The snmp create user command put this line in my /var/lib/snmp/snmpd.conf:
createUser myuser MD5 "my_password" DES ""

I got in my logs:
Feb 02 11:44:02 floyd snmpd[1401586]: Error: passphrase chosen is below the length requirements of the USM (min=8).
Feb 02 11:44:02 floyd snmpd[1401586]: /var/lib/snmp/snmpd.conf: line 53: Error: could not generate the authentication key from the supplied pass phrase.

Yep, empty string is less than 8 characters.

Using the create user with an extra "-X my_password" makes it happy; you'll
see the createUser line go and a usmUser line appear.

Maybe the old tool just assumed if there was no -X it used the -A password
for both?

 - Craig

On Tue, 2 Feb 2021 at 02:22, Justin Cook <jc...@envistacom.com> wrote:

> Hi net-snmp-coders,
>
>
>
> I’ve been working on updating the net-snmp version of software we use on
> CentOS 7 to net-snmp 5.9.  This is being required because of a
> vulnerability that is known in the NIST vulnerability database. We develop
> our own MIB groups in C and compile them in to source code repos that we
> pull for the site.  Everything has worked great for -v2c. We are now trying
> to get this implemented for -v3 and running into major issues.  I believe
> this is a configuration issue because running the following command on
> “net-snmp-config --create-snmpv3-user -a MD5 -A myuser12345 myuser”  from
> this guide
> <https://www.thegeekdiary.com/centos-rhel-6-install-and-configure-snmpv3/>.
> This creates everything here.
>
>
>
> [root@localhost]# net-snmp-config --create-snmpv3-user -a MD5 -A
> my_password myuser
>
> adding the following line to /var/net-snmp/snmpd.conf:
>
>    createUser myuser MD5 "my_password" DES ""
>
> adding the following line to /snmp/snmpd.conf:
>
>    rwuser myuser
>
>
>
> This appears to be where the issue happens.  When I start our compiled
> snmpd binary it seems to overwrite /var/net-snmp/snmpd.conf every time.
> Therefore I can never create our initial snmpv3 users and every time I run
> a snmpwalk I get:
>
>
>
> [evcLinuxAdmin@localhost ~]$ snmpwalk -v3 -u myuser -l authNoPriv -a MD5
> -A my_ password localhost
>
> snmpwalk: Unknown user name
>
>
>
> I’ve stepped back and stripped all our C mib-group code from the build to
> keep it all repo only code. I did this to ensure it’s not us.  Running into
> the same issue there I dropped back to run on the yum installed net-snmp
> version that is known to our yum repo, created the user again following the
> guide from above.
>
>
>
> [user@localhost ~]$ /usr/sbin/snmpd --version
>
>
>
> NET-SNMP version:  5.7.2
>
> Web:               http://www.net-snmp.org/
>
> Email:             net-snmp-coders@lists.sourceforge.net
>
>
>
> [root]# net-snmp-config --create-snmpv3-user -a MD5 -A my_password myuser
>
> adding the following line to /var/net-snmp/snmpd.conf:
>
>    createUser myuser MD5 "my_password" DES ""
>
> adding the following line to /snmp/snmpd.conf:
>
>    rwuser myuser
>
>
>
> Then I started the snmp service
>
>
>
> [---@localhost ~]$ service snmpd start
>
> Redirecting to /bin/systemctl start snmpd.service
>
> ==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
>
> Authentication is required to manage system services or units.
>
> Authenticating as:
>
> Password:
>
> ==== AUTHENTICATION COMPLETE ===
>
> [---@localhost ~]$
>
>
>
>
>
> Now that the system is running my snmpwalk command works for -v3
>
>         snmpwalk -v3 -u myuser -l authNoPriv -a MD5 -A my_password localhost
>
>
>
> I was also able to use the snmpusm command to create additional users.
> When using this on the 5.9 repo all I get is user not found.
>
>
>
> Jumping back to the 5.9 binary build I know the following
>
>
>
> sudo snmpd -Dread_config -H 2>&1 | grep Read | sort -u
>
> [sudo] password for evcLinuxAdmin:
>
> read_config:file: Reading configuration /etc/snmp/snmpd.conf (0)
>
> read_config:file: Reading configuration /etc/snmp/snmpd.conf (1)   -->
> This file has my rwuser myuser
>
> read_config:file: Reading configuration /var/lib/net-snmp/snmpd.conf (0)
>
> read_config:file: Reading configuration /var/lib/net-snmp/snmpd.conf (1)
> --> I manually added the create user info to this file for myuser and it
> doesn’t seem to be picking it up.
>
>
>
> [evcLinuxAdmin@localhost ~]$ snmpd -Dread_config -H 2>&1 | grep
> config:path | sort -u
>
> read_config:path:  config path used for
> agentx:/usr/local/etc/snmp:/usr/local/share/snmp:/usr/local/lib/snmp:/home/evcLinuxAdmin/.snmp
> (persistent path:/var/net-snmp)
>
> read_config:path:  config path used for agentx:/var/net-snmp (persistent
> path:/var/net-snmp)  --> This is where everything was originally created
> but deleted when snmpd starts.
>
> read_config:path:  config path used for
> snmpd:/usr/local/etc/snmp:/usr/local/share/snmp:/usr/local/lib/snmp:/home/evcLinuxAdmin/.snmp
> (persistent path:/var/net-snmp)
>
> read_config:path:  config path used for snmpd:/var/net-snmp (persistent
> path:/var/net-snmp)
>
> read_config:path:  config path used for
> snmp:/usr/local/etc/snmp:/usr/local/share/snmp:/usr/local/lib/snmp:/home/evcLinuxAdmin/.snmp
> (persistent path:/var/net-snmp)
>
> read_config:path:  config path used for snmp:/var/net-snmp (persistent
> path:/var/net-snmp)
>
>
>
> At this point I think it’s a configuration parameter but I don’t see
> anything that would affect or cause this behavior.  I didn’t see anything
> in the change log to suggest 5.9 was changed from 5.7.  Any help you can
> provide would be helpful as this is needed to meet a customer deliverable.
> Perhaps there is a clear document out there because I have been all over
> the net-snmp provided documents and nothing was found to solve my problem.
>
>
>
> Thanks
>
> Justin
>
>
>
>
>
> --- CONFIDENTIALITY NOTICE: This email and any attachments are for the
> exclusive and confidential use of the intended recipient. If you are not
> the intended recipient, please do not read, distribute or take action in
> reliance upon this message. If you have received this in error, please
> notify us immediately by return email and promptly delete this message and
> its attachments from your computer system.
> _______________________________________________
> Net-snmp-coders mailing list
> Net-snmp-coders@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
>
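
A pre-flight check for the failure described in the reply at the top of this thread, as an added example that is not part of the original messages or of net-snmp: it scans snmpd.conf text for createUser lines whose authentication or privacy passphrase is shorter than the USM minimum of 8 reported in the log. The function names are hypothetical, the parser assumes only the plain createUser form shown in the thread (optionally preceded by "-e ENGINEID"), and the sample configuration is constructed.

```python
import shlex

USM_MIN_PASSPHRASE = 8  # the "min=8" reported in the snmpd log in this thread


def check_create_user(line):
    """Return a list of problems found in one snmpd.conf line.

    Assumes the plain form shown in this thread, optionally preceded by
    "-e ENGINEID": createUser USER AUTHPROTO AUTHPASS [PRIVPROTO [PRIVPASS]]
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return []
    try:
        tokens = shlex.split(stripped)  # a quoted "" survives as an empty token
    except ValueError as exc:
        return [f"cannot parse line: {exc}"]
    if not tokens or tokens[0].lower() != "createuser":
        return []
    args = tokens[1:]
    if len(args) >= 2 and args[0] == "-e":
        args = args[2:]  # skip the engine ID
    if len(args) < 3:
        return ["createUser needs a user name, auth protocol and auth passphrase"]
    problems = []
    if len(args[2]) < USM_MIN_PASSPHRASE:
        problems.append(f"auth passphrase for {args[0]} is shorter than {USM_MIN_PASSPHRASE}")
    # This check also flags a privacy passphrase that is written out but too short, such as "".
    if len(args) >= 5 and len(args[4]) < USM_MIN_PASSPHRASE:
        problems.append(f"priv passphrase for {args[0]} is shorter than {USM_MIN_PASSPHRASE}")
    return problems


def scan_config(text):
    """Return (line_number, problem) pairs for every createUser line in text."""
    return [(n, p) for n, line in enumerate(text.splitlines(), 1)
            for p in check_create_user(line)]


# Constructed sample: the line from the thread, then the same user with a privacy passphrase.
SAMPLE = '''\
rwuser myuser
createUser myuser MD5 "my_password" DES ""
createUser myuser MD5 "my_password" DES "my_password"
'''

if __name__ == "__main__":
    for lineno, problem in scan_config(SAMPLE):
        print(f"line {lineno}: {problem}")
```

Running the check on the persistent snmpd.conf before starting snmpd surfaces the short passphrase without waiting for the daemon to log the error.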