The snmp create user command put this line in my /var/lib/snmp/snmpd.conf

    createUser myuser MD5 "my_password" DES ""

I got in my logs:

    Feb 02 11:44:02 floyd snmpd[1401586]: Error: passphrase chosen is below the length requirements of the USM (min=8).
    Feb 02 11:44:02 floyd snmpd[1401586]: /var/lib/snmp/snmpd.conf: line 53: Error: could not generate the authentication key from the supplied pass phrase.

Yep, empty string is less than 8 characters. Using the create user with an
extra "-X my_password" makes it happy, you'll see the createUser line go and
a usmUser line appear.

Maybe the old tool just assumed if there was no -X it used the -A password
for both?

 - Craig

On Tue, 2 Feb 2021 at 02:22, Justin Cook <jc...@envistacom.com> wrote:

> Hi net-snmp-coders,
>
> I’ve been working on updating the net-snmp version of software we use on
> CentOS 7 to net-snmp 5.9. This is being required because of a
> vulnerability that is known in the NIST vulnerability database. We develop
> our own MIB groups in C and compile them in to source code repos that we
> pull for the site. Everything has worked great for -v2c. We are now trying
> to get this implemented for -v3 and running into major issues. I believe
> this is a configuration issue because running the following command on
> “net-snmp-config --create-snmpv3-user -a MD5 -A myuser12345 myuser” from
> this guide
> <https://www.thegeekdiary.com/centos-rhel-6-install-and-configure-snmpv3/>.
> This creates everything here.
>
> [root@localhost]# net-snmp-config --create-snmpv3-user -a MD5 -A my_password myuser
> adding the following line to /var/net-snmp/snmpd.conf:
>    createUser myuser MD5 "my_password" DES ""
> adding the following line to /snmp/snmpd.conf:
>    rwuser myuser
>
> This appears to be where the issue happens. When I start our compiled
> snmpd binary it seems to overwrite /var/net-snmp/snmpd.conf every time.
> Therefore I can never create our initial snmpv3 users and every time I run
> a snmpwalk I get.
>
> [evcLinuxAdmin@localhost ~]$ snmpwalk -v3 -u myuser -l authNoPriv -a MD5 -A my_ password localhost
> snmpwalk: Unknown user name
>
> I’ve stepped back and stripped all our C mib-group code from the build to
> keep it all repo only code. I did this to ensure it’s not us. Running into
> the same issue there I dropped back to run on the yum installed net-snmp
> version that is known to our yum repo created the user again following the
> guide from above.
>
> [user@localhost ~]$ /usr/sbin/snmpd --version
>
> NET-SNMP version: 5.7.2
> Web: http://www.net-snmp.org/
> Email: net-snmp-coders@lists.sourceforge.net
>
> [root]# net-snmp-config --create-snmpv3-user -a MD5 -A my_password myuser
> adding the following line to /var/net-snmp/snmpd.conf:
>    createUser myuser MD5 "my_password" DES ""
> adding the following line to /snmp/snmpd.conf:
>    rwuser myuser
>
> Then I started the snmp service
>
> [---@localhost ~]$ service snmpd start
> Redirecting to /bin/systemctl start snmpd.service
> ==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
> Authentication is required to manage system services or units.
> Authenticating as:
> Password:
> ==== AUTHENTICATION COMPLETE ===
> [---@localhost ~]$
>
> Now that the system is running my snmpwalk command works for -v3
>
> snmpwalk -v3 -u myuser -l authNoPriv -a MD5 -A my_password localhost
>
> I was also able to use the snmpusm command to create additional users.
> When using this on the 5.9 repo all I get is user not found.
>
> Jumping back to the 5.9 binary build I know the following
>
> sudo snmpd -Dread_config -H 2>&1 | grep Read | sort -u
> [sudo] password for evcLinuxAdmin:
> read_config:file: Reading configuration /etc/snmp/snmpd.conf (0)
> read_config:file: Reading configuration /etc/snmp/snmpd.conf (1)
>    --> This file has my rwuser myuser
> read_config:file: Reading configuration /var/lib/net-snmp/snmpd.conf (0)
> read_config:file: Reading configuration /var/lib/net-snmp/snmpd.conf (1)
>    --> I manually added the create user info to this file for myuser and
>    it doesn’t seem to be picking it up.
>
> [evcLinuxAdmin@localhost ~]$ snmpd -Dread_config -H 2>&1 | grep config:path | sort -u
> read_config:path: config path used for agentx:/usr/local/etc/snmp:/usr/local/share/snmp:/usr/local/lib/snmp:/home/evcLinuxAdmin/.snmp (persistent path:/var/net-snmp)
> read_config:path: config path used for agentx:/var/net-snmp (persistent path:/var/net-snmp)
>    --> This is where everything was originally created but deleted when
>    snmpd starts.
> read_config:path: config path used for snmpd:/usr/local/etc/snmp:/usr/local/share/snmp:/usr/local/lib/snmp:/home/evcLinuxAdmin/.snmp (persistent path:/var/net-snmp)
> read_config:path: config path used for snmpd:/var/net-snmp (persistent path:/var/net-snmp)
> read_config:path: config path used for snmp:/usr/local/etc/snmp:/usr/local/share/snmp:/usr/local/lib/snmp:/home/evcLinuxAdmin/.snmp (persistent path:/var/net-snmp)
> read_config:path: config path used for snmp:/var/net-snmp (persistent path:/var/net-snmp)
>
> At this point I think it’s a configuration parameter but I don’t see
> anything that would affect or cause this behavior. I didn’t see anything
> in the change log to suggest 5.9 was changed from 5.7. Any help you can
> provide would be helpful as this is needed to meet a customer deliverable.
> Perhaps there is a clear document out there because I have been all over
> the net-snmp provided documents and nothing was found to solve my problem.
>
> Thanks
> Justin
>
> --- CONFIDENTIALITY NOTICE: This email and any attachments are for the
> exclusive and confidential use of the intended recipient. If you are not
> the intended recipient, please do not read, distribute or take action in
> reliance upon this message. If you have received this in error, please
> notify us immediately by return email and promptly delete this message and
> its attachments from your computer system.
> _______________________________________________
> Net-snmp-coders mailing list
> Net-snmp-coders@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
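
Added example (not part of the thread and not net-snmp code): a small pre-flight check that scans snmpd.conf text for createUser lines whose passphrases would trip the "min=8" USM error quoted above, treating an explicit "" privacy passphrase differently from an omitted one. The function names and sample lines are constructed for illustration; tokenising with shlex only approximates snmpd's own parser, and the rule that an omitted privacy passphrase reuses the authentication passphrase is taken from snmpd.conf(5).

```python
import shlex

USM_MIN_PASSPHRASE = 8  # "min=8" in the snmpd log message quoted in the thread

# Constructed sample; line 1 is the line net-snmp-config wrote in the thread.
SAMPLE_CONF = '''\
createUser myuser MD5 "my_password" DES ""
createUser user2 SHA "another_secret" AES
createUser user3 SHA "short" AES "long_enough_priv"
rwuser myuser
'''

def check_create_user(line):
    """Return a list of problems for one createUser line (empty list = OK)."""
    tokens = shlex.split(line, comments=True)
    if not tokens or tokens[0].lower() != "createuser":
        return []
    args = tokens[1:]
    if len(args) >= 2 and args[0] == "-e":  # optional "-e ENGINEID" prefix
        args = args[2:]
    if len(args) < 3:
        return []  # no authentication passphrase present to check
    user, _auth_proto, auth_pass = args[:3]
    problems = []
    if len(auth_pass) < USM_MIN_PASSPHRASE:
        problems.append(f"{user}: auth passphrase shorter than {USM_MIN_PASSPHRASE}")
    # Five or more arguments: a privacy passphrase is written out explicitly,
    # even if it is "". Four arguments: protocol only, so the authentication
    # passphrase is reused and the check above already covers it.
    if len(args) >= 5 and len(args[4]) < USM_MIN_PASSPHRASE:
        problems.append(f"{user}: priv passphrase shorter than {USM_MIN_PASSPHRASE}")
    return problems

def lint(conf_text):
    """Check every line; return {line_number: [problems]} for failing lines."""
    report = {}
    for number, line in enumerate(conf_text.splitlines(), start=1):
        problems = check_create_user(line)
        if problems:
            report[number] = problems
    return report

if __name__ == "__main__":
    for number, problems in lint(SAMPLE_CONF).items():
        for problem in problems:
            print(f"line {number}: {problem}")
```
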