Change dhparam from 512bits to 2048bits to make newer nrpe-clients happy

#! /bin/sh /usr/share/dpatch/dpatch-run
## 09_noremove_pid.dpatch by  <simon.deziel@gmail.com>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Do not remove the PID file after a connection error (original patch 
## DP: from Hiren Patel)

# Author: Hiren Patel
# From: http://comments.gmane.org/gmane.network.nagios.devel/6774
# Bug-Debian: #716949
# Bug-Ubuntu: https://launchpad.net/bugs/1126890

@DPATCH@

Gbp-Pq: Name 09_noremove_pid.dpatch

SECURITY

@@ -93,14 +93,17 @@ ENCRYPTION
 ----------
 
 If you do enable support for command arguments in the NRPE daemon,
-make sure that you encrypt communications either by using:
-
-   1.  Stunnel (see http://www.stunnel.org for more info)
-   2.  Native SSL support
+make sure that you encrypt communications either by using, for
+example, Stunnel (see http://www.stunnel.org for more info).
 
 Do NOT assume that just because the daemon is behind a firewall
 that you are safe!  Always encrypt NRPE traffic!
 
+NOTE: the currently shipped native SSL support of NRPE is not an
+adequante protection, because it does not verify clients and
+server, and uses pregenerated key material. NRPE's SSL option is
+advised against. For more information, see Debian bug #547092.
+
 
 USING ARGUMENTS
 ---------------

configure

@@ -6745,7 +6745,7 @@ _ACEOF
 				sslbin=$ssldir/bin/openssl
 			fi
 			# awk to strip off meta data at bottom of dhparam output
-			$sslbin dhparam -C 512 | awk '/^-----/ {exit} {print}' > include/dh.h
+			$sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h
 		fi
 	fi
 

configure.in

@@ -340,7 +340,7 @@ if test x$check_for_ssl = xyes; then
 				sslbin=$ssldir/bin/openssl
 			fi
 			# awk to strip off meta data at bottom of dhparam output
-			$sslbin dhparam -C 512 | awk '/^-----/ {exit} {print}' > include/dh.h
+			$sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h
 		fi
 	fi
 

sample-config/nrpe.cfg.in

@@ -23,7 +23,7 @@ log_facility=@log_facility@
 # number.  The file is only written if the NRPE daemon is started by the root
 # user and is running in standalone mode.
 
-pid_file=/var/run/nrpe.pid
+pid_file=/var/run/nagios/nrpe.pid
 
 
 
@@ -233,3 +233,14 @@ command[check_total_procs]=@libexecdir@/check_procs -w 150 -c 200
 #command[check_load]=@libexecdir@/check_load -w $ARG1$ -c $ARG2$
 #command[check_disk]=@libexecdir@/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
 #command[check_procs]=@libexecdir@/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$
+
+#
+# local configuration:
+#	if you'd prefer, you can instead place directives here
+include=/etc/nagios/nrpe_local.cfg
+
+# 
+# you can place your config snipplets into nrpe.d/
+# only snipplets ending in .cfg will get included
+include_dir=/etc/nagios/nrpe.d/
+

src/nrpe.c

@@ -266,7 +266,7 @@ int main(int argc, char **argv){
 
 		/* use anonymous DH ciphers */
 		SSL_CTX_set_cipher_list(ctx,"ADH");
-		dh=get_dh512();
+		dh=get_dh2048();
 		SSL_CTX_set_tmp_dh(ctx,dh);
 		DH_free(dh);
 		if(debug==TRUE)
@@ -317,13 +317,13 @@ int main(int argc, char **argv){
 		/* log info to syslog facility */
 		syslog(LOG_NOTICE,"Starting up daemon");
 
+		/* drop privileges */
+		drop_privileges(nrpe_user,nrpe_group);
+
 		/* write pid file */
 		if(write_pid_file()==ERROR)
 			return STATE_CRITICAL;
 
-		/* drop privileges */
-		drop_privileges(nrpe_user,nrpe_group);
-
 		/* make sure we're not root */
 		check_privileges();
 
@@ -998,7 +998,7 @@ void wait_for_connections(void){
 						/* close socket prioer to exiting */
 						close(sock);
 			
-						return;
+                        exit(STATE_CRITICAL);
 						}
 
 					/* handle signals */
@@ -1022,7 +1022,7 @@ void wait_for_connections(void){
 				        /* close socket prior to exiting */
 						close(new_sd);
 
-						return;
+                        exit(STATE_CRITICAL);
 						}
 
 					/* is this is a blessed machine? */