As of now, when adding new credentials for any SNMPv3 user, we submit the credential either as plaintext or encrypted.
A plaintext credential will be hashed by SNMPd in the background and then passed back into the CLI so it's not stored in cleartext. This feels like the wrong approach: the CLI content is changed with data produced by a third-party daemon which implements the service. It feels like the tail wiggles the entire dog.
This should be changed in the following way:
- After retrieving the plaintext password from the CLI, use Python crypt() (or any other valid method) to hash the key in advance
- Re-populate the encrypted key into the CLI and drop the plaintext one
- Generate service configuration and continue startup of SNMPd.
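One way to carry out the first two steps without involving SNMPd, as an added example that is not code from the project: the RFC 3414 password-to-key localization stands in for the "any other valid method" option. The engine ID value, the `plaintext-key`/`encrypted-key`/`type` node names and all function names are assumptions of this example.

```python
import hashlib

# RFC 3414 A.2: the password is repeated to fill exactly 1 MiB before hashing.
EXPANDED_LEN = 1024 * 1024


def password_to_key(password: bytes, algo: str) -> bytes:
    """Derive the user key Ku from a plaintext password (RFC 3414 A.2)."""
    if len(password) < 8:
        # Minimum length is this example's policy; it also rules out the
        # empty password, which would divide by zero below.
        raise ValueError("password must be at least 8 bytes")
    h = hashlib.new(algo)
    reps, rest = divmod(EXPANDED_LEN, len(password))
    h.update(password * reps + password[:rest])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Bind Ku to one SNMP engine: Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def hash_credential(plaintext: str, engine_id_hex: str, algo: str = "sha1") -> str:
    """Return the localized key as hex, ready to replace the plaintext value."""
    if algo not in ("md5", "sha1"):
        raise ValueError("unsupported auth protocol: " + algo)
    engine_id = bytes.fromhex(engine_id_hex)
    ku = password_to_key(plaintext.encode(), algo)
    return localize_key(ku, engine_id, algo).hex()


def migrate_user(user: dict, engine_id_hex: str) -> dict:
    """Swap 'plaintext-key' for 'encrypted-key' in a (hypothetical) config node."""
    out = dict(user)
    if "plaintext-key" in out:
        out["encrypted-key"] = hash_credential(
            out.pop("plaintext-key"), engine_id_hex, out.get("type", "sha1"))
    return out


if __name__ == "__main__":
    # Constructed sample; password and engine ID are the RFC 3414 A.3 test inputs.
    user = {"type": "sha1", "plaintext-key": "maplesyrup"}
    print(migrate_user(user, "000000000000000000000002"))
```

Because the localized key depends on the engine ID, the engine ID has to be fixed in the configuration before the key is computed; a key hashed against one engine ID will not authenticate against another.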
There is still a race somewhere in SNMPd where, because of this logic, the service sometimes does not start after a reboot. Even worse, it could end up in a configuration error.