On Tue, 2021-08-03 at 18:24 +0100, Stuart Henderson wrote:
> On 2021/06/15 17:39, Stuart Henderson wrote:
> > > Then again, I don't get the feeling many people use snmpd at this time
> > > and maybe it's a good moment to bite the bullet and go for safest
> > > defaults possible at this time. But if that's the case I would like to
> > > follow up with a diff to change the default auth to hmac-sha512,
> > > because snmp drops trailing bytes of the result and enc to aes instead
> > > of des.
> > 
> > This is the change that feels most likely to affect existing SNMPv3 users.
> > Support in management software beyond aes/sha1 is a bit lacking and prone
> > to incompatibility (I had issues with net-snmp and snmpd using hmac-sha256
> > though it seems it will work with hmac-sha512..)
> 
> BTW, having updated a few machines now, I am finding the change to
> sha2-256 by default to be a complete pain, especially considering that
> /etc/examples/snmpd.conf uses "enc aes" but has no setting for auth
> so relies on defaults for that..
> 
I can't do a lot with "a complete pain".

Does something like the diff below make things more intuitive? If not,
could you be a little more concrete?

martijn@

Index: snmpd.conf
===================================================================
RCS file: /cvs/src/etc/examples/snmpd.conf,v
retrieving revision 1.1
diff -u -p -r1.1 snmpd.conf
--- snmpd.conf  11 Jul 2014 21:20:10 -0000      1.1
+++ snmpd.conf  3 Aug 2021 20:05:53 -0000
@@ -18,7 +18,9 @@ system services 74
 oid 1.3.6.1.4.1.30155.42.3.1 name testStringValue read-only string "Test"
 oid 1.3.6.1.4.1.30155.42.3.4 name testIntValue read-write integer 1
 
-# Enable SNMPv3 USM with authentication, encryption and two defined users
-#seclevel enc
-#user "user1" authkey "password123" enc aes enckey "321drowssap"
-#user "user2" authkey "password456" enckey "654drowssap"
+# Create two SNMPv3 USM users:
+# User with default crypto values
+#user "defaultuser" authkey "password123" enckey "321drowssap"
+# User with backwards compatible crypto:
+# Only enable and use when client absolutely can't deal with modern defaults.
+#user "compatuser" authkey "password456" auth hmac-md5 enckey "654drowssap" 
enc des
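Review bot: the last added line is split, with `enc des` sitting on its own line without the `+` prefix, so the hunk as posted would not apply cleanly with patch(1); keep the `compatuser` line whole (or, if this is only mail wrapping, resend the diff as an attachment). Two documentation points on the same hunk: the comment `# User with default crypto values` does not say what those defaults are, which is exactly the complaint upthread about the example file relying on unstated defaults for auth; naming them in the comment (the defaults discussed in this thread are hmac-sha256 for auth and aes for enc) would remove the guesswork for anyone copying the example. Also, dropping `#seclevel enc` removes the only example of enforcing a minimum security level; since both new users still carry an enckey, keeping a commented `#seclevel enc` line next to them would show how to require encryption rather than merely permit it.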
