On Sun, 2021-06-20 at 12:58 +0100, Stuart Henderson wrote:
> Index: current.html
> ===================================================================
> RCS file: /cvs/www/faq/current.html,v
> retrieving revision 1.1071
> diff -u -p -r1.1071 current.html
> --- current.html 26 May 2021 12:12:58 -0000 1.1071
> +++ current.html 20 Jun 2021 11:58:05 -0000
> @@ -65,6 +65,36 @@ to update /etc/raddb/mods-available/eap
> lines.
> 
> 
> +<h3 id="r20210620">2021/06/20 - snmpd authentication changes</h3>
> +
> +Default authentication settings in <a

I'd go with the wider term security, because forcing encryption is more than
just authentication.

> +href="https://man.openbsd.org/snmpd">snmpd(8)</a> have been tightened.
> +You may need to adjust
> +<a href="https://man.openbsd.org/snmpd.conf.5">snmpd.conf(5)</a> and/or
> +configuration of your SNMP management stations.
> +Preferably use SNMPv3 with AES/SHA-256 or better.<p>
> +
> +For SNMPv1/v2c, previously it responded to requests for communities named
> +"public" or "private" unless alternative communities were set; this has
> +changed so that there are no default communities.
> +If you would like it to continue to respond to the community named "public"
> +then set <code>read-only community public</code> (do not use this if the
> +service is accessible from the internet; UDP SNMP with insecure
> +authentication is a potent packet amplifier). <code>read-write
> +disabled</code> has been removed as this is now the default.<p>

This misses that not only are the communities disabled by default, but the
entire MPS is disabled and can only be enabled on a per listener basis.
Also, it might be implied in the text above, but should we also put some
extra emphasis on "trap handle" and "trap receiver"? The former always
requiring enabling SNMPv{1,2c} on the listener and "trap community" and the
latter requiring "trap community" if "community <string>" isn't given on the
trap receiver line. Bit on the fence for this one.

> +
> +For SNMPv3, previously it responded to SNMPv3 "noAuthNoPriv" requests
> +(without authentication) unless "seclevel" was used.
> +This has changed to requiring authentication and encryption by
> +default.
> +If you would like it to continue to respond without authentication,
> +set <code>seclevel none</code>.
> +If you would like it to respond with authentication but without
> +requiring encryption, set <code>seclevel auth</code>.
> +The default authentication has changed to <code>hmac-sha256</code>
> +and the default encryption to <code>AES</code>.

This also changed for snmp(1).

> +
> +
> <!--
> Two blank lines before new sections.
> New sentences start on new lines.
> 

Maybe something like this?

martijn@

Index: current.html
===================================================================
RCS file: /cvs/www/faq/current.html,v
retrieving revision 1.1071
diff -u -p -r1.1071 current.html
--- current.html 26 May 2021 12:12:58 -0000 1.1071
+++ current.html 20 Jun 2021 15:00:12 -0000
@@ -65,6 +65,45 @@ to update /etc/raddb/mods-available/eap
 lines.
 
 
+<h3 id="r20210620">2021/06/20 - snmpd authentication changes</h3>
+
+Default security settings in
+<a href="https://man.openbsd.org/snmpd">snmpd(8)</a> and
+<a href="https://man.openbsd.org/snmp">snmp(1)</a> have been tightened.
+You may need to adjust
+<a href="https://man.openbsd.org/snmpd.conf.5">snmpd.conf(5)</a> and/or
+configuration of your SNMP management stations.
+Preferably use SNMPv3 with AES/SHA-256 or better.
+
+<p>
+By default only SNMPv3 is enabled. Desired message processing subsystems can be
+enabled on a per listener basis; e.g. to enable a listener with only SNMPv1/v2c
+read support set <code>listen on 127.0.0.1 snmpv1 snmpv2 read</code>.
+
+<p>
+For SNMPv1/v2c, previously it responded to requests for communities named
+"public" or "private" unless alternative communities were set; this has changed
+so that there are no default communities. If you would like it to continue to
+respond to the community named "public" then set <code>read-only community
+public</code> (do not use this if the service is accessible from the internet;
+UDP SNMP with insecure authentication is a potent packet amplifier).
+<code>read-write disabled</code> has been removed as this is now the default.
+
+<p>
+For SNMPv3, previously it responded to SNMPv3 "noAuthNoPriv" requests (without
+authentication) unless "seclevel" was used. This has changed to requiring
+authentication and encryption by default. If you would like it to continue to
+respond without authentication, set <code>seclevel none</code>. If you would
+like it to respond with authentication but without requiring encryption, set
+<code>seclevel auth</code>.
+
+<p>
+The default authentication has changed to <code>hmac-sha256</code> and the
+default encryption to <code>AES</code> for both
+<a href="https://man.openbsd.org/snmpd">snmpd(8)</a> and
+<a href="https://man.openbsd.org/snmp">snmp(1)</a>.
+
+
 <!--
 Two blank lines before new sections.
 New sentences start on new lines.
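Review bot: the heading in this hunk still reads "snmpd authentication changes" while the body now opens with "Default security settings" and covers snmp(1) as well; consider something like "snmpd and snmp security changes" so the heading matches the widened scope. Also worth double-checking the listener example <code>listen on 127.0.0.1 snmpv1 snmpv2 read</code> against snmpd.conf(5): the surrounding prose says "SNMPv1/v2c", and a keyword that does not match the parser would leave readers copying a line that fails to load.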
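To make the before/after concrete for someone updating a host, here is an added snmpd.conf(5) fragment (not from the thread, the patch or the OpenBSD FAQ) that puts the settings which re-create the old permissive behaviour next to the ones that spell out the tightened defaults the patch describes. The "listen on", "read-only community", "seclevel none/auth" and "trap community"/"trap receiver ... community" forms are taken from the thread; "seclevel enc" and the "user" line are assumptions about snmpd.conf(5) syntax, the addresses and keys are constructed placeholders, and everything should be checked against the man page of the release in use.

```conf
# Added example, not part of the thread or the FAQ patch.
# Two ways to configure snmpd(8) after the 2021/06/20 change.

# --- Permissive: re-creates the pre-change behaviour on purpose ---------------
# The SNMPv1/v2c message processing subsystems are now off unless a listener
# asks for them (keyword spelling as written in the patch; verify in the man page).
listen on 127.0.0.1 snmpv1 snmpv2 read
# Brings back the old "public" default community. Only for hosts that are not
# reachable from the internet: UDP SNMP with community auth is an amplifier.
read-only community public
# Accepts SNMPv3 noAuthNoPriv requests again (the old default).
seclevel none

# --- Tightened: the new defaults, written out explicitly ---------------------
# A listener with no message processing keywords stays SNMPv3-only.
# (192.0.2.10 is a constructed documentation address.)
listen on 192.0.2.10
# ASSUMPTION: "enc" is the seclevel keyword for auth + encryption,
# i.e. the behaviour the patch says is now the default.
seclevel enc
# SNMPv3 user that gets the new default algorithms (hmac-sha256 / AES).
# ASSUMPTION: "user" line syntax; keys are placeholders, replace before use.
user "monitor" authkey "REPLACE-WITH-AUTH-KEY" enckey "REPLACE-WITH-ENC-KEY"

# --- Traps -------------------------------------------------------------------
# Per the thread: a "trap handle" needs SNMPv1/v2c enabled on the listener and
# a "trap community"; a "trap receiver" needs "trap community" unless the
# receiver line carries its own "community". 192.0.2.20 is constructed.
trap community REPLACE-WITH-TRAP-COMMUNITY
trap receiver 192.0.2.20 community REPLACE-WITH-TRAP-COMMUNITY
```

Only one of the two halves belongs in a real file; the point is that every line in the "permissive" half is something an operator now has to write deliberately, which is what makes the new defaults safe on an internet-facing host.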