On 2019/10/28 08:02, Martijn van Duren wrote:
> At the moment we are neither consistent nor really secure in what we
> offer by default for snmp. For snmp(1) we default to MD-5 and DES and
> for snmpd(8) we default to SHA-1 and DES. Both are horrendously out of
> date.
>
> Diff below updates both tools to use SHA-256 and AES by default.
> SHA-256 should still be reasonably secure by todays standards and less
> straining on older architectures, but I'm not objecting if people prefer
> to move to SHA-384 or HSA-512 by default.
>
> Note that perl snmp client doesn't support the SHA-2 family of
> functions, so people using check_snmp_* with icinga or the likes will
> have to explicitly set auth to sha-1 if they want this to continue
> working. I once looked at the snmp code behind these tools and realised
> that I can't do perl.
> If someone out there with perl skills, who knows the perl community
> (because we want to upstream this) and wants to pick this up but doesn't
> know snmp I'm willing to help out in the specs department.
>
> Thoughts? OK?
>
> martijn@
If this does go in, please make sure it's well described in current.html with
example config lines - AES is fairly widely supported for SNMP but SHA-256 isn't
so I think many users would need to change that. (I suspect the most common
setup at present is likely to be aes+sha1).
I definitely agree with snmp(1) getting the same defaults as snmpd(8).
> Index: usr.bin/snmp/snmp.1
> ===================================================================
> RCS file: /cvs/src/usr.bin/snmp/snmp.1,v
> retrieving revision 1.8
> diff -u -p -r1.8 snmp.1
> --- usr.bin/snmp/snmp.1 26 Oct 2019 17:43:52 -0000 1.8
> +++ usr.bin/snmp/snmp.1 28 Oct 2019 06:58:09 -0000
> @@ -178,7 +178,7 @@ Options are
> or
> .Cm SHA-512 .
> This option defaults to
> -.Cm MD5 .
> +.Cm SHA-256 .
> This option is only used by
> .Fl v Cm 3 .
> .It Fl C Ar appopt
> @@ -401,6 +401,8 @@ protocol.
> Options are
> .Cm DES
> and
> +.Cm AES .
> +This option defaults to
> .Cm AES .
> This option is only used by
> .Fl v Cm 3 .
> Index: usr.bin/snmp/snmpc.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/snmp/snmpc.c,v
> retrieving revision 1.17
> diff -u -p -r1.17 snmpc.c
> --- usr.bin/snmp/snmpc.c 26 Oct 2019 19:34:15 -0000 1.17
> +++ usr.bin/snmp/snmpc.c 28 Oct 2019 06:58:09 -0000
> @@ -433,7 +433,7 @@ main(int argc, char *argv[])
> err(1, "usm_init");
> if (seclevel & SNMP_MSGFLAG_AUTH) {
> if (md == NULL)
> - md = EVP_md5();
> + md = EVP_sha256();
> if (authkey == NULL)
> errx(1, "No authKey or authPassword specified");
> if (usm_setauth(sec, md, authkey, authkeylen,
> @@ -442,7 +442,7 @@ main(int argc, char *argv[])
> }
> if (seclevel & SNMP_MSGFLAG_PRIV) {
> if (cipher == NULL)
> - cipher = EVP_des_cbc();
> + cipher = EVP_aes_128_cfb128();
> if (privkey == NULL)
> errx(1, "No privKey or privPassword specified");
> if (usm_setpriv(sec, cipher, privkey, privkeylen,
> Index: usr.sbin/snmpd/snmpd.conf.5
> ===================================================================
> RCS file: /cvs/src/usr.sbin/snmpd/snmpd.conf.5,v
> retrieving revision 1.40
> diff -u -p -r1.40 snmpd.conf.5
> --- usr.sbin/snmpd/snmpd.conf.5 9 Aug 2019 08:12:04 -0000 1.40
> +++ usr.sbin/snmpd/snmpd.conf.5 28 Oct 2019 06:58:09 -0000
> @@ -249,7 +249,7 @@ must be either
> or
> .Ic hmac-sha512 .
> If omitted the default is
> -.Ic hmac-sha1 .
> +.Ic hmac-sha256 .
> .Pp
> With
> .Ic enckey
> @@ -265,7 +265,7 @@ algorithm can be either
> or
> .Ic aes
> and defaults to
> -.Ic des .
> +.Ic aes .
> .Pp
> Any user account that has encryption enabled requires authentication to
> be enabled too.
> Index: usr.sbin/snmpd/snmpd.h
> ===================================================================
> RCS file: /cvs/src/usr.sbin/snmpd/snmpd.h,v
> retrieving revision 1.85
> diff -u -p -r1.85 snmpd.h
> --- usr.sbin/snmpd/snmpd.h 11 Jun 2019 05:36:32 -0000 1.85
> +++ usr.sbin/snmpd/snmpd.h 28 Oct 2019 06:58:09 -0000
> @@ -541,7 +541,7 @@ enum usmauth {
> AUTH_SHA512 /* usmHMAC384SHA512AuthProtocol. RFC7860 */
> };
>
> -#define AUTH_DEFAULT AUTH_SHA1 /* Default digest */
> +#define AUTH_DEFAULT AUTH_SHA256 /* Default digest */
>
> enum usmpriv {
> PRIV_NONE = 0,
> @@ -549,7 +549,7 @@ enum usmpriv {
> PRIV_AES /* CFB128-AES-128, RFC3826 */
> };
>
> -#define PRIV_DEFAULT PRIV_DES /* Default cipher */
> +#define PRIV_DEFAULT PRIV_AES /* Default cipher */
>
> struct usmuser {
> char *uu_name;
>
