During the migration of the SNMP v3 configuration from 1.1.8 to 1.2, I found a bug related to parsing the configuration.
SNMP allows 3 types of security configuration:
```
set service snmp v3 group defaultgroup seclevel
Possible completions:
  noauth   Messages not authenticated and not encrypted (noAuthNoPriv)
  auth     Messages are authenticated but not encrypted (authNoPriv)
  priv     Messages are authenticated and encrypted (authPriv)
```
When setting:
```
set service snmp v3 group defaultgroup seclevel 'auth'
```
it should not ask for a privacy key, but it does:
```
set service snmp v3 engineid '0x0aa0d6c6f450'
set service snmp v3 group defaultgroup mode 'ro'
set service snmp v3 group defaultgroup seclevel 'auth'
set service snmp v3 group defaultgroup view 'defaultview'
set service snmp v3 view defaultview oid '1'
set service snmp v3 user testUser auth plaintext-key testUserKey
set service snmp v3 user testUser auth type 'md5'
set service snmp v3 user testUser engineid '0x0aa0d6c6f450'
set service snmp v3 user testUser group 'defaultgroup'
set service snmp v3 user testUser mode 'ro'
commit
[ service snmp ]
Must specify encrypted-key or plaintext-key for user privacy
[[service snmp]] failed
Commit failed
```
So we have to configure privacy even though it is not required.
The same thing happens for noauth with a configured username:
```
set service snmp v3 engineid '0x0aa0d6c6f450'
set service snmp v3 group defaultgroup mode 'ro'
set service snmp v3 group defaultgroup seclevel 'noauth'
set service snmp v3 group defaultgroup view 'defaultview'
set service snmp v3 view defaultview oid '1'
set service snmp v3 user testUser auth plaintext-key testUserKey
set service snmp v3 user testUser auth type 'md5'
set service snmp v3 user testUser engineid '0x0aa0d6c6f450'
set service snmp v3 user testUser group 'defaultgroup'
set service snmp v3 user testUser mode 'ro'
commit
[ service snmp ]
Must specify encrypted-key or plaintext-key for user privacy
[[service snmp]] failed
Commit failed
```
Noauth without extra parameters works as expected:
```
set service snmp v3 engineid '0x0aa0d6c6f450'
set service snmp v3 group defaultgroup mode 'ro'
set service snmp v3 group defaultgroup seclevel 'noauth'
set service snmp v3 group defaultgroup view 'defaultview'
set service snmp v3 view defaultview oid 1
```
The correct behavior is:
- In case of noauth - to allow but ignore configuration of user and privacy
- In case of auth - to require user but ignore privacy
- In case of priv - to require user and privacy both
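The expected validation above, sketched as an added example (not code from the project): a check that ties the required keys to the group's `seclevel`. The dictionary layout and the names `REQUIRED`, `has_key`, `verify_v3` and `sample` are assumptions made for illustration, and the sample configuration is constructed from the commands in this report.

```python
# Added example, not the project's code: seclevel-dependent validation.
# What each group seclevel requires from the users that belong to it.
REQUIRED = {
    "noauth": {"auth": False, "privacy": False},
    "auth": {"auth": True, "privacy": False},
    "priv": {"auth": True, "privacy": True},
}

def has_key(section):
    """True if the section carries a plaintext-key or an encrypted-key."""
    section = section or {}
    return bool(section.get("plaintext-key") or section.get("encrypted-key"))

def verify_v3(config):
    """Return a list of error strings; an empty list means commit may proceed."""
    errors = []
    groups = config.get("group", {})
    users = config.get("user", {})
    for name, user in users.items():
        group = groups.get(user.get("group"))
        if group is None:
            errors.append(f"user {name}: group is not defined")
            continue
        need = REQUIRED.get(group.get("seclevel"))
        if need is None:
            errors.append(f"user {name}: group has no valid seclevel")
            continue
        # Extra settings are allowed but ignored when the level does not need them.
        for part in ("auth", "privacy"):
            if need[part] and not has_key(user.get(part)):
                errors.append(f"user {name}: must specify encrypted-key or "
                              f"plaintext-key for user {part}")
    # auth and priv are meaningless without at least one user in the group.
    for gname, group in groups.items():
        need = REQUIRED.get(group.get("seclevel"), {})
        members = [u for u in users.values() if u.get("group") == gname]
        if need.get("auth") and not members:
            errors.append(f"group {gname}: seclevel requires at least one user")
    return errors

def sample(seclevel):
    """Constructed configuration mirroring the testUser commands above."""
    return {
        "group": {"defaultgroup": {"mode": "ro", "seclevel": seclevel}},
        "user": {"testUser": {"group": "defaultgroup", "mode": "ro",
                              "auth": {"type": "md5",
                                       "plaintext-key": "testUserKey"}}},
    }
```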