On 2021/08/11 19:34, Martijn van Duren wrote:
> On Wed, 2021-08-11 at 18:03 +0100, Stuart Henderson wrote:
> > On 2021/08/11 16:35, Martijn van Duren wrote:
> > > Following snmpd, remove the public default community and move to snmpv3
> > > by default. This is also what net-snmp does. I originally chose this
> > > default because that's what snmpctl did and it allowed for easier
> > > interoperability with snmpd(8).
> > 
> > v3 by default makes sense to me.
> > 
> > I'm not sure how much it buys to remove the default community in snmp(1),
> > though, there doesn't seem a lot of benefit to removing it?
> 
> My reasoning being that having public as the default in snmp(1)
> might encourage users to set public in snmpd(8) as well, which is what
> we tried to discourage.

Hmm maybe. I won't object to that.

> And it's easy enough to do something like
> alias snmp_get="snmp get -v2c -ccommunity"
> in .profile for interactive use

and walk, bulkwalk, df, [...]

FWIW I have this for now.

-----
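#!/bin/ksh
# Wrapper around snmp(1) that supplies the SNMPv3 options itself.
# Needs a subcommand plus at least one further argument; otherwise
# print snmp's usage text under this script's name.
if [[ -z $2 ]]; then
        /usr/bin/snmp 2>&1 | sed "s/snmp/$(basename "$0")/" >&2
        exit 1
fi
cmd=$1
shift
# "$@" keeps arguments containing whitespace intact.
exec /usr/bin/snmp "$cmd" -v 3 -l authPriv -u xxx [etc] "$@"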
-----

> and in scripts you always want to be
> explicit with such parameters.

Maybe. I do quite like keeping the secrets out of ps/top though.

While I'm thinking about it, thoughts on this?

Index: snmpd.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/snmpd/snmpd.conf.5,v
retrieving revision 1.56
diff -u -p -r1.56 snmpd.conf.5
--- snmpd.conf.5        10 Aug 2021 07:53:57 -0000      1.56
+++ snmpd.conf.5        11 Aug 2021 17:57:53 -0000
@@ -402,12 +402,13 @@ Example configuration file.
 .Sh EXAMPLES
 The following example will tell
 .Xr snmpd 8
-to listen on localhost for SNMPv2c messages only with the public community,
-override the default system OID, set the magic services value and provides some
-custom OID values:
+to listen on localhost for SNMPv2c messages only with the community
+.Dq 8LHQtm1QLGzk ,
+override the default system OID, set the magic services value,
+and provide some custom OID values:
 .Bd -literal -offset indent
 listen on 127.0.0.1 snmpv2c
-read-only community public
+read-only community 8LHQtm1QLGzk
 
 system oid 1.3.6.1.4.1.30155.23.2
 system services 74
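
Review bot: the replacement community string 8LHQtm1QLGzk in the EXAMPLES block is a fixed literal, so anyone who copies the example verbatim ends up with a value that is published in the man page, which is the same problem as `public`. Consider adding a sentence after the example telling readers to pick their own string, or using an obviously placeholder value, and keep the `.Dq` line and the `read-only community` line in sync if the value changes.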
