On Sun, 2021-06-20 at 09:18 -0600, Theo de Raadt wrote:
> Please don't turn current.html into a series of essays.
>
> At most, the chunks in this page should highlight that something has changed.
> What has changed? Keep it simple. People should be taught to re-read the
> updated manual page. Thus the manual pages should be accurate.
>
> Using current.html as a learning center is doomed. Almost no one reads this.
Does this read better? Index: current.html =================================================================== RCS file: /cvs/www/faq/current.html,v retrieving revision 1.1071 diff -u -p -r1.1071 current.html --- current.html 26 May 2021 12:12:58 -0000 1.1071 +++ current.html 20 Jun 2021 16:42:35 -0000 @@ -65,6 +65,37 @@ to update /etc/raddb/mods-available/eap lines. +<h3 id="r20210620">2021/06/20 - snmp security changes</h3> + +Default security settings in +<a href="https://man.openbsd.org/snmpd">snmpd(8)</a> and +<a href="https://man.openbsd.org/snmp">snmp(1)</a> have been tightened. + +<ul> +<li> +By default only SNMPv3 is enabled for +<a href="https://man.openbsd.org/snmpd">snmpd(8)</a>. Desired message processing +subsystems can be enabled on a per listener basis; e.g. to enable a listener +with only SNMPv1/v2c read support set <code>listen on 127.0.0.1 snmpv1 snmpv2 +read</code>. + +<li> +Default communities have been removed from +<a href="https://man.openbsd.org/snmpd">snmpd(8)</a>. To enable read queries via +the public community set <code>read-only community public</code>, in addition to +the <code>listen on</code> flags. + +<li> +<a href="https://man.openbsd.org/snmpd">snmpd(8)</a>'s <code>seclevel</code> +default changed from <code>none</code> to <code>enc</code>. + +<li> +The default authentication has changed to SHA256 and the default encryption to +AES for both <a href="https://man.openbsd.org/snmpd">snmpd(8)</a> and +<a href="https://man.openbsd.org/snmp">snmp(1)</a>. +</ul> + + <!-- Two blank lines before new sections. New sentences start on new lines.
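
Review bot: In the first list item the prose says "SNMPv1/v2c" but the example reads `listen on 127.0.0.1 snmpv1 snmpv2 read`; please check the keyword against the manual page, since readers will paste this line as written and a listener that fails to parse is easy to miss after an upgrade. The same applies to the second item: everything in this entry is a configuration directive (`listen on`, `read-only community`, `seclevel`), so linking the configuration manual page in addition to snmpd(8) would send people straight to the text they need to re-read. The `seclevel` item states the change from `none` to `enc` but not what an existing configuration without a configured user will now do; one short clause on the visible effect would be enough. Style: the trailing context comment says "New sentences start on new lines", yet "Desired message processing" and "To enable read queries via" both begin mid-line after `</a>.`; break those lines to match the file's convention.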