Hi Robert,
I checked Wes's theory and 'YES', it is defaulting to 'auth' when no explicit
mandate for encryption is given.
In the vacm_create_simple() function, the code below defaults to 'auth' when
the 'priv' token is not explicitly mentioned.
    if (cp && *cp)
        cp = copy_nword(cp, authlevel, sizeof(authlevel));
    else
        strcpy(authlevel, "auth");
Regards,
Madhu
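
A configuration check that follows from the default quoted above, added here as an example and not taken from this thread or from Net-SNMP's source: it reads snmpd.conf-style rouser/rwuser lines and reports those whose minimum level is not priv. next_word() is a simplified stand-in for copy_nword(), the sample lines and user names are constructed, and only the level tokens noauth, auth and priv are assumed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Copy the next whitespace-delimited token into out and return the position
 * after it. Simplified stand-in for Net-SNMP's copy_nword() (no quoting). */
static const char *next_word(const char *p, char *out, size_t n)
{
    size_t i = 0;
    while (isspace((unsigned char)*p)) p++;
    for (; *p && !isspace((unsigned char)*p); p++)
        if (i + 1 < n) out[i++] = *p;
    out[i] = '\0';
    return p;
}

/* For a "rouser"/"rwuser" line, write the effective minimum security level
 * into level and return 1; return 0 for any other line. */
int effective_level(const char *line, char *level, size_t n)
{
    char tok[64];
    const char *p = next_word(line, tok, sizeof tok);
    if (strcmp(tok, "rouser") != 0 && strcmp(tok, "rwuser") != 0)
        return 0;
    p = next_word(p, tok, sizeof tok);             /* user name, or "-s" */
    if (strcmp(tok, "-s") == 0)                    /* skip "-s SECMODEL USER" */
        p = next_word(next_word(p, tok, sizeof tok), tok, sizeof tok);
    next_word(p, tok, sizeof tok);                 /* optional level token */
    /* Same default as the snippet quoted above: no token means "auth". */
    snprintf(level, n, "%s", tok[0] ? tok : "auth");
    return 1;
}

/* 1 if the line grants access without requiring encryption ("priv"). */
int allows_unencrypted(const char *line)
{
    char level[64];
    return effective_level(line, level, sizeof level) && strcmp(level, "priv") != 0;
}

int main(void)
{
    /* Constructed snmpd.conf lines; the user names are made up. */
    const char *conf[] = { "rwuser alice", "rouser bob priv", "syslocation lab" };
    for (size_t i = 0; i < sizeof(conf) / sizeof(conf[0]); i++)
        printf("%-16s -> %s\n", conf[i],
               allows_unencrypted(conf[i]) ? "encryption not required" : "ok");
    return 0;
}
```
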
-----Original Message-----
From: NetSNMP Mailbox <[email protected]> On Behalf Of Robert Story
Sent: Saturday, January 19, 2019 4:53 AM
To: Madhusudhana R <[email protected]>
Cc: [email protected]
Subject: Re: Netsnmpv5.8 possible security flaw
Hi Madhusudhana,
Did you go back and confirm Wes' theory? Did you see an authPriv request which
failed, followed by an auth request that succeeded?
Robert
On Wed, 9 Jan 2019 04:19:28 +0000 Madhusudhana wrote:
MR> Thanks Wes.
MR>
MR> -----Original Message-----
MR> From: Wes Hardaker [mailto:[email protected]]
MR> Sent: Tuesday, January 08, 2019 10:08 PM
MR>
MR> Madhusudhana R <[email protected]> writes:
MR>
MR> > Can you please let me know whether this feature is added newly in
MR> > v5.8 or it was an existing feature in v5.7.3 ?
MR> > If it is a new feature in v5.8, is there a way to toggle some
MR> > MACRO value to make sure a user with authpriv protocol will
MR> > always respond in an encrypted way?
MR>
MR> It's not new at all; that behavior has been around since the
MR> creation of the SNMPv3 code within Net-SNMP (which at the time was
MR> called UCD-SNMP, showing how old this concept is). At the time,
MR> encryption wasn't even possible for everyone deploying the code (and
MR> the only encryption supported was DES). The world tended to also
MR> believe that authentication (ensuring packets weren't modified) was
MR> a "must have" but encryption was merely a "would be nice if you
MR> could, but it's not critical".
_______________________________________________
Net-snmp-coders mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders