On Tue, Jul 27, 2021 at 08:43:20PM +0200, Martijn van Duren wrote:
> Previous diff failed to set the initial bit when not defining engineid
> in the config.
>
> On Fri, 2021-07-23 at 15:41 +0200, Martijn van Duren wrote:
> > This diff introduces setting the engineid for snmpd(8).
> > Although this diff might seem quite excessive at first glance, there's
> > a valid reason to do so.
> >
> > The following things are in effect when sending an SNMPv3 trap:
> > - SNMP trap packets are unacknowledged, meaning that we get neither a
> >   response nor a report message.
> > - SNMPv3 packets with a trap contain the engineid of the sender.
> > - The keys used in auth and priv are derived from the password and the
> >   engineid.
> > - Users are linked to an engineid.
> >
> > So if we're sending messages in SNMPv3 format we can't generate a random
> > engineid on each boot as we do now, or the trap receiver can't find the
> > correct user. Since I want to keep the default config as empty as
> > possible I've chosen to use the first 27 bytes (maximum length that
> > fits in the engineid) of the sha256 hash of the hostname(3). This should
> > give us the biggest confidence in having a consistent name that won't
> > clash with other agents. If someone has a better idea though, please
> > speak up now.

This seems reasonable to me. Another option would be to generate a random
ID once and store it on disk, like the SOII key. Seems like an awkward
thing to do when there's also a config file that the information could be
in, though, so I don't think this is really a good option.

> > As for allowing to set the engineid: When receiving a trap admins will
> > need to be able to specify the engineid of the remote agent, or there
> > will be problems with the key generation of that user.
> > Given this requirement it's a small step to allow the same yacc rules
> > to be used for setting the global engineid and gives a little more
> > control to the admin. The global engineid just happens to be more
> > convenient to implement first.
> >
> > OK?

If no one has any better ideas for generating a default engine ID, ok jmatthew@
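Worked example, added here and not part of the thread or of the snmpd(8) diff (which is not on this page): a stable engine ID built from the first 27 bytes of sha256(hostname), followed by the RFC 3414 key localization that explains why a per-boot random engine ID leaves the trap receiver unable to reproduce the sender's key. Assumptions: the engine ID uses the RFC 3411 layout (4-byte enterprise number with the high bit set, one format byte, up to 27 data bytes), 30155 is taken to be OpenBSD's IANA enterprise number, and 128 is an arbitrary enterprise-specific format byte.

```python
"""Hostname-derived SNMPv3 engine ID and RFC 3414 key localization."""
import hashlib
import struct

ENTERPRISE = 30155      # assumed: OpenBSD's IANA enterprise number
FMT_HOSTHASH = 128      # placeholder format byte (enterprise-specific range 128-255)
MAX_ENGINEID = 32       # RFC 3411: SnmpEngineID is 5..32 octets


def engineid_from_hostname(hostname: str) -> bytes:
    """Engine ID = enterprise (high bit set) || format || sha256(hostname)[:27].

    4 + 1 header bytes leave exactly 27 bytes of hash inside the 32-byte limit,
    which is the "maximum length that fits" mentioned in the thread.
    """
    head = struct.pack(">I", ENTERPRISE | 0x80000000) + bytes([FMT_HOSTHASH])
    digest = hashlib.sha256(hostname.encode()).digest()
    return head + digest[: MAX_ENGINEID - len(head)]


def password_to_key(password: str, hashname: str = "sha1") -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated/truncated to 1 MiB)."""
    pw = password.encode()
    reps, rem = divmod(1048576, len(pw))
    return hashlib.new(hashname, pw * reps + pw[:rem]).digest()


def localize_key(ku: bytes, engineid: bytes, hashname: str = "sha1") -> bytes:
    """RFC 3414 A.2: Kul = H(Ku || engineID || Ku).

    The receiver can only compute the same Kul if it holds the sender's
    engineID; with an unacknowledged trap there is no discovery exchange.
    """
    return hashlib.new(hashname, ku + engineid + ku).digest()


def receiver_can_authenticate(password: str, receiver_engineid: bytes,
                              sender_engineid: bytes) -> bool:
    """True when the engineID configured at the receiver yields the sender's Kul."""
    ku = password_to_key(password)
    return localize_key(ku, sender_engineid) == localize_key(ku, receiver_engineid)


if __name__ == "__main__":
    stable = engineid_from_hostname("agent.example.org")   # constructed hostname
    random_boot_id = bytes.fromhex("8000002300ff11223344")  # constructed stand-in
    print("stable engineid:", stable.hex())
    print("same host, same id:", receiver_can_authenticate("maplesyrup", stable, stable))
    print("per-boot random id:", receiver_can_authenticate("maplesyrup", stable, random_boot_id))
```

The `maplesyrup` password and the 12-byte all-zero/`02` engine ID in the test are the RFC 3414 A.3.2 vectors, so the localization step can be checked against a published value.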
