On Tue, 2021-08-03 at 21:58 +0100, Stuart Henderson wrote:
> On 2021/08/03 22:07, Martijn van Duren wrote:
> > On Tue, 2021-08-03 at 18:24 +0100, Stuart Henderson wrote:
> > > On 2021/06/15 17:39, Stuart Henderson wrote:
> > > > > Then again, I don't get the feeling many people use snmpd at this time
> > > > > and maybe it's a good moment to bite the bullet and go for safest
> > > > > defaults possible at this time. But if that's the case I would like to
> > > > > follow up with a diff to changes the default auth to hmac-sha512,
> > > > > because snmp drops trailing bytes of the result and enc to aes instead
> > > > > of des.
> > > > 
> > > > This is the change that feels most likely to affect existing SNMPv3 users.
> > > > Support in management software beyond aes/sha1 is a bit lacking and prone
> > > > to incompatibility (I had issues with net-snmp and snmpd using hmac-sha256
> > > > though it seems it will work with hmac-sha512..)
> > > 
> > > BTW, having updated a few machines now, I am finding the change to
> > > sha2-256 by default to be a complete pain, especially considering that
> > > /etc/examples/snmpd.conf uses "enc aes" but has no setting for auth
> > > so relies on defaults for that..
> > > 
> > I can't do a lot with "a complete pain".
> > 
> > Does something like the diff below make things more intuitive? If not,
> > could you be a little more concrete?
> > 
> > martijn@
> > 
> > Index: snmpd.conf
> > ===================================================================
> > RCS file: /cvs/src/etc/examples/snmpd.conf,v
> > retrieving revision 1.1
> > diff -u -p -r1.1 snmpd.conf
> > --- snmpd.conf  11 Jul 2014 21:20:10 -0000      1.1
> > +++ snmpd.conf  3 Aug 2021 20:05:53 -0000
> > @@ -18,7 +18,9 @@ system services 74
> >  oid 1.3.6.1.4.1.30155.42.3.1 name testStringValue read-only string "Test"
> >  oid 1.3.6.1.4.1.30155.42.3.4 name testIntValue read-write integer 1
> >  
> > -# Enable SNMPv3 USM with authentication, encryption and two defined users
> > -#seclevel enc
> > -#user "user1" authkey "password123" enc aes enckey "321drowssap"
> > -#user "user2" authkey "password456" enckey "654drowssap"
> > +# Create two SNMPv3 USM users:
> > +# User with default crypto values
> > +#user "defaultuser" authkey "password123" enckey "321drowssap"
> > +# User with backwards compatible crypto:
> > +# Only enable and use when client absolutely can't deal with modern 
> > defaults.
> > +#user "compatuser" authkey "password456" auth hmac-md5 enckey 
> > "654drowssap" enc des
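Review bot: the new "defaultuser" line depends on defaults that the comment calls "default crypto values" without naming them, which repeats the copy-and-edit trap the thread describes for the old "enc aes" line that carried no auth setting; state the algorithms the line resolves to in the comment (the thread names hmac-sha256 as the current auth default) so a reader who copies it knows what their manager must be configured for. Dropping `-#seclevel enc` also removes the only example of enforcing a minimum security level; consider keeping a commented `seclevel enc` line so the example still shows how to require authentication and encryption for every user, compat user included.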
> > 
> > 
> 
> Given the lack of support for SHA2-256 in much management software until
> recently AES+SHA is a pretty common configuration. And given the old snmpd.conf
> example I think that is often done by copying/editing so just "enc aes" is there
> with no auth setting. Wondering if that part might not have been such a good
> change and what anyone else thinks..
> 
I think that these management software applications should join 2016 and start
implementing it and until then it's just two or four minor keywords per user.
But I'm not a heavy user of 3rd party management software.

Also note that the first time I suggested changing the defaults[0] I offered
to help with getting perl's snmp into shape. That offer still stands with the
same caveats. Similar for other open source software that I'm not aware of.

[0] https://marc.info/?l=openbsd-tech&m=157226549212943&w=2
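The thread's practical problem is that a "user" line copied from the old example carries "enc aes" but no "auth", so the algorithm it actually uses is whatever the running snmpd defaults to, and that default moved. The following audit script is an added example, not code from the thread or from OpenBSD: it parses the "user" lines of an snmpd.conf, reports the effective auth/enc algorithm of every user after applying the defaults, and flags lines that rely on a default, lines with no enckey, and the legacy hmac-md5/des combination the proposed "compatuser" line uses. The default values it assumes (hmac-sha256 for auth, aes for enc) are taken from what the thread says about the new defaults, not read from snmpd; pass `auth_default`/`enc_default` to match the version you run. The sample configuration is constructed for the demo.

```python
import shlex
from dataclasses import dataclass, field
from typing import Optional

# Assumed defaults (not read from snmpd): the thread reports that the auth
# default moved to sha2-256 and proposes aes as the enc default. Override these
# via parse_user_line()/audit_config() keyword arguments to match your snmpd.
ASSUMED_AUTH_DEFAULT = "hmac-sha256"
ASSUMED_ENC_DEFAULT = "aes"

# Algorithms the proposed example reserves for a backwards-compatibility user.
LEGACY_AUTH = {"hmac-md5"}
LEGACY_ENC = {"des"}


@dataclass
class UsmUser:
    name: str
    auth: str                 # effective auth algorithm after applying defaults
    enc: Optional[str]        # effective enc algorithm, None when no enckey is set
    auth_explicit: bool       # True when the 'auth' keyword was on the line
    enc_explicit: bool        # True when the 'enc' keyword was on the line
    findings: list = field(default_factory=list)


def parse_user_line(line, auth_default=ASSUMED_AUTH_DEFAULT,
                    enc_default=ASSUMED_ENC_DEFAULT):
    """Parse one snmpd.conf 'user' line into a UsmUser, or return None when the
    line is blank, commented out, or some other directive."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    try:
        toks = shlex.split(stripped)   # honours the double-quoted names and keys
    except ValueError:
        return None
    if len(toks) < 2 or toks[0] != "user":
        return None
    # After 'user "<name>"' the tokens come in keyword/value pairs
    # (authkey, auth, enckey, enc), in any order.
    opts = dict(zip(toks[2::2], toks[3::2]))
    auth_explicit = "auth" in opts
    enc_explicit = "enc" in opts
    has_enckey = "enckey" in opts
    auth = opts.get("auth", auth_default)
    enc = opts.get("enc", enc_default) if has_enckey else None
    user = UsmUser(toks[1], auth, enc, auth_explicit, enc_explicit)

    if not auth_explicit:
        user.findings.append(
            f"auth not set; resolves to {auth} under the assumed default, so a "
            "manager still configured with the old algorithm for this user will "
            "fail authentication")
    if has_enckey and not enc_explicit:
        user.findings.append(f"enc not set; resolves to {enc} under the assumed default")
    if not has_enckey:
        user.findings.append("no enckey: authNoPriv only, SNMP payloads are not encrypted")
    if auth in LEGACY_AUTH:
        user.findings.append(f"legacy auth {auth}: keep only for clients that cannot do SHA-2")
    if enc in LEGACY_ENC:
        user.findings.append(f"legacy enc {enc}: keep only for clients that cannot do AES")
    return user


def audit_config(text, **defaults):
    """Return a UsmUser record for every active 'user' line in an snmpd.conf."""
    users = []
    for line in text.splitlines():
        user = parse_user_line(line, **defaults)
        if user is not None:
            users.append(user)
    return users


# Constructed sample: the old example's user1 line the way people tend to copy
# it (enc set, auth omitted), plus the two users from the proposed new example.
SAMPLE_CONF = """\
# constructed snmpd.conf fragment for the audit demo
system services 74
user "user1" authkey "password123" enc aes enckey "321drowssap"
user "defaultuser" authkey "password123" enckey "321drowssap"
user "compatuser" authkey "password456" auth hmac-md5 enckey "654drowssap" enc des
"""

if __name__ == "__main__":
    for u in audit_config(SAMPLE_CONF):
        print(f'user "{u.name}": auth={u.auth} enc={u.enc}')
        for finding in u.findings:
            print("   -", finding)
```

Run it against a real file with `audit_config(open("/etc/snmpd.conf").read(), auth_default=...)`; the useful output is the list of users whose effective algorithm comes from a default rather than from the line itself, since those are the ones that silently change meaning when snmpd's defaults do.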
