Nagios NRPE – Debian Jessie: Command arguments not working

On Debian Jessie server, the NRPE checks didn’t work like Wheezy server.
Enabling the debug log (debug=1) of NRPE revealed:

Jun 25 11:30:02 irhtsrvp01 nrpe[7135]: Connection from monitoringserver port 24011 
Jun 25 11:30:02 irhtsrvp01 nrpe[7135]: Host address is in allowed_hosts 
Jun 25 11:30:02 irhtsrvp01 nrpe[7135]: Handling the connection... 
Jun 25 11:30:02 irhtsrvp01 nrpe[7135]: Error: Request contained command arguments! 
Jun 25 11:30:02 irhtsrvp01 nrpe[7135]: Client request was invalid, bailing out... 
Jun 25 11:30:02 irhtsrvp01 nrpe[7135]: Connection from ... closed.

As I am using the same basic configuration of nrpe.cfg everywhere, I double-checked if I mistakenly disabled the “dont_blame_nrpe” setting.
But nope.
Then I came across this Debian bug report (756479). The maintainer of the nagios-nrpe-server package disabled the command arguments by compiling the package without the –enable-command-args option.
While the reason sounds plausible…

“This feature has several security problems and is often used wrong.”

… it punishes every other user who used this feature correctly.

Here the steps to recompile the package.

1) Add the deb-src line into your /etc/apt/sources.list file, if it doesn’t exist yet:

# deb-src http://http.debian.net/debian jessie main

Update the repository list afterwards:

# apt-get update

2) Install the build tools and dependencies needed to compile the package:

# apt-get install build-essential devscripts debhelper libssl-dev dpatch libwrap0-dev autotools-dev

3) Symlink the openssl library:

# ln -s /usr/lib/x86_64-linux-gnu/libssl.so /usr/lib/libssl.so

4) Download the nagios-nrpe-server source package:

# apt-get source nagios-nrpe-server

The files will be downloaded into the current directory.

5) Change into the package directory and adapt the debian/rules file:

# cd nagios-nrpe-2.15/; vi debian/rules

At the end of the “override_dh_auto_configure” the “–enable-command-args” need to be added:

override_dh_auto_configure: 
        ./configure \ 
                --prefix=/usr \ 
                --enable-ssl \ 
                --with-ssl-lib=/usr/lib/$(DEB_HOST_MULTIARCH) \ 
                --sysconfdir=/etc \ 
                --localstatedir=/var \ 
                --libexecdir=/usr/lib/nagios/plugins \ 
                --libdir=/usr/lib/nagios \ 
                --enable-command-args

6) Save and Exit. Edit the changelog:

# dch -i

This command will ask you to enter information what exactly you have done to this package. Example:

nagios-nrpe (2.15-1.1) UNRELEASED; urgency=medium 

  * Non-maintainer upload. 
  * Recompile with --enable-command-args 

 -- Author  Wed, 25 Jun 2016 11:42:40 +0200

7) Compile and create the package:

# ./configure 
# make all 
# dpkg-buildpackage

8) Move one directory up and you will see the newly created files:

# cd ..; ll | grep 2.15-1.1 
-rw-r--r-- 1 root root   1748 Jun 25 11:47 nagios-nrpe_2.15-1.1_amd64.changes 
-rw-r--r-- 1 root root  11580 Jun 25 11:47 nagios-nrpe_2.15-1.1.diff.gz 
-rw-r--r-- 1 root root   1104 Jun 25 11:47 nagios-nrpe_2.15-1.1.dsc 
-rw-r--r-- 1 root root  19022 Jun 25 11:47 nagios-nrpe-plugin_2.15-1.1_amd64.deb 
-rw-r--r-- 1 root root  39268 Jun 25 11:47 nagios-nrpe-server_2.15-1.1_amd64.deb

By looking at the .changes file, we can see the previously entered changelog entry and the different checksums of the changed files:

# cat nagios-nrpe_2.15-1.1_amd64.changes 
Format: 1.8 
Date: Wed, 25 Jun 2016 11:42:40 +0200 
Source: nagios-nrpe 
Binary: nagios-nrpe-server nagios-nrpe-plugin 
Architecture: source amd64 
Version: 2.15-1.1 
Distribution: UNRELEASED 
Urgency: medium 
Maintainer: Debian Nagios Maintainer Group <[email protected]>
Changed-By: Author
Description: 
 nagios-nrpe-plugin - Nagios Remote Plugin Executor Plugin 
 nagios-nrpe-server - Nagios Remote Plugin Executor Server 
Changes: 
 nagios-nrpe (2.15-1.1) UNRELEASED; urgency=medium 
 . 
   * Non-maintainer upload. 
   * Recompile with --enable-command-args 
Checksums-Sha1: 
 dd57d896cc4698a150cb55696f6fd3f9db80ab71 1104 nagios-nrpe_2.15-1.1.dsc 
 b0928ac497f4670ca74a5f59df0a8692387b156b 11580 nagios-nrpe_2.15-1.1.diff.gz 
 3360ef223a15cc3cb31764d7f058e13f71d5c36f 39268 nagios-nrpe-server_2.15-1.1_amd64.deb 
 296a826c17e688f3b36cebb6d299a0d7f0443656 19022 nagios-nrpe-plugin_2.15-1.1_amd64.deb 
Checksums-Sha256: 
 682d43491235d65130499eb16a5fbcc1424d4664e59217fefa1cec05acc17d70 1104 nagios-nrpe_2.15-1.1.dsc 
 a0a73a17d8f6031b098f4eaa9e1482e3feef370fd7325321d8df8276224554a1 11580 nagios-nrpe_2.15-1.1.diff.gz 
 67d62603bfa99c5b57ac7c180ed4d77a268d6de59d235ae22028ef77360f8c09 39268 nagios-nrpe-server_2.15-1.1_amd64.deb 
 e96c99a46904a2f7986d17624ab9b7e99137bd4c6c582fa9474b32400e5a3457 19022 nagios-nrpe-plugin_2.15-1.1_amd64.deb 
Files: 
 3ffc7ee400afd760c795ec77ef65ebbc 1104 net optional nagios-nrpe_2.15-1.1.dsc 
 1f2d8b45af2d4aed8d8fea2d6ebe1348 11580 net optional nagios-nrpe_2.15-1.1.diff.gz 
 4ad15e0dcecedfd3f15a5b91bc4a594f 39268 net optional nagios-nrpe-server_2.15-1.1_amd64.deb 
 a6f2e11f0516a4a6c05b4e3832df3281 19022 net optional nagios-nrpe-plugin_2.15-1.1_amd64.deb

9) The deb package can now be installed:

# dpkg -i nagios-nrpe-server_2.15-1.1_amd64.deb 
Selecting previously unselected package nagios-nrpe-server. 
(Reading database ... 26533 files and directories currently installed.) 
Preparing to unpack nagios-nrpe-server_2.15-1.1_amd64.deb ... 
Unpacking nagios-nrpe-server (2.15-1.1) ... 
Setting up nagios-nrpe-server (2.15-1.1) ... 
[ ok ] Starting nagios-nrpe: nagios-nrpe. 
Processing triggers for man-db (2.7.0.2-5) ...

# dpkg -l | grep nrpe 
ii  nagios-nrpe-server      2.15-1.1         amd64        Nagios Remote Plugin Executor Server