At the moment we are neither consistent nor really secure in what we
offer by default for snmp. For snmp(1) we default to MD-5 and DES and
for snmpd(8) we default to SHA-1 and DES. Both are horrendously out of
date.
Diff below updates both tools to use SHA-256 and AES by default.
SHA-256 should still be reasonably secure by todays standards and less
straining on older architectures, but I'm not objecting if people prefer
to move to SHA-384 or HSA-512 by default.
Note that perl snmp client doesn't support the SHA-2 family of
functions, so people using check_snmp_* with icinga or the likes will
have to explicitly set auth to sha-1 if they want this to continue
working. I once looked at the snmp code behind these tools and realised
that I can't do perl.
If someone out there with perl skills, who knows the perl community
(because we want to upstream this) and wants to pick this up but doesn't
know snmp I'm willing to help out in the specs department.
Thoughts? OK?
martijn@
Index: usr.bin/snmp/snmp.1
===================================================================
RCS file: /cvs/src/usr.bin/snmp/snmp.1,v
retrieving revision 1.8
diff -u -p -r1.8 snmp.1
--- usr.bin/snmp/snmp.1 26 Oct 2019 17:43:52 -0000 1.8
+++ usr.bin/snmp/snmp.1 28 Oct 2019 06:58:09 -0000
@@ -178,7 +178,7 @@ Options are
or
.Cm SHA-512 .
This option defaults to
-.Cm MD5 .
+.Cm SHA-256 .
This option is only used by
.Fl v Cm 3 .
.It Fl C Ar appopt
@@ -401,6 +401,8 @@ protocol.
Options are
.Cm DES
and
+.Cm AES .
+This option defaults to
.Cm AES .
This option is only used by
.Fl v Cm 3 .
Index: usr.bin/snmp/snmpc.c
===================================================================
RCS file: /cvs/src/usr.bin/snmp/snmpc.c,v
retrieving revision 1.17
diff -u -p -r1.17 snmpc.c
--- usr.bin/snmp/snmpc.c 26 Oct 2019 19:34:15 -0000 1.17
+++ usr.bin/snmp/snmpc.c 28 Oct 2019 06:58:09 -0000
@@ -433,7 +433,7 @@ main(int argc, char *argv[])
err(1, "usm_init");
if (seclevel & SNMP_MSGFLAG_AUTH) {
if (md == NULL)
- md = EVP_md5();
+ md = EVP_sha256();
if (authkey == NULL)
errx(1, "No authKey or authPassword specified");
if (usm_setauth(sec, md, authkey, authkeylen,
@@ -442,7 +442,7 @@ main(int argc, char *argv[])
}
if (seclevel & SNMP_MSGFLAG_PRIV) {
if (cipher == NULL)
- cipher = EVP_des_cbc();
+ cipher = EVP_aes_128_cfb128();
if (privkey == NULL)
errx(1, "No privKey or privPassword specified");
if (usm_setpriv(sec, cipher, privkey, privkeylen,
Index: usr.sbin/snmpd/snmpd.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/snmpd/snmpd.conf.5,v
retrieving revision 1.40
diff -u -p -r1.40 snmpd.conf.5
--- usr.sbin/snmpd/snmpd.conf.5 9 Aug 2019 08:12:04 -0000 1.40
+++ usr.sbin/snmpd/snmpd.conf.5 28 Oct 2019 06:58:09 -0000
@@ -249,7 +249,7 @@ must be either
or
.Ic hmac-sha512 .
If omitted the default is
-.Ic hmac-sha1 .
+.Ic hmac-sha256 .
.Pp
With
.Ic enckey
@@ -265,7 +265,7 @@ algorithm can be either
or
.Ic aes
and defaults to
-.Ic des .
+.Ic aes .
.Pp
Any user account that has encryption enabled requires authentication to
be enabled too.
Index: usr.sbin/snmpd/snmpd.h
===================================================================
RCS file: /cvs/src/usr.sbin/snmpd/snmpd.h,v
retrieving revision 1.85
diff -u -p -r1.85 snmpd.h
--- usr.sbin/snmpd/snmpd.h 11 Jun 2019 05:36:32 -0000 1.85
+++ usr.sbin/snmpd/snmpd.h 28 Oct 2019 06:58:09 -0000
@@ -541,7 +541,7 @@ enum usmauth {
AUTH_SHA512 /* usmHMAC384SHA512AuthProtocol. RFC7860 */
};
-#define AUTH_DEFAULT AUTH_SHA1 /* Default digest */
+#define AUTH_DEFAULT AUTH_SHA256 /* Default digest */
enum usmpriv {
PRIV_NONE = 0,
@@ -549,7 +549,7 @@ enum usmpriv {
PRIV_AES /* CFB128-AES-128, RFC3826 */
};
-#define PRIV_DEFAULT PRIV_DES /* Default cipher */
+#define PRIV_DEFAULT PRIV_AES /* Default cipher */
struct usmuser {
char *uu_name;
