On 2021/06/15 17:39, Stuart Henderson wrote: > > Then again, I don't get the feeling many people use snmpd at this time > > and maybe it's a good moment to bite the bullet and go for safest > > defaults possible at this time. But if that's the case I would like to > > follow up with a diff to changes the default auth to hmac-sha512, > > because snmp drops trailing bytes of the result and enc to aes instead > > of des. > > This is the change that feels most likely to affect existing SNMPv3 users. > Support in management software beyond aes/sha1 is a bit lacking and prone > to incompatibility (I had issues with net-snmp and snmpd using hmac-sha256 > though it seems it will work with hmac-sha512..)
BTW, having updated a few machines now, I am finding the change to sha2-256 by default to be a complete pain, especially considering that /etc/examples/snmpd.conf uses "enc aes" but has no setting for auth so relies on defaults for that..
