
set service snmp v3 group defaultgroup seclevel - incorrect parsing
Closed, Resolved | Public | BUG

Description

During the migration of an SNMP v3 configuration from 1.1.8 to 1.2, I found a bug related to configuration parsing.

SNMP allows 3 types of configuration security:

set service snmp v3 group defaultgroup seclevel
Possible completions:
   noauth       Messages not authenticated and not encrypted (noAuthNoPriv)
   auth         Messages are authenticated but not encrypted (authNoPriv)
   priv         Messages are authenticated and encrypted (authPriv)

When setting:

set service snmp v3 group defaultgroup seclevel 'auth'

it should not ask for a privacy key, but it does:

set service snmp v3 engineid '0x0aa0d6c6f450'
set service snmp v3 group defaultgroup mode 'ro'
set service snmp v3 group defaultgroup seclevel 'auth'
set service snmp v3 group defaultgroup view 'defaultview'
set service snmp v3 view defaultview oid '1'

set service snmp v3 user testUser auth plaintext-key testUserKey
set service snmp v3 user testUser auth type 'md5'
set service snmp v3 user testUser engineid '0x0aa0d6c6f450'
set service snmp v3 user testUser group 'defaultgroup'
set service snmp v3 user testUser mode 'ro'
commit
[ service snmp ]
Must specify encrypted-key or plaintext-key for user privacy

[[service snmp]] failed
Commit failed

So we have configured privacy even though it is not required.

The same thing happens for noauth + configured username:

set service snmp v3 engineid '0x0aa0d6c6f450'
set service snmp v3 group defaultgroup mode 'ro'
set service snmp v3 group defaultgroup seclevel 'noauth'
set service snmp v3 group defaultgroup view 'defaultview'
set service snmp v3 view defaultview oid '1'

set service snmp v3 user testUser auth plaintext-key testUserKey
set service snmp v3 user testUser auth type 'md5'
set service snmp v3 user testUser engineid '0x0aa0d6c6f450'
set service snmp v3 user testUser group 'defaultgroup'
set service snmp v3 user testUser mode 'ro'
commit
[ service snmp ]
Must specify encrypted-key or plaintext-key for user privacy

[[service snmp]] failed
Commit failed

Noauth without extra parameters works as expected:

set service snmp v3 engineid '0x0aa0d6c6f450'
set service snmp v3 group defaultgroup mode 'ro'
set service snmp v3 group defaultgroup seclevel 'noauth'
set service snmp v3 group defaultgroup view 'defaultview'
set service snmp v3 view defaultview oid 1

Correct behavior is:

  1. In case of noauth - to allow but ignore configuration of user and privacy
  2. In case of auth - to require user but ignore privacy
  3. In case of priv - to require user and privacy both

Details

Difficulty level: Unknown (require assessment)
Version: 1.2.0-rolling+201806250436
Why the issue appeared?: Will be filled on close

Event Timeline

@begetan thanks for this detailed description.

To clarify your described correct behavior:

  1. In case of noauth - allow but ignore configuration of user and privacy setting -> resulting in no user and privacy in the configuration file
  2. In case of auth - require user but ignore privacy setting -> resulting in no privacy in the configuration file
  3. In case of priv - require user and privacy setting -> this seems to be the current behavior

In addition noauth was just recently introduced in my SNMP rewrite.
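
The three-way behaviour agreed on in this thread, sketched as an added Python example (not VyOS's own conf-mode script). The dict layout and the names `check_v3`, `has_key` and `page_config` are assumptions; the privacy error text is the one quoted in the report, and the auth wording is modelled on it.

```python
# Added example, not VyOS code. Dict layout and function names are assumptions.
SECLEVELS = ("noauth", "auth", "priv")
# The "privacy" form of this message is quoted in the report; "auth" is modelled on it.
KEY_ERR = "Must specify encrypted-key or plaintext-key for user {}"

def has_key(section):
    """True if a user's auth/privacy subtree carries either key form."""
    section = section or {}
    return bool(section.get("plaintext-key") or section.get("encrypted-key"))

def check_v3(v3):
    """Validate users against their group's seclevel.

    Returns (errors, rendered): rendered holds only the user settings that
    should reach the daemon configuration file for that seclevel.
    """
    errors, rendered = [], {}
    groups = v3.get("group", {})
    for name, user in v3.get("user", {}).items():
        level = groups.get(user.get("group"), {}).get("seclevel")
        if level not in SECLEVELS:
            errors.append(f"user {name}: group has no valid seclevel")
            continue
        if level == "noauth":
            continue  # accepted in the CLI, but nothing is written out
        out = {"group": user["group"]}
        # auth needs only the auth key; priv needs auth and privacy keys
        for part in ("auth", "privacy") if level == "priv" else ("auth",):
            if has_key(user.get(part)):
                out[part] = user[part]
            else:
                errors.append(KEY_ERR.format(part))
        rendered[name] = out
    return errors, rendered

def page_config(seclevel):
    """Constructed input mirroring the report's commands for testUser."""
    return {
        "group": {"defaultgroup": {"mode": "ro", "seclevel": seclevel,
                                   "view": "defaultview"}},
        "user": {"testUser": {
            "auth": {"plaintext-key": "testUserKey", "type": "md5"},
            "group": "defaultgroup", "mode": "ro"}},
    }

if __name__ == "__main__":
    for level in SECLEVELS:
        print(level, check_v3(page_config(level)))
```

With the report's input, only `priv` produces the privacy error; `auth` commits with the user's auth settings alone, and `noauth` commits with no user rendered.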