
SNMPv3 snmpd.conf generation bug
Closed, Resolved · Public · BUG

Description

afics@xxxxx# show service snmp
 contact test
 listen-address 1.2.3.4 {
 }
 location test
 v3 {
     user test {
         auth {
             encrypted-password f9f805f30bd91869dbadf2833e9cf155c9abf122
             type sha
         }
         privacy {
             encrypted-password 7f53351b5a709946bb750b881fe08bea796510c8
             type aes
         }
     }
 }

Results in non-functional SNMP and the following in the logs:

Dec 22 13:56:xxxxx systemd[1]: Starting Simple Network Management Protocol (SNMP) Daemon....
Dec 22 13:56:xxxxx systemd[1]: Started Simple Network Management Protocol (SNMP) Daemon..
Dec 22 13:56:xxxxx snmpd[998999]: MIB search path: /usr/share/snmp/mibs:/usr/share/snmp/mibs/iana:/usr/s>
Dec 22 13:56:xxxxx snmpd[998999]: Cannot find module (IANAifType-MIB): At line 13 in /usr/share/snmp/mib>
Dec 22 13:56:xxxxx snmpd[998999]: Did not find 'IANAifType' in module #-1 (/usr/share/snmp/mibs/IF-MIB.t>
Dec 22 13:56:xxxxx snmpd[998999]: Cannot find module (IANA-RTPROTO-MIB): At line 12 in /usr/share/snmp/m>
Dec 22 13:56:xxxxx snmpd[998999]: Did not find 'IANAipRouteProtocol' in module #-1 (/usr/share/snmp/mibs>
Dec 22 13:56:xxxxx snmpd[998999]: /etc/snmp/snmpd.conf: line 60: Error: missing SECURITY parameter
Dec 22 13:56:xxxxx snmpd[998999]: net-snmp: 1 error(s) in config file(s)

Details

Difficulty level
Easy (less than an hour)
Version
1.3.0 and 1.4-rolling-202112211328
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Stricter validation
Issue type
Bug (incorrect behavior)

Event Timeline

Unknown Object (User) created this task. Dec 22 2021, 1:59 PM

End of /etc/snmp/snmpd.conf:

# group
group  usm test

I see a similar bug in 1.2 with this configuration:

set service snmp contact 'test'
set service snmp listen-address 192.168.122.12
set service snmp location 'test'
set service snmp v3 user foo auth encrypted-key '0x2e312e332e362e312e362e332e31302e312e322e34'
set service snmp v3 user foo auth type 'sha'
set service snmp v3 user foo privacy encrypted-key '0x'
set service snmp v3 user foo privacy type 'aes'

Dec 22 15:23:33 r12-lts snmpd[4197]: /etc/snmp/snmpd.conf: line 62: Error: bad security model, should be: v1, v2c or usm or a registered security plugin name
Dec 22 15:23:33 r12-lts snmpd[4197]: net-snmp: 1 error(s) in config file(s)

Line 62:

group  usm foo

The issue was a missing verify() step that requires every SNMPv3 user to have a group assigned.

c-po triaged this task as Normal priority.
c-po changed Difficulty level from Unknown (require assessment) to Easy (less than an hour).
c-po changed Is it a breaking change? from Unspecified (possibly destroys the router) to Stricter validation.
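
The check named in the closing comment, as an added example in Python (not VyOS's own code): `verify_v3_users` rejects a v3 user that has no group, and `lint_group_lines` flags the malformed `group` line that an unvalidated config renders into snmpd.conf. The config dict layout, `ConfigError` and all function names are assumptions made for illustration; the sample input is constructed from the report.

```python
# Added example, not VyOS source. Dict layout and names are assumptions.
# Per the snmpd log on this page, the model is v1, v2c or usm
# (registered security plugin names are not covered here).
SECURITY_MODELS = {"v1", "v2c", "usm"}


class ConfigError(Exception):
    """Local stand-in for the error a commit-time verify step raises."""


def verify_v3_users(snmp):
    """Reject a config dict in which any v3 user lacks a group."""
    for name, user in snmp.get("v3", {}).get("user", {}).items():
        if not user.get("group"):
            raise ConfigError(f'SNMPv3 user "{name}" requires a group')


def render_group_lines(snmp):
    """Render group lines with no validation, reproducing the report."""
    users = snmp.get("v3", {}).get("user", {})
    return [f"group {u.get('group', '')} usm {n}" for n, u in users.items()]


def lint_group_lines(conf_text):
    """Return (line_no, message) for each malformed group directive."""
    problems = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0] != "group":
            continue
        if len(fields) != 4:  # group GROUP MODEL SECNAME
            problems.append((no, f"expected 3 arguments, got {len(fields) - 1}"))
        elif fields[2] not in SECURITY_MODELS:
            problems.append((no, f"bad security model {fields[2]!r}"))
    return problems


# Constructed input mirroring the report: user "test" has no group.
BROKEN = {"v3": {"user": {"test": {"auth": {"type": "sha"}}}}}
FIXED = {"v3": {"user": {"test": {"group": "ops", "auth": {"type": "sha"}}}}}

if __name__ == "__main__":
    print(lint_group_lines("\n".join(render_group_lines(BROKEN))))
    verify_v3_users(FIXED)  # passes silently
    try:
        verify_v3_users(BROKEN)
    except ConfigError as exc:
        print("commit rejected:", exc)
```

With the group name empty, the remaining tokens shift left, so `usm` lands in the group position and the user name in the security-model position, which matches both snmpd errors quoted in this task.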