By default, snmpd responds to the frequently abused community strings
"public" and "private".

To prevent this, at present you must either use "seclevel auth" or
"seclevel enc" (if you would like to only use SNMPv3), set an explicit
string for the read-only community, or set either an explicit string
or "disabled" for the read-write community.

I would like to remove the defaults. If somebody really wants to use
the strings "public" or "private" they can set them themselves. The
internet doesn't need any more unintentional UDP amplifiers than
necessary.

Additionally if somebody goes to the trouble of configuring SNMPv3,
the common use case is to want authentication+encryption; anything
wider than that, it's reasonable to expect the user to make it
explicit, so I've changed it to "seclevel enc" by default iff an
SNMPv3 user is created.

This works as expected in the use-cases I've tried. Any concerns/
comments/OKs? (I'll write an faq/current.html entry if it goes in).

Note, it's not possible to require auth+enc for SNMPv3 requests while
also allowing SNMPv1/2; that isn't new and I haven't changed it.

Index: usr.sbin/snmpd/parse.y
===================================================================
RCS file: /cvs/src/usr.sbin/snmpd/parse.y,v
retrieving revision 1.63
diff -u -p -r1.63 parse.y
--- usr.sbin/snmpd/parse.y      22 Jan 2021 06:33:26 -0000      1.63
+++ usr.sbin/snmpd/parse.y      14 Jun 2021 11:49:33 -0000
@@ -266,6 +266,9 @@ main                : LISTEN ON listenproto
                                free($2);
                                YYERROR;
                        }
+                       if (conf->sc_min_seclevel == -1)
+                               conf->sc_min_seclevel =
+                                   (SNMP_MSGFLAG_AUTH | SNMP_MSGFLAG_PRIV);
                } userspecs {
                        const char *errstr;
                        if (usm_checkuser(user, &errstr) < 0) {
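Review bot: the `if (conf->sc_min_seclevel == -1)` check in this mid-rule action relies on `-1` meaning "seclevel not given yet", and that meaning is only established in a different hunk of parse_config(); a one-line comment here (and confirmation that `sc_min_seclevel` is a signed type, which the hunk does not show) would make the ordering rules obvious: an explicit `seclevel` line before the user declaration is preserved, one after it still overrides, and only a config with no `seclevel` at all gets `SNMP_MSGFLAG_AUTH | SNMP_MSGFLAG_PRIV` forced.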
@@ -1112,10 +1115,8 @@ parse_config(const char *filename, u_int
        conf->sc_flags = flags;
        conf->sc_confpath = filename;
        TAILQ_INIT(&conf->sc_addresses);
-       strlcpy(conf->sc_rdcommunity, "public", SNMPD_MAXCOMMUNITYLEN);
-       strlcpy(conf->sc_rwcommunity, "private", SNMPD_MAXCOMMUNITYLEN);
-       strlcpy(conf->sc_trcommunity, "public", SNMPD_MAXCOMMUNITYLEN);
        TAILQ_INIT(&conf->sc_trapreceivers);
+       conf->sc_min_seclevel = -1;
 
        if ((file = pushfile(filename, 0)) == NULL) {
                free(conf);
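Review bot: removing the three `strlcpy` defaults leaves `sc_rdcommunity`, `sc_rwcommunity` and `sc_trcommunity` with whatever the allocation of `conf` gives them, and the allocation is not in this hunk; worth confirming it is zeroed so the fields are empty strings, and that every comparison against them treats an empty configured community as "not configured" rather than as a community that a request carrying an empty community string could match. A short comment where the defaults used to be, stating the fields are intentionally left empty, would document the new behaviour for the next reader.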
@@ -1155,6 +1156,9 @@ parse_config(const char *filename, u_int
                log_warnx("notify listener needs at least one trap handler");
                free(conf);
                return (NULL);
+       }
+       if (conf->sc_min_seclevel == -1) {
+               conf->sc_min_seclevel = 0;
        }
 
        /* Free macros and check which have not been used. */
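Review bot: the braces around the single statement `conf->sc_min_seclevel = 0;` are not needed and differ from the brace-less form used for the matching check in the first hunk; dropping them would follow style(9). Placement is right otherwise: this fallback runs only after the whole file has been parsed, so a `user` declaration anywhere in the file wins over it.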
Index: usr.sbin/snmpd/snmpd.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/snmpd/snmpd.conf.5,v
retrieving revision 1.47
diff -u -p -r1.47 snmpd.conf.5
--- usr.sbin/snmpd/snmpd.conf.5 9 Mar 2021 18:18:55 -0000       1.47
+++ usr.sbin/snmpd/snmpd.conf.5 14 Jun 2021 11:49:33 -0000
@@ -136,12 +136,10 @@ set requires at least one
 statement.
 .It Ic read-only community Ar string
 Specify the name of the read-only community.
-The default value is
-.Ar public .
+There is no default value.
 .It Ic read-write Pq Ic community Ar string Ic | disabled
 Specify the name of the read-write community, or disallow writes completely.
-The default value is
-.Ar private .
+There is no default value.
 .It Ic seclevel Pq Ic none | auth | enc
 Specify the lowest security level that
 .Xr snmpd 8
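Review bot: "There is no default value." under read-only community and read-write community states the new default but not its consequence; a sentence saying that, with no community configured, snmpd does not answer SNMPv1/SNMPv2c requests at that access level (assuming that is the resulting behaviour) would tell the administrator what they are opting out of and would mirror the existing `disabled` wording for read-write.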
@@ -149,7 +147,7 @@ accepts:
 .Bl -tag -width "auth" -offset ident
 .It Ic none
 Both authentication and encryption of messages is optional.
-This is the default value.
+This is the default value if an SNMPv3 user is not configured.
 .It Ic auth
 Authentication of messages is mandatory.
 .Xr snmpd 8
@@ -158,6 +156,7 @@ Encryption of messages is optional.
 .It Ic enc
 Messages must be encrypted and must have a valid digest for authentication.
 Otherwise they will be discarded.
+This is the default value if an SNMPv3 user is configured.
 .El
 .Pp
 If the chosen value is different from
@@ -206,8 +205,7 @@ description in the SNMP MIB for details.
 .\"XXX describe the complicated services alg here
 .It Ic trap community Ar string
 Specify the name of the trap community.
-The default value is
-.Ar public .
+There is no default value.
 .It Ic trap handle Ar oid Qq Ar command
 Execute
 .Ic command
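Review bot: with the trap community default gone, this entry should say what happens when a `trap receiver` is configured but no `trap community` is set (whether parsing fails or traps go out with an empty community); "There is no default value." alone leaves that open.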
@@ -330,6 +328,7 @@ to listen on localhost, override the def
 magic services value and provides some custom OID values:
 .Bd -literal -offset indent
 listen on 127.0.0.1
+read community public
 
 system oid 1.3.6.1.4.1.30155.23.2
 system services 74
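Review bot: the added example line `read community public` does not match the directive documented earlier in this same file (`.It Ic read-only community Ar string`) nor the line used in the regress configuration in this patch (`read-only community public`); it should read `read-only community public`, otherwise the example will not parse.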
Index: regress/usr.sbin/snmpd/snmpd.sh
===================================================================
RCS file: /cvs/src/regress/usr.sbin/snmpd/snmpd.sh,v
retrieving revision 1.13
diff -u -p -r1.13 snmpd.sh
--- regress/usr.sbin/snmpd/snmpd.sh     22 Jan 2021 06:35:26 -0000      1.13
+++ regress/usr.sbin/snmpd/snmpd.sh     14 Jun 2021 11:49:33 -0000
@@ -72,6 +72,11 @@ listen on ::1 notify
 # Specify a number of trap receivers
 trap receiver localhost
 
+# Specify communities
+read-only community public
+read-write community private
+trap community public
+
 trap handle 1.2.3.4 "/usr/bin/touch ${TMPFILE}"
 EOF
 
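Review bot: adding the three community lines keeps the existing retrieval tests passing, but nothing in the regress now exercises the behaviour this change introduces; a negative case that starts snmpd with a configuration lacking `read-only community` and checks that a request using the community `public` gets no answer would pin down the new default.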
@@ -130,7 +135,7 @@ carp_allow="$(eval $snmp_command)"
 carp_allow="${carp_allow##.1.3.6.1.4.1.30155.6.1.1.0 }"
 if [ "$carp" -ne "$carp_allow" ]
 then
-       echo "Retrieval of carp.allow with default ro cummunity string failed."
+       echo "Retrieval of carp.allow with default ro community string failed."
        FAILED=1
 fi
 
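Review bot: the spelling fix is correct, but the message still says "default ro community string" even though the community is now explicitly set in the generated configuration a few hunks above; "configured ro community string" would describe what is actually tested. The same applies to the second message fixed in the hunk at `@@ -288,7 +293,7 @@`.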
@@ -288,7 +293,7 @@ carp_allow="$(eval $snmp_command)"
 
carp_allow="${carp_allow##.iso.org.dod.internet.private.enterprises.openBSD.carpMIBObjects.carpSysctl.carpAllow.0
 = }"
 if [ "$carp" -ne "$carp_allow" ]
 then
-       echo "Retrieval test with default ro cummunity string failed."
+       echo "Retrieval test with default ro community string failed."
        FAILED=1
 fi
 