[hobbit] Alternate to msgcache/hobbitfetch?

Charles Jones jonescr at cisco.com
Tue Jun 5 21:24:09 CEST 2007


Random thoughts on msgcache and alternatives:

1. SSH tunnels are nice, as they encrypt the data transfers*

2. SSH tunnels are a pain in some ways; imagine managing 1000+ tunnels. 
Even if you have autossh to help keep them up, it's fairly 
resource-intensive to have thousands of ssh tunnels constantly 
established from your server to remote hosts.

3. I would imagine it's not a simple thing to modify hobbit to do 
everything over an "on-demand" ssh tunnel, because Hobbit does more than 
just ssh to a host, run the client script, and parse the output.  
There is also all the other hobbit protocol stuff like pushing out new 
clients, logfile monitoring, etc.

4. If Hobbit could do things via ssh, it would be much easier to deal 
with firewalls, as there are usually already rules in place for ssh, and 
if not it usually doesn't raise any serious flags with infosec if you 
request ssh access.

*5. Regardless, I would like to see some sort of encryption of the 
hobbit protocol. Nothing extreme, just not plaintext. Even a simple XOR 
of the data, or, even better, the server and clients could have a 
hobbit-security.conf where a key was defined, and all data would be 
XOR'd with this key. XORing data is easy to do in C and not resource 
intensive. This should satisfy the folks who worry about sending the 
contents of their logfiles and other sensitive information over the network.

That's my ramblings for the day :)
-Charles
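
Point 5's shared-key XOR, as an added C example that is not part of the original post or of Hobbit's code: it applies the scheme and then shows what it leaves exposed when a message starts with predictable text. The key, the message and the "status " prefix are constructed sample values, and the sketch assumes the key is no longer than the known prefix.

```c
#include <stdio.h>
#include <string.h>

/* XOR buf in place with a repeating key; the same call encrypts and decrypts. */
void xor_with_key(unsigned char *buf, size_t len,
                  const unsigned char *key, size_t keylen)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key[i % keylen];
}

/* With a known plaintext prefix, key byte i is simply cipher[i] ^ known[i].
 * Returns how many key bytes were written to out (at most keylen). */
size_t key_from_known_prefix(const unsigned char *cipher, size_t cipherlen,
                             const unsigned char *known, size_t knownlen,
                             unsigned char *out, size_t keylen)
{
    size_t n = knownlen < cipherlen ? knownlen : cipherlen;
    if (n > keylen)
        n = keylen;
    for (size_t i = 0; i < n; i++)
        out[i] = cipher[i] ^ known[i];
    return n;
}

/* Constructed sample. Returns 1 if the header alone yields the whole key
 * and that key decrypts the full message. */
int demo(void)
{
    const unsigned char key[] = "s3cret";   /* constructed 6-byte key */
    unsigned char msg[] = "status web01.disk red /var is 97% full"; /* constructed */
    const unsigned char hdr[] = "status ";  /* assumed predictable prefix */
    size_t keylen = sizeof key - 1, len = sizeof msg - 1;
    unsigned char orig[sizeof msg], recovered[sizeof key] = {0};

    memcpy(orig, msg, sizeof msg);
    xor_with_key(msg, len, key, keylen);            /* what goes on the wire */
    size_t got = key_from_known_prefix(msg, len, hdr, sizeof hdr - 1,
                                       recovered, keylen);
    xor_with_key(msg, len, recovered, keylen);      /* decrypt without the config */
    return got == keylen && memcmp(msg, orig, len) == 0;
}

int main(void)
{
    printf("key recovered from known header: %s\n", demo() ? "yes" : "no");
    return 0;
}
```

The scheme hides data from casual inspection only; confidentiality against a network observer needs an authenticated cipher, such as the SSH transport in point 1 or TLS.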


