Craig Small <csm...@dropbear.xyz> writes:

> Is there a way to encrypt passwords in the snmpd.conf file? Currently,
> when we open
> snmpd.conf file we can look at passwords in plaintext format, is there a
> way to
> store those passwords in encrypted form. Does net-snmp support any
> encryption/
> decryption of passwords while reading from snmpd.conf?
>
> The snmpusm manpage describes a way of making SNMP v3 users.
> The passwords are, I believe, stored as MD5 HMAC and not cleartext.

Good answer and thanks for noting this. Even more importantly: they're
not only stored as a MAC, but also stored in a way that is isolated to
just that machine and localized with an engineid. Specifically, the
snmpd.conf manual page about the createUser line says:

    This directive should be placed into the /var/net-snmp/snmpd.conf
    file instead of the other normal locations. The reason is that the
    information is read from the file and then the line is removed
    (eliminating the storage of the master password for that user) and
    replaced with the key that is derived from it. This key is a
    localized key, so that if it is stolen it can not be used to access
    other agents. If the password is stolen, however, it can be. Thus
    the createUser line should *never* be put in a global config file
    that is not where the agent stores its data in the first place.

The manual page also talks about how to use the net-snmp-config tool to
help with this:

    Instead of figuring out how to use this directive and where to put
    it (see below), just run "net-snmp-config --create-snmpv3-user"
    instead, which will add one of these lines to the right place.

-- 
Wes Hardaker
Please mail all replies to net-snmp-coders@lists.sourceforge.net
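
The key localization described in the reply above, as an added example that is not part of the original thread and is not net-snmp's own code. It assumes the RFC 3414 (USM) password-to-key and localization algorithm with MD5; the password and first engineID are the RFC's sample values, and the second engineID is constructed.

```python
"""RFC 3414 (USM) password-to-key and key localization, MD5 by default."""
import hashlib

# RFC 3414 A.2: hash the first 1,048,576 bytes of the endlessly repeated password.
EXPANDED_LEN = 1048576


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """Derive the non-localized user key Ku from the master password."""
    if not password:
        raise ValueError("password must not be empty")
    reps, rem = divmod(EXPANDED_LEN, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Bind Ku to a single agent: Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Password -> Ku -> Kul for one engineID."""
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


if __name__ == "__main__":
    password = b"maplesyrup"  # sample password from RFC 3414 A.3
    agents = {
        # engineID used in the RFC 3414 A.3 sample results
        "agent-a": bytes.fromhex("000000000000000000000002"),
        # constructed engineID, for illustration only
        "agent-b": bytes.fromhex("80001f8880a1b2c3d4e5f60718"),
    }
    # Same password, different engineIDs: each agent ends up with a different key.
    for name, engine_id in agents.items():
        print(name, localized_key(password, engine_id).hex())
```

The two printed keys differ, so a key copied from one agent's persistent file does not authenticate to the other, while the password itself reproduces both.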