<div dir="ltr"><div dir="ltr">There is a commercial version, but this code is open source: <a href="https://github.com/saltstack/salt">https://github.com/saltstack/salt</a></div><div>I wasn't saying we use their code - although if the licence says that other open source projects can use it, then it is worth considering. It looks like it's using the Apache licence.<br></div><div><br clear="all"></div><div dir="ltr"><div><div><div dir="ltr" class="gmail_signature"><div dir="ltr"><span><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr">
<div style="text-align:left"><span style="font-size:12px"><span style="font-family:arial,helvetica,sans-serif">Kind regards,<br><br>SebA<br><br></span></span></div></div></div></div></div></div></div></span></div></div></div><br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 12 Mar 2019 at 15:10, Bruce Ferrell <<a href="mailto:bferrell@baywinds.org">bferrell@baywinds.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">...And looking even closer at saltstack, it's a commercial product, leading to a possible trigger of "that's ours! cross our palms with MUCH silver" (probably based on OSS, but <br>
thats' never stopped anyone).<br>
<br>
Taking me back to "do it outside of xymon" for cleanliness sake.<br>
<br>
<br>
On 3/12/19 6:50 AM, SebA wrote:<br>
> The way Salt Minions authenticate and their keys have to be accepted on the Salt Master works pretty well. I don't believe they expire. It's been a while since I looked at it, <br>
> so I couldn't tell you exactly how it works, but there's some information here:<br>
> <a href="https://docs.saltstack.com/en/getstarted/system/communication.html" rel="noreferrer" target="_blank">https://docs.saltstack.com/en/getstarted/system/communication.html</a><br>
> Anyway, that model would probably work pretty well for Xymon, so long as the reporting client is not ephemeral.<br>
><br>
> Kind regards,<br>
><br>
> SebA<br>
><br>
><br>
><br>
> On Sat, 9 Mar 2019 at 02:10, Bruce Ferrell <<a href="mailto:bferrell@baywinds.org" target="_blank">bferrell@baywinds.org</a> <mailto:<a href="mailto:bferrell@baywinds.org" target="_blank">bferrell@baywinds.org</a>>> wrote:<br>
><br>
><br>
> I'm not sure which standard is in use here, so I'll just top post like Richard did. Please don't shoot me.<br>
><br>
><br>
> People always go for certs... And then they expire and stuff starts breaking or alerting right and left all at once. GACK!<br>
><br>
> For real hilarity, make them expire ten years out. By that time, no one even remembers that certs were even installed or what they're for. As the home loan industry said right<br>
> before the big crash, IBG, UBG (I be gone, you be gone).<br>
><br>
> From one who has had to deal with such mass silliness, take it from me, it's NO FUN and REALLY tedious to fix.<br>
><br>
> "But I'll just use the cert for tunnel authentication" I hear you say... If in-authentic communication (even self signed) isn't denied, do we care if it's signed really? If<br>
> we do<br>
> care then we deny communication/ignore messages. Now we've lost reporting links and visibility.<br>
><br>
> Some form of message authentication is probably a good idea though. Just something that doesn't expire and can be revoked as needed. gpg/pgp keys maybe, but then we get the<br>
> issue<br>
> of gpg/pgp key distribution/signing. Key per monitored system... Anyone want to manage THAT?<br>
><br>
><br>
><br>
><br>
> On 3/8/19 11:28 AM, Richard L. Hamilton wrote:<br>
> > In the ideal, esp. when the client may have a dynamic IP address (DHCP without reserved addresses, or mobile clients, for example), it would IMO also be really good if the<br>
> client reports could optionally be signed, with a certificate the server could verify, to give some confidence as to their actually coming from the client...not that that<br>
> assures that the actual client wasn't compromised, but it's better than nothing insofar as it at least gives good odds that misleading (or maliciously crafted) data from<br>
> elsewhere isn't being provided.<br>
> ><br>
> >> On Mar 8, 2019, at 11:09, Axel Beckert <<a href="mailto:abe@deuxchevaux.org" target="_blank">abe@deuxchevaux.org</a> <mailto:<a href="mailto:abe@deuxchevaux.org" target="_blank">abe@deuxchevaux.org</a>>> wrote:<br>
> >><br>
> >> Hi Ralph,<br>
> >><br>
> >> On Fri, Mar 08, 2019 at 10:40:55AM -0500, Ralph Mitchell wrote:<br>
> >>> I'd still like to see encrypted connections for Xymon client messages going<br>
> >>> to the server.<br>
> >> Yeah, this definitely is a feature which would be very nice to<br>
> >> available out of the box.<br>
> >><br>
> >> Nevertheless you can do that already now with stunnel as I mentioned:<br>
> >><br>
> >>>> (And yes, I'm still hoping and waiting for IPv6 support, too,<br>
> >>>> especially in xymonnet-based checks. Reporting to IPv6-only servers is<br>
> >>>> no issue though, if you anyways use stunnel to encrypt the<br>
> >>>> client-reporting traffic.)<br>
> >> Debian's xymon package ships /usr/share/doc/xymon/README.encryption<br>
> >> with hints how to implement encrypted reporting with Xymon.<br>
> >><br>
> >> The current version can be found in our packaging git repository at<br>
> >> <a href="https://salsa.debian.org/debian/xymon/blob/master/debian/README.encryption" rel="noreferrer" target="_blank">https://salsa.debian.org/debian/xymon/blob/master/debian/README.encryption</a><br>
> >> although I'm thinking about renaming it to <a href="http://README.encryption.md" rel="noreferrer" target="_blank">README.encryption.md</a> <<a href="http://README.encryption.md" rel="noreferrer" target="_blank">http://README.encryption.md</a>> as I<br>
> >> wrote it in Markdown syntax.<br>
> >><br>
> >> It also refers to this more detailed documentation:<br>
> >> <a href="https://en.wikibooks.org/wiki/System_Monitoring_with_Xymon/Administration_Guide#Encryption_and_Tunnelling" rel="noreferrer" target="_blank">https://en.wikibooks.org/wiki/System_Monitoring_with_Xymon/Administration_Guide#Encryption_and_Tunnelling</a><br>
> >><br>
> >> HTH!<br>
> >><br>
> >> Kind regards, Axel<br>
><br>
> _______________________________________________<br>
> Xymon mailing list<br>
> <a href="mailto:Xymon@xymon.com" target="_blank">Xymon@xymon.com</a> <mailto:<a href="mailto:Xymon@xymon.com" target="_blank">Xymon@xymon.com</a>><br>
> <a href="http://lists.xymon.com/mailman/listinfo/xymon" rel="noreferrer" target="_blank">http://lists.xymon.com/mailman/listinfo/xymon</a><br>
><br>
<br>
</blockquote></div>