spend that money on getting this blocking issue out of the way and enjoy the excellent open-source software Zabbix is? It needs a community effort to get all the bits and pieces we want integrated into it; IMHO you hold the cards in your own hand.

Comment by Airone [ 2012 May 04 ]
@qix, I know that, but in a big enterprise you need to have a company like HP that solves problems asap.

Comment by Walter Heck [ 2012 May 08 ]
@qix: won't make it to the conf this year unfortunately, but I'll take you up on that beer at some point. @Airone: well, if someone with an actual budget was to support this effort, I could finish it in the next month. The single reason this is dragging on forever is there's no support from anyone. On a more technical note: I just received a message from my programmer, and we're facing a design choice: We have implemented authentication for active checks (they are initiated by the client). But what about passive checks? Currently we can go as far as not to have the server do passive checks for a client that failed auth in a previous active check. But there is no good model for passive-check-only agents. Personally I'm inclined to take a shortcut and not support that for now, since I only have active checks anyway. But the perfectionist in me wants to do this properly. Ideas are welcome..
Comment by richlv [ 2012 Jun 13 ]
this issue never specified the method, so I'll designate it as a pre-shared key one, and split out ssl and kerberos:

Comment by Walter Heck [ 2012 Jul 16 ]
We finished our patch, now we need to get it back into zabbix. It's written against trunk, so it should be easy enough. We have done quite a bit of testing with an official tester and are quite confident about this. Feel free to give it a spin and tell us what you think: http://zabbix.org/wiki/Active_agent_authentication

Comment by Allen Chan [ 2012 Oct 26 ]
The company I work at is exploring PCI certification. This feature would go a long way towards that.

Comment by Alexander J Sluiter [ 2013 Jan 02 ]
@Walter I too would love to see transport encryption and authentication between agents/servers. What needs to happen to get this feature into v2.x? I'm willing to pay for development if necessary.

Comment by richlv [ 2013 Jan 02 ]
for financing any feature or improvement for zabbix the best option is to contact sales@zabbix.com

Comment by Sébastien [ 2013 Mar 07 ]
Thanks for your work Walter!

Comment by Gareth Brown [ 2013 Aug 09 ]
Bump! Is there any plan to get this into a release yet? With public cloud environments used more and more, especially with auto-registration (and de-registration) of hosts in AWS for example, without this feature there are some clear and inherent risks involved.

Comment by richlv [ 2013 Aug 09 ]
this is not on the roadmap at this time. seems to be sitting on this list without any noticeable progress: http://www.zabbix.com/development_services.php#active_projects

Comment by Stefan [ 2013 Aug 09 ]
yes.. one of the most voted feature requests, and you said you must pay for it, we will fix/add only things that are lower rated.. nice..

Comment by Sergey Syreskin [ 2013 Aug 09 ]
Stefan, do you want the Zabbix team to work for free? Do you work for free? If your company needs this feature, you could talk to your boss; he would possibly allocate budget for funding the development of this feature. For years https://support.zabbix.com/browse/ZBXNEXT-1 was the most voted feature request and now it is in Zabbix 2.2. There will always be a most wanted feature until it is implemented.

Comment by richlv [ 2013 Aug 09 ]
we appreciate discussions, but let's have them on forums or irc

Comment by Raymond Kuiper [ 2014 May 17 ]
Please have a look at ZBXNEXT-2308. Implementing MQTT as a transport protocol will solve this problem and bring some other interesting functionality to Zabbix as well.

Comment by Andris Mednis [ 2014 Oct 29 ]
Raymond - you mean - rearchitect Zabbix for using message queues in server/proxy/agent communications and find an MQTT library with built-in TLS support?

Comment by Rafael Gomes [ 2014 Nov 11 ]
Reading this page[1], I got this: "Does MQTT support security?
[1] - http://mqtt.org/faq

Comment by richlv [ 2015 Jan 15 ]
note that currently

Comment by Alexei Vladishev [ 2016 Feb 22 ]
This functionality was implemented in Zabbix 3.0.0 under

Comment by Aleksandrs Saveljevs [ 2016 Feb 22 ]
Reopening to set a resolution other than "Won't fix"...

Comment by Aleksandrs Saveljevs [ 2016 Feb 22 ]
A duplicate of