Index: current.html
===================================================================
RCS file: /cvs/www/faq/current.html,v
retrieving revision 1.1071
diff -u -p -r1.1071 current.html
--- current.html        26 May 2021 12:12:58 -0000      1.1071
+++ current.html        20 Jun 2021 11:58:05 -0000
@@ -65,6 +65,36 @@ to update /etc/raddb/mods-available/eap 
 lines.
 
 
+<h3 id="r20210620">2021/06/20 - snmpd authentication changes</h3>
+
+Default authentication settings in <a
+href="https://man.openbsd.org/snmpd";>snmpd(8)</a> have been tightened.
+You may need to adjust
+<a href="https://man.openbsd.org/snmpd.conf.5";>snmpd.conf(5)</a> and/or
+configuration of your SNMP management stations.
+Preferably use SNMPv3 with AES/SHA-256 or better.<p>
+
+For SNMPv1/v2c, previously it responded to requests for communities named
+"public" or "private" unless alternative communities were set; this has
+changed so that there are no default communities.
+If you would like it to continue to respond to the community named "public"
+then set <code>read-only community public</code> (do not use this if the
+service is accessible from the internet; UDP SNMP with insecure
+authentication is a potent packet amplifier). <code>read-write
+disabled</code> has been removed as this is now the default.<p>
+
+For SNMPv3, previously it responded to SNMPv3 "noAuthNoPriv" requests
+(without authentication) unless "seclevel" was used.
+This has changed to requiring authentication and encryption by
+default.
+If you would like it to continue to respond without authentication,
+set <code>seclevel none</code>.
+If you would like it to respond with authentication but without
+requiring encryption, set <code>seclevel auth</code>.
+The default authentication has changed to <code>hmac-sha256</code>
+and the default encryption to <code>AES</code>.
+
+
 <!--
      Two blank lines before new sections.
      New sentences start on new lines.
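
Review bot: the SNMPv3 paragraph suggests <code>seclevel none</code> to keep answering unauthenticated requests but carries no caveat, while the SNMPv1/v2c paragraph explicitly warns against exposing the "public" community to the internet because of packet amplification. Consider adding a matching parenthetical after "set <code>seclevel none</code>." so readers who re-enable noAuthNoPriv get the same guidance. Two style points in the same hunk: the sentence beginning "<code>read-write disabled</code> has been removed" starts mid-line after "packet amplifier).", which conflicts with the file's own "New sentences start on new lines" comment, and the snmpd(8) link has no section suffix while the snmpd.conf(5) link uses "snmpd.conf.5".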
