On 2021/08/08 10:05, Martijn van Duren wrote: > > +++ etc/examples/snmpd.conf 7 Aug 2021 21:45:44 -0000 > > @@ -1,24 +1,26 @@ > > # $OpenBSD: snmpd.conf,v 1.1 2014/07/11 21:20:10 deraadt Exp $ > > > > -listen_addr="127.0.0.1" > > +# Default is to listen to all addresses for SNMPv3 only; "listen on" > > +# can be used multiple times. See snmpd.conf(5) for more options. > > +#listen on 0.0.0.0 snmpv2c # All IPv4 addresses with SNMPv2c > > +#listen on :: snmpv2c snmpv3 # All IPv6 addresses, both v2c + v3 > > +#listen on 127.0.0.1 # IPv4 localhost only, v3 > > This is probably a bad example. > Reading it like this: you're correct that we listen on all interfaces > by default, but that's not listed in snmpd.conf(5). So that should > probably be fixed (including mentioning that setting one "listen on" > disables the all interfaces default).
Let's handle that separately. (it would be convenient to support "any" to mean any v4+v6 as well). > Second, your examples enable snmpv2c on all interfaces, while you > enable an implicit snmpv3 on 127.0.0.1. This should probably be the I wasn't intending that they should all be uncommented at once, just showing some common options. And actually it seems snmpd doesn't allow listening to 0.0.0.0 as well as a specific v4 address (and similarly for :: and v6) so while it's a convenient idea to allow v2c on localhost for quick testing while using v3 for external traffic, it doesn't actually work. > other way around, or replace 127.0.0.1 with something like > "listen on 192.168.0.2 snmpv2c" to map with source-address by trap > receiver. And an additional > "listen on 0.0.0.0 > listen on ::" > to make it clear that snmpv2c should only be enabled on internal > networks, but snmpv3 is less of a problem. For users who haven't got round to figuring out SNMPv3 yet, they'll need to know how to listen with v2c, so I think that's still going to be quite a common use case. Hence including that specifically. > > -# Specify a number of trap receivers > > -#trap receiver nms.localdomain.local > > +# Enable SNMPv3 USM with authentication, encryption and two defined users > > This sentence feels wrong, it is enabled by default. > Also, since we only enable SNMPv3 by default, maybe also make it > clear that at least one user should be created? Something like: > # SNMPv3 USM users. At least one user should be created to use SNMPv3. > > +#seclevel enc > > This is the default and if we would ever change this default back (I > can't imagine we ever will, but who knows) it still wouldn't break. > So maybe just leave seclevel out of the example, or show how to use > it for e.g. authNoPriv. Makes sense. Let's leave it out for simplicity. 
> > +#user "user1" auth hmac-sha1 authkey "password123" enc aes enckey > > "321drowssap" > > +#user "user2" auth hmac-sha256 authkey "password456" enc aes enckey > > "654drowssap" > > + > > +# Specify one or more trap receivers with optional parameters > > +#trap receiver nms.localdomain.local community PAV9kpE02gDPvAi > > source-address 192.0.2.1 > > At this time (with future additions in mind) I think that oid would be > more useful than source-address. > One example I can think of that could be possible if I manage to get > agentx back up and running and we add agentx support to vmd (I have a > working PoC). Mischa could send traps to individual users for > OpenBSD.amsterdam. Just a random example that's top of my mind, not > claiming any realism. I'll skip source-address in the trap receiver example then. When trap does something more than it does now we could add oid in if it's going to be useful to more than just niche users. (fwiw the traps that I'd find most useful internal to snmpd are interface up/down; and with external hooks traps for bgp peers dropping out would be pretty great). > > # Adjust the local system information > > #system contact "Charlie Root (r...@myhost.example.com)" > > #system description "Powered by OpenBSD" > > #system location "Rack A1-24, Room 13" > > -system services 74 > > > > -# Provide static user-defined SNMP OIDs > > -oid 1.3.6.1.4.1.30155.42.3.1 name testStringValue read-only string "Test" > > -oid 1.3.6.1.4.1.30155.42.3.4 name testIntValue read-write integer 1 > > I fully agree that these should go. 
This whole oid keyword is just > clutch (limited data types, assuming an oid should be turned into a > scalar by appending a zero) > > - > > -# Enable SNMPv3 USM with authentication, encryption and two defined users > > -#seclevel enc > > -#user "user1" authkey "password123" enc aes enckey "321drowssap" > > -#user "user2" authkey "password456" enckey "654drowssap" > > +# Required by some management software > > +#system services 74 > > Maybe you can explain how admins can change the value to something > correct for their environment? :-) > Or maybe we should add something like > system services physical|datalink|internet|endtoend|applications > to parse.y and let snmpd(8) create the correct integer. > > In general I do like the cleanup of this file. Thanks. I think services was mostly actually used for people adding openbsd to the hp management thingy when Reyk was making firewall service modules for procurve zl switches. Maybe it could even be set by default. In any event it's pretty irrelevant for people pointing mrtg/librenms/ cacti/icinga or whatever at snmpd which seem to be more likely. > > retrieving revision 1.50 > > diff -u -p -r1.50 snmpd.conf.5 > > --- usr.sbin/snmpd/snmpd.conf.5 20 Jun 2021 19:59:42 -0000 1.50 > > +++ usr.sbin/snmpd/snmpd.conf.5 7 Aug 2021 21:45:44 -0000 > > @@ -207,6 +207,7 @@ system may provide. > > Refer to the > > .Ar sysServices > > description in the SNMP MIB for details. > > +The value is given in decimal. > > This should be a separate commit. OK for this one. > Or, if you feel like I should implement my suggestion above let me know > and I can cook something up. TBH I think not really worth the hassle. > > .\"XXX describe the complicated services alg here > > .It Ic trap community Ar string > > Specify the name of the trap community. 
> > @@ -279,7 +280,7 @@ must be either > > or > > .Ic hmac-sha512 . > > If omitted the default is > > -.Ic hmac-sha256 . > > +.Ic hmac-sha1 . > > On Sat, 2021-08-07 at 07:40 -0600, Theo de Raadt wrote: > > Yes, probably hmac-md5 > > > .Pp > > With > > .Ic enckey > > @@ -345,17 +346,14 @@ oid 1.3.6.1.4.1.30155.42.2 name myStatus > > .Pp > > The next example will enforce SNMPv3 with authenticated and encrypted > > communication and the user-based security model. > > -The configuration defines two users, > > -the first one is using the > > -.Ic aes > > -encryption algorithm and the second one the default > > -.Ic des > > -algorithm. > > +The configuration defines several users using varying encryption and > > +authentication algorithms. > > .Bd -literal -offset indent > > seclevel enc > > > > -user "hans" authkey "password123" enc aes enckey "321drowssap" > > -user "sophie" authkey "password456" enc des enckey "654drowssap" > > +user "mgmt" auth hmac-sha256 authkey "password123" enc aes enckey > > "321drowssap" > > +user "hans" auth hmac-sha authkey "password456" enc aes enckey > > "654drowssap" > > hmac-sha1 Thanks. > > +user "sophie" auth hmac-md5 authkey "password789" enc des enckey > > "987drowssap" > > .Ed > > .Sh SEE ALSO > > .Xr snmp 1 , > > Index: usr.sbin/snmpd/snmpd.h > > =================================================================== > > RCS file: /cvs/src/usr.sbin/snmpd/snmpd.h,v > > retrieving revision 1.97 > > diff -u -p -r1.97 snmpd.h > > --- usr.sbin/snmpd/snmpd.h 20 Jun 2021 19:59:42 -0000 1.97 > > +++ usr.sbin/snmpd/snmpd.h 7 Aug 2021 21:45:44 -0000 
> > @@ -529,7 +529,7 @@ enum usmauth { > > AUTH_SHA512 /* usmHMAC384SHA512AuthProtocol. RFC7860 */ > > }; > > > > -#define AUTH_DEFAULT AUTH_SHA256 /* Default digest */ > > +#define AUTH_DEFAULT AUTH_SHA1 /* Default digest */ > > > > enum usmpriv { > > PRIV_NONE = 0, > > Index: usr.bin/snmp/snmp.1 > > =================================================================== > > RCS file: /cvs/src/usr.bin/snmp/snmp.1,v > > retrieving revision 1.18 > > diff -u -p -r1.18 snmp.1 > > --- usr.bin/snmp/snmp.1 20 Jun 2021 20:02:14 -0000 1.18 > > +++ usr.bin/snmp/snmp.1 7 Aug 2021 21:45:44 -0000 > > @@ -197,7 +197,7 @@ Options are > > or > > .Cm SHA-512 . > > This option defaults to > > -.Cm SHA-256 . > > +.Cm SHA . > > This option is only used by > > .Fl v Cm 3 . > > .It Fl C Ar appopt > > Index: usr.bin/snmp/snmpc.c > > =================================================================== > > RCS file: /cvs/src/usr.bin/snmp/snmpc.c,v > > retrieving revision 1.34 > > diff -u -p -r1.34 snmpc.c > > --- usr.bin/snmp/snmpc.c 20 Jun 2021 20:02:14 -0000 1.34 > > +++ usr.bin/snmp/snmpc.c 7 Aug 2021 21:45:44 -0000 > > @@ -476,7 +476,7 @@ main(int argc, char *argv[]) > > err(1, "usm_init"); > > if (seclevel & SNMP_MSGFLAG_AUTH) { > > if (md == NULL) > > - md = EVP_sha256(); > > + md = EVP_sha1(); > > if (authkey == NULL) > > errx(1, "No authKey or authPassword > > specified"); > > if (usm_setauth(sec, md, authkey, authkeylen, > > > > [0] https://marc.info/?l=openbsd-tech&m=162741422419165&w=2 > I've committed with some improvements to examples/snmpd.conf, happy to discuss any more changes on top.
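Review bot: in the etc/examples/snmpd.conf hunk (@@ -1,24 +1,26 @@), the three commented `listen on` lines read as a set that can be uncommented together, but as the thread establishes a wildcard `0.0.0.0` or `::` listener cannot be combined with a specific address of the same family, so the comment should say they are alternatives; and since `#listen on 0.0.0.0 snmpv2c` is the line most users will uncomment, put the point that SNMPv2c is community-string authentication suitable only for internal networks right next to it, rather than leaving that to snmpd.conf(5). The `# Default is to listen to all addresses for SNMPv3 only` comment also states a default that snmpd.conf(5) does not yet describe; document it there (or in the same commit) so the example and the manual agree. The two `#user` lines ship literal passphrases (`"password123"`, `"321drowssap"`); a short comment that these must be replaced would avoid copy-paste deployments.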
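Review bot: in the snmpd.conf.5 hunk at @@ -279,7 +280,7 @@, the documented default moves from `.Ic hmac-sha256` to `.Ic hmac-sha1` (with hmac-md5 floated in the thread as an even likelier choice) without stating why; since this is a downgrade of the default digest, the commit message and the man page should give the rationale (interoperability with other SNMPv3 implementations) and add one sentence recommending that `auth` always be set explicitly so a configuration does not depend on whichever default is current.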
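Review bot: in the snmpd.conf.5 hunk at @@ -345,17 +346,14 @@, `user "hans" auth hmac-sha authkey ...` uses a keyword spelled unlike the others in the same example (`hmac-sha256`, `hmac-md5`); as already noted it should be `hmac-sha1`. The `sophie` line combines `hmac-md5` with `enc des`, the weakest of the available pairings; since the surrounding text now says only that the users use "varying encryption and authentication algorithms", add a clause that those two are shown for interoperability with older managers and that `hmac-sha256`/`aes` as on the `mgmt` line is the one to copy.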
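Review bot: in the snmpd.h hunk (@@ -529,7 +529,7 @@), `AUTH_DEFAULT` is what a `user` line without an `auth` keyword resolves to, and the old examples/snmpd.conf removed in this same diff wrote users exactly that way (`-#user "user1" authkey "password123" enc aes enckey "321drowssap"`), so any existing configuration that copied it will silently switch from SHA-256 to SHA-1 on upgrade and stop authenticating against managers still configured for SHA-256. Call that out in the commit message and upgrade notes, since nothing in the daemon will report the mismatch as anything but an authentication failure.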
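Review bot: in the snmpc.c hunk (@@ -476,7 +476,7 @@), `md = EVP_sha1();` and `#define AUTH_DEFAULT AUTH_SHA1` in snmpd.h are two independent copies of the same default with nothing tying them together; this diff changes both in step, but the next change to one will silently leave snmp(1) and snmpd(8) disagreeing on the digest used when none is given, so add a comment at each site pointing at the other (and at the snmp.1 `.Cm SHA .` text), which is the minimum that keeps the three in sync.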
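To check an existing configuration against the points raised in this thread (users written without an explicit `auth`, which the default change above affects; `hmac-md5`/`hmac-sha1` or `des`; short passphrases; SNMPv2c on a wildcard listener), here is an added Python checker that is not part of the OpenBSD tree; the snmpd.conf fragment it scans is constructed for the example, and the 8-character floor is the USM passphrase minimum from RFC 3414.

```python
import shlex

# Constructed sample in snmpd.conf(5) syntax (not the committed examples file).
SAMPLE_CONF = """\
listen on 0.0.0.0 snmpv2c
listen on :: snmpv3
seclevel enc
user "legacy" authkey "password123" enc aes enckey "321drowssap"
user "mgmt" auth hmac-sha256 authkey "password456" enc aes enckey "654drowssap"
user "old" auth hmac-md5 authkey "short" enc des enckey "654drowssap"
trap receiver nms.localdomain.local community PAV9kpE02gDPvAi
"""

WEAK_AUTH = {"hmac-md5", "hmac-sha1"}   # accepted, but weaker than hmac-sha256
WEAK_ENC = {"des"}
WILDCARD = {"0.0.0.0", "::"}


def audit_snmpd_conf(text):
    """Return (line_no, finding) pairs for settings that deserve a second look."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        tok = shlex.split(line)                   # honours the quoted strings
        if tok[:2] == ["listen", "on"] and len(tok) > 3:
            # v2c is community-string authentication in cleartext; flag it on a wildcard.
            if tok[2] in WILDCARD and "snmpv2c" in tok[3:]:
                findings.append((no, "SNMPv2c (cleartext community) on wildcard %s" % tok[2]))
        elif tok[0] == "user" and len(tok) > 2:
            name = tok[1]
            kv = dict(zip(tok[2::2], tok[3::2]))  # keyword/value pairs after the name
            if "auth" not in kv:
                # Digest is whatever AUTH_DEFAULT is in this release; it changed in this diff.
                findings.append((no, "user %s omits auth: digest depends on AUTH_DEFAULT" % name))
            elif kv["auth"] in WEAK_AUTH:
                findings.append((no, "user %s uses %s; prefer hmac-sha256 or stronger" % (name, kv["auth"])))
            if kv.get("enc") in WEAK_ENC:
                findings.append((no, "user %s uses des; prefer aes" % name))
            for key in ("authkey", "enckey"):
                if key in kv and len(kv[key]) < 8:   # RFC 3414 passphrase minimum
                    findings.append((no, "user %s %s shorter than 8 characters" % (name, key)))
    return findings


if __name__ == "__main__":
    for no, msg in audit_snmpd_conf(SAMPLE_CONF):
        print("line %d: %s" % (no, msg))
```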