
SNMP: change logic on v3 password encryption
Closed, Resolved | Public | FEATURE REQUEST

Description

As of now, when adding new credentials for any SNMPv3 user we submit the credential either as plaintext or encrypted.

A plaintext credential will be hashed by SNMPd in the background and then passed back into the CLI so it's not stored in cleartext. This feels like the wrong way around: changing the CLI content with data produced by a 3rd-party daemon which implements the service. It feels like the tail wagging the entire dog.

This should be changed in the following way:

  • After retrieving the plaintext password from the CLI, use Python crypt() (or any other valid method) to hash the key in advance
  • Re-populate the encrypted key into the CLI and drop the plaintext one
  • Generate service configuration and continue startup of SNMPd.

There is still a race in SNMPd somewhere, where, because of this logic, the service sometimes does not start after a reboot, or, even worse, it could end up in a Configuration Error.

Details

Difficulty level
Hard (possibly days)
Version
1.3-rolling
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Improvement (missing useful functionality)

Event Timeline

Just digging around I found this:

(18:16) vyos_bld 9effe3477416:/vyos # snmpv3-hashgen --user test --auth test1234 --priv test1234 --engine 80001f88804836433ae817025f00000000
User: test
Auth: test1234 / 01e869d149d422b20b8e42886e056e275876d3df
Priv: test1234 / 01e869d149d422b20b8e42886e056e275876d3df
Engine: 80001f88804836433ae817025f00000000

https://pypi.org/project/SNMPv3-Hash-Generator/

The produced hashes match the ones I have set up on my router when using the supplied engineid of 80001f88804836433ae817025f00000000

The question remains how the engineID is calculated, hence it is explicitly defined via oldEngineID

Using the defaults mentioned in https://tools.ietf.org/html/rfc3414#appendix-A.3.2 we can get:

snmpv3-hashgen --user test --auth maplesyrup --priv maplesyrup --engine 000000000000000000000002
User: test
Auth: maplesyrup / 6695febc9288e36282235fc7151f128497b38f3f
Priv: maplesyrup / 6695febc9288e36282235fc7151f128497b38f3f
Engine: 000000000000000000000002
ESXi USM String: test/6695febc9288e36282235fc7151f128497b38f3f/6695febc9288e36282235fc7151f128497b38f3f/priv

and in VyOS 1.2.5

set service snmp v3 engineid '0x000000000000000000000002'
set service snmp v3 group default mode 'ro'
set service snmp v3 group default view 'default'
set service snmp v3 user test auth plaintext-key maplesyrup
set service snmp v3 user test auth type 'sha'
set service snmp v3 user test priv plaintext-key maplesyrup
set service snmp v3 view default oid 1

will generate:

$ sudo cat /var/lib/snmp/snmpd.conf
#
# net-snmp (or ucd-snmp) persistent data file.
#
############################################################################
# STOP STOP STOP STOP STOP STOP STOP STOP STOP
#
#          **** DO NOT EDIT THIS FILE ****
#
# STOP STOP STOP STOP STOP STOP STOP STOP STOP
############################################################################
#
# DO NOT STORE CONFIGURATION ENTRIES HERE.
# Please save normal configuration tokens for snmpd in SNMPCONFPATH/snmpd.conf.
# Only "createUser" tokens should be placed here by snmpd administrators.
# (Did I mention: do not edit this file?)
#
usmUser 1 3 "000000000000000000000002" "test" "test" NULL .1.3.6.1.6.3.10.1.1.2 0x40cbeaa22288314887403c144b277eed .1.3.6.1.6.3.10.1.2.4 0x40cbeaa22288314887403c144b277eed ""
usmUser 1 3 "000000000000000000000002" "vyosd21d44614c6d205f" "vyosd21d44614c6d205f" NULL .1.3.6.1.6.3.10.1.1.2 0x791eb7ad149f28fc3053ed4138aa2724 .1.3.6.1.6.3.10.1.2.2 0x791eb7ad149f28fc3053ed4138aa2724 ""
setserialno 1948841605
##############################################################
#
# snmpNotifyFilterTable persistent data
#
##############################################################


##############################################################
#
# ifXTable persistent data
#
ifXTable .1 14:0 18:0x $
ifXTable .2 14:0 18:0x $
ifXTable .3 14:0 18:0x $
ifXTable .4 14:0 18:0x $
ifXTable .5 14:0 18:0x $
ifXTable .6 14:0 18:0x $
ifXTable .7 14:0 18:0x $
ifXTable .8 14:0 18:0x $
##############################################################


engineBoots 1
oldEngineID "000000000000000000000002"

c-po changed the task status from Open to In progress. Jul 7 2020, 5:50 PM
c-po claimed this task.
c-po changed Difficulty level from Unknown (require assessment) to Hard (possibly days).
c-po changed Version from - to 1.3-rolling.
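The description proposes hashing the key before it reaches the service, and the comment above checks the RFC 3414 A.3.2 defaults with snmpv3-hashgen. The following is an added example, not VyOS's or snmpv3-hashgen's code: it implements the RFC 3414 password-to-key expansion and key localization with hashlib, accepts the 0x-prefixed engineid form the VyOS CLI shows, and reproduces the SHA value 6695febc... printed above for "maplesyrup" with engineID 000000000000000000000002.

```python
import hashlib

# RFC 3414 Appendix A.3 test vector (the same one used in the comment above):
# password "maplesyrup", snmpEngineID 000000000000000000000002.
RFC3414_ENGINE_ID = "000000000000000000000002"

# RFC 3414 A.2: the password is repeated until it fills 1 MiB (1048576 octets)
# before being digested; this expansion is what makes guessing weak
# passwords comparatively slow.
KEY_EXPANSION_LEN = 1048576


def password_to_key(password: bytes, algorithm: str) -> bytes:
    """Ku = H(password repeated cyclically to 1 MiB), RFC 3414 A.2.1 / A.2.2."""
    if not password:
        raise ValueError("empty password")
    reps = KEY_EXPANSION_LEN // len(password) + 1
    expanded = (password * reps)[:KEY_EXPANSION_LEN]
    return hashlib.new(algorithm, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku), RFC 3414 section 2.6."""
    # RFC 3411 defines SnmpEngineID as an OCTET STRING of 5..32 octets;
    # a shorter value is rejected here rather than silently localized.
    if not 5 <= len(engine_id) <= 32:
        raise ValueError(f"engineID must be 5..32 octets, got {len(engine_id)}")
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def usm_localized_key(password: str, engine_id_hex: str, algorithm: str = "sha1") -> str:
    """Hex localized USM key: the value a CLI could store instead of the plaintext.

    The privacy key is derived the same way from the privacy password using the
    authentication hash, which is why the Auth and Priv values printed above are
    identical whenever both passwords are the same.
    """
    if engine_id_hex.startswith("0x"):  # VyOS CLI form: '0x0000...0002'
        engine_id_hex = engine_id_hex[2:]
    engine_id = bytes.fromhex(engine_id_hex)
    ku = password_to_key(password.encode(), algorithm)
    return localize_key(ku, engine_id, algorithm).hex()


if __name__ == "__main__":
    for alg in ("md5", "sha1"):
        print(alg, usm_localized_key("maplesyrup", RFC3414_ENGINE_ID, alg))
```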

Now, I don't know how to pull the SNMP data again. The command is as follows:

snmpwalk -v 3 -u vyos -a md5 -A pass -x aes  -X pass -c public -l authPriv 192.168.0.1

"pass" in the command stands for the plaintext password. In fact, I have tried both plaintext and ciphertext.

The following errors are reported:

snmpwalk: Authentication failure (incorrect password, community or key)

The configuration is as follows:

community public {
    authorization ro
    network 192.168.0.0/16
    network fc00:470:f1cd::/48
}
listen-address 192.168.0.1 {
    port 161
}
listen-address fc00:470:f1cd::1 {
    port 161
}
location HOME
v3 {
    engineid ff42
    group public {
        mode ro
        seclevel priv
        view public
    }
    user vyos {
        auth {
            encrypted-password 9a217a13b3c4c8151f73b965c8c7a6e7
            type md5
        }
        group public
        mode ro
        privacy {
            encrypted-password 9a217a13b3c4c8151f73b965c8c7a6e7
            type aes
        }
    }
    view public {
        oid 1 {
        }
    }
}

The configuration is as follows:

listen-address 192.168.0.1 {
    port 161
}
listen-address fc00:470:f1cd::1 {
    port 161
}
location HOME
v3 {
    engineid ff42
    group default {
        mode ro
        seclevel priv
        view public
    }
    user vyos {
        auth {
            encrypted-password 9a217a13b3c4c8151f73b965c8c7a6e7
            type md5
        }
        group default
        mode ro
        privacy {
            encrypted-password 9a217a13b3c4c8151f73b965c8c7a6e7
            type aes
        }
    }
    view public {
        oid 1 {
        }
    }
}

The same error still exists. How should the client SNMP command be written?

It is stated in the documentation - that is why I passed it to you

Thank you. I'm in a hurry to solve the problem. If I set this aside, I can try to use SHA and reset it successfully. Do you not support MD5?

MD5 should be supported as it works in VyOS 1.2 - let me have a look.

The problem seems to be in the 3rd-party hash library. When upgrading from 1.2.5 to 1.3 rolling, settings persist and work:

v3 {
    engineid 000000000000000000000002
    group default {
        mode ro
        view default
    }
    user vyos {
        auth {
            encrypted-password 4c67690d45d3dfcd33d0d7e308e370ad
            type md5
        }
        group default
        privacy {
            encrypted-password 4c67690d45d3dfcd33d0d7e308e370ad
            type des
        }
    }
    view default {
        oid 1 {
        }
    }
}
$ snmpwalk -v 3 -u vyos -a MD5 -A vyos12345678 -x DES -X vyos12345678 -l authPriv 172.18.254.201 .1
iso.3.6.1.2.1.1.1.0 = STRING: "VyOS 1.3-rolling-202007121035"

New ISO build triggered with fix - also an MD5 smoketest was added

Will this issue be fixed in the next release? Just in doubt, I've used SHA instead of MD5.

erkin set Issue type to Improvement (missing useful functionality). Aug 29 2021, 1:54 PM
erkin removed a subscriber: Active contributors.