On 2021/08/03 22:07, Martijn van Duren wrote: > On Tue, 2021-08-03 at 18:24 +0100, Stuart Henderson wrote: > > On 2021/06/15 17:39, Stuart Henderson wrote: > > > > Then again, I don't get the feeling many people use snmpd at this time > > > > and maybe it's a good moment to bite the bullet and go for safest > > > > defaults possible at this time. But if that's the case I would like to > > > > follow up with a diff to changes the default auth to hmac-sha512, > > > > because snmp drops trailing bytes of the result and enc to aes instead > > > > of des. > > > > > > This is the change that feels most likely to affect existing SNMPv3 users. > > > Support in management software beyond aes/sha1 is a bit lacking and prone > > > to incompatibility (I had issues with net-snmp and snmpd using hmac-sha256 > > > though it seems it will work with hmac-sha512..) > > > > BTW, having updated a few machines now, I am finding the change to > > sha2-256 by default to be a complete pain, especially considering that > > /etc/examples/snmpd.conf uses "enc aes" but has no setting for auth > > so relies on defaults for that.. > > > I can't do a lot with "a complete pain". > > Does something like the diff below make things more intuitive? If not, > could you be a little more concrete? > > martijn@ > > Index: snmpd.conf > =================================================================== > RCS file: /cvs/src/etc/examples/snmpd.conf,v > retrieving revision 1.1 > diff -u -p -r1.1 snmpd.conf > --- snmpd.conf 11 Jul 2014 21:20:10 -0000 1.1 > +++ snmpd.conf 3 Aug 2021 20:05:53 -0000 > @@ -18,7 +18,9 @@ system services 74 > oid 1.3.6.1.4.1.30155.42.3.1 name testStringValue read-only string "Test" > oid 1.3.6.1.4.1.30155.42.3.4 name testIntValue read-write integer 1 > > -# Enable SNMPv3 USM with authentication, encryption and two defined users > -#seclevel enc > -#user "user1" authkey "password123" enc aes enckey "321drowssap" > -#user "user2" authkey "password456" enckey "654drowssap" > +# Create two SNMPv3 USM users: > +# User with default crypto values > +#user "defaultuser" authkey "password123" enckey "321drowssap" > +# User with backwards compatible crypto: > +# Only enable and use when client absolutely can't deal with modern defaults. > +#user "compatuser" authkey "password456" auth hmac-md5 enckey "654drowssap" > enc des > >
Given the lack of support for SHA2-256 in much management software until recently AES+SHA is a pretty common configuration. And given the old snmpd.conf example I think that is often done by copying/editing so just "enc aes" is there with no auth setting. Wondering if that part might not have been such a good change and what anyone else thinks..
