On Wed, 2021-08-11 at 18:59 +0100, Stuart Henderson wrote:
> On 2021/08/11 19:34, Martijn van Duren wrote:
> > On Wed, 2021-08-11 at 18:03 +0100, Stuart Henderson wrote:
> > > On 2021/08/11 16:35, Martijn van Duren wrote:
> > > > Following snmpd, remove the public default community and move to snmpv3
> > > > by default. This is also what net-snmp does. I originally chose this
> > > > default because that's what snmpctl did and it allowed for easier
> > > > interoperability with snmpd(8).
> > >
> > > v3 by default makes sense to me.
> > >
> > > I'm not sure how much it buys to remove the default community in snmp(1),
> > > though, there doesn't seem a lot of benefit to removing it?
> >
> > My reasoning being that having public as the default in snmp(1)
> > might encourage users to set public in snmpd(8) as well, which is what
> > we tried to discourage.
>
> Hmm maybe. I won't object to that.
>
> > > And it's easy enough to do something like
> > > alias snmp_get="snmp get -v2c -ccommunity"
> > > in .profile for interactive use
> >
> > and walk, bulkwalk, df, [...]
>
> FWIW I have this for now.
>
> -----
> #!/bin/ksh
> if [[ -z $2 ]]; then
> 	/usr/bin/snmp 2>&1 | sed "s/snmp/`basename $0`/" >&2
> 	exit 1
> fi
> cmd=$1
> shift
> exec /usr/bin/snmp $cmd -v 3 -l authPriv -u xxx [etc] $*
> -----
>
> > > and in scripts you always want to be
> > > explicit with such parameters.
> >
> > Maybe. I do quite like keeping the secrets out of ps/top though.
>
> While I'm thinking about it, thoughts on this?
No objection from me. OK martijn@ > > Index: snmpd.conf.5 > =================================================================== > RCS file: /cvs/src/usr.sbin/snmpd/snmpd.conf.5,v > retrieving revision 1.56 > diff -u -p -r1.56 snmpd.conf.5 > --- snmpd.conf.5 10 Aug 2021 07:53:57 -0000 1.56 > +++ snmpd.conf.5 11 Aug 2021 17:57:53 -0000 > @@ -402,12 +402,13 @@ Example configuration file. > .Sh EXAMPLES > The following example will tell > .Xr snmpd 8 > -to listen on localhost for SNMPv2c messages only with the public community, > -override the default system OID, set the magic services value and provides > some > -custom OID values: > +to listen on localhost for SNMPv2c messages only with the community > +.Dq 8LHQtm1QLGzk , > +override the default system OID, set the magic services value, > +and provide some custom OID values: > .Bd -literal -offset indent > listen on 127.0.0.1 snmpv2c > -read-only community public > +read-only community 8LHQtm1QLGzk > > system oid 1.3.6.1.4.1.30155.23.2 > system services 74 >
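Review bot: the hunk drops the well-known "public" community from the EXAMPLES block, but manual page examples get pasted into live configs as-is, so the new text should say that 8LHQtm1QLGzk is itself only a sample to be replaced with a locally generated string; one sentence after "and provide some custom OID values:" would do. Worth noting in the same breath that the example keeps "listen on 127.0.0.1 snmpv2c", which is what actually bounds exposure of whatever community ends up in the file. The ".Dq 8LHQtm1QLGzk ," form for trailing punctuation and the "provides" to "provide" fix look right.

As an added example in the spirit of the change (this is not code from the thread, from snmpd or from snmp(1)), a small sh audit that flags the two settings the diff takes out of the manual page example, a well-known community and a v1/v2c listener not bound to loopback, and rewrites a weak community into a freshly generated one. The configs it checks are constructed here; the check only judges listen lines that name snmpv1 or snmpv2c explicitly.

```shell
#!/bin/sh
# Added example, not part of the thread or of snmpd(8): audit an snmpd.conf(5)
# read on stdin for a "public"/"private" community and for v1/v2c listeners
# that are not bound to loopback, and rewrite a weak community line.

# Constructed sample: the pre-diff manual page example plus an exposed listener.
weak_conf='listen on 127.0.0.1 snmpv2c
listen on 192.0.2.10 snmpv2c
read-only community public
system oid 1.3.6.1.4.1.30155.23.2
system services 74'

# Constructed sample in the shape of the post-diff example.
ok_conf='listen on 127.0.0.1 snmpv2c
read-only community 8LHQtm1QLGzk
system oid 1.3.6.1.4.1.30155.23.2
system services 74'

# Succeeds (exit 0) when no read-only/read-write line uses a well-known community.
check_community() {
    ! grep -Eq \
      '^[[:space:]]*read-(only|write)[[:space:]]+community[[:space:]]+(public|private)([[:space:]]|$)'
}

# Succeeds when every listener that explicitly enables snmpv1/snmpv2c is bound
# to 127.0.0.0/8 or ::1; listeners without a version keyword are not judged.
check_v2c_listeners() {
    awk '/^[[:space:]]*listen[[:space:]]+on[[:space:]]/ && /snmpv(1|2c)/ &&
         $3 !~ /^(127\.|::1$)/ { bad++ }
         END { exit bad > 0 }'
}

# Prints 18 hex characters from /dev/urandom using POSIX od(1), so it also
# runs on OpenBSD; store the result in snmpd.conf and in the poller only.
new_community() {
    od -An -N9 -tx1 /dev/urandom | tr -d ' \n'
}

# Rewrites community lines that use "public"/"private" to the string in $1.
replace_weak_community() {
    sed -E "s/^([[:space:]]*read-(only|write)[[:space:]]+community[[:space:]]+)(public|private)([[:space:]]*)$/\1$1\4/"
}

# Demo when run directly: report on the weak sample and show the rewritten line.
printf '%s\n' "$weak_conf" | check_community || echo 'weak community found'
printf '%s\n' "$weak_conf" | check_v2c_listeners || echo 'v2c listener exposed beyond loopback'
printf '%s\n' "$weak_conf" | replace_weak_community "$(new_community)" | grep community
```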
