summaryrefslogtreecommitdiff
path: root/data/templates/snmp
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2020-07-11 17:55:21 +0200
committerChristian Poessinger <christian@poessinger.com>2020-07-11 17:55:21 +0200
commitd9c7dfb1e7a8ad4a44b571e3d4b8d87ff3898678 (patch)
treebd9a273b36de1357178cf6c2e13f482c981aac1d /data/templates/snmp
parent8eb65fa66974e2b409fb367fe9fb2c5d65fc8332 (diff)
downloadvyos-1x-d9c7dfb1e7a8ad4a44b571e3d4b8d87ff3898678.tar.gz
vyos-1x-d9c7dfb1e7a8ad4a44b571e3d4b8d87ff3898678.zip
snmp: T2687: precalculate snmpv3 encrypted keys
As of now when adding new credentials for any SNMPv3 user we submit the credential either plaintext or encrypted. A plaintext credential will be hashed by SNMPd in the background and then passed back into the CLI so it's not stored in cleartext. This feels like the wrong way in changing the CLI content with data produced by a 3rd party daemon which implements the service. It feels like the tail wiggles the entire dog. This should be changed in the following way: - After retrieving the plaintext password from CLI, use Python to hash the key in advance - Re-populate the encrypted key into the CLI and drop the plaintext one - Generate service configuration and continue startup of SNMPd This also fixes a race condition when SNMPd started up but not properly provided the hasehd keys in the configuration resulting in a ConfigurationError. Now as we also support binding SNMPd to a VRF this fixes a deadlock situation on bootup as we can only bind late to the VRF and require up to 5 restarts of the service - but the service will never start.
Diffstat (limited to 'data/templates/snmp')
-rw-r--r--data/templates/snmp/etc.snmp.conf.tmpl2
-rw-r--r--data/templates/snmp/etc.snmpd.conf.tmpl83
-rw-r--r--data/templates/snmp/var.snmpd.conf.tmpl6
3 files changed, 43 insertions, 48 deletions
diff --git a/data/templates/snmp/etc.snmp.conf.tmpl b/data/templates/snmp/etc.snmp.conf.tmpl
index 159578906..6e4c6f063 100644
--- a/data/templates/snmp/etc.snmp.conf.tmpl
+++ b/data/templates/snmp/etc.snmp.conf.tmpl
@@ -1,4 +1,4 @@
### Autogenerated by snmp.py ###
-{% if trap_source -%}
+{% if trap_source %}
clientaddr {{ trap_source }}
{% endif %}
diff --git a/data/templates/snmp/etc.snmpd.conf.tmpl b/data/templates/snmp/etc.snmpd.conf.tmpl
index 1659abf93..278506350 100644
--- a/data/templates/snmp/etc.snmpd.conf.tmpl
+++ b/data/templates/snmp/etc.snmpd.conf.tmpl
@@ -32,87 +32,84 @@ sysDescr VyOS {{ version }}
{% if description %}
# Description
SysDescr {{ description }}
-{%- endif %}
+{% endif %}
# Listen
agentaddress unix:/run/snmpd.socket{% if listen_on %}{% for li in listen_on %},{{ li }}{% endfor %}{% else %},udp:161{% if ipv6_enabled %},udp6:161{% endif %}{% endif %}
# SNMP communities
-{%- for c in communities %}
-
-{%- if c.network_v4 %}
-{%- for network in c.network_v4 %}
+{% for c in communities %}
+{% if c.network_v4 %}
+{% for network in c.network_v4 %}
{{ c.authorization }}community {{ c.name }} {{ network }}
-{%- endfor %}
-{%- elif not c.has_source %}
+{% endfor %}
+{% elif not c.has_source %}
{{ c.authorization }}community {{ c.name }}
-{%- endif %}
-
-{%- if c.network_v6 %}
-{%- for network in c.network_v6 %}
+{% endif %}
+{% if c.network_v6 %}
+{% for network in c.network_v6 %}
{{ c.authorization }}community6 {{ c.name }} {{ network }}
-{%- endfor %}
-{%- elif not c.has_source %}
+{% endfor %}
+{% elif not c.has_source %}
{{ c.authorization }}community6 {{ c.name }}
-{%- endif %}
-
-{%- endfor %}
+{% endif %}
+{% endfor %}
{% if contact %}
# system contact information
SysContact {{ contact }}
-{%- endif %}
+{% endif %}
{% if location %}
# system location information
SysLocation {{ location }}
-{%- endif %}
+{% endif %}
-{% if smux_peers -%}
+{% if smux_peers %}
# additional smux peers
-{%- for sp in smux_peers %}
+{% for sp in smux_peers %}
smuxpeer {{ sp }}
-{%- endfor %}
-{%- endif %}
+{% endfor %}
+{% endif %}
-{% if trap_targets -%}
+{% if trap_targets %}
# if there is a problem - tell someone!
-{%- for t in trap_targets %}
-trap2sink {{ t.target }}{% if t.port -%}:{{ t.port }}{% endif %} {{ t.community }}
-{%- endfor %}
-{%- endif %}
+{% for trap in trap_targets %}
+trap2sink {{ trap.target }}{{ ":" + trap.port if trap.port is defined }} {{ trap.community }}
+{% endfor %}
+{% endif %}
-{%- if v3_enabled %}
+{% if v3_enabled %}
#
# SNMPv3 stuff goes here
#
# views
-{%- for v in v3_views %}
-{%- for oid in v.oids %}
-view {{ v.name }} included .{{ oid.oid }}
-{%- endfor %}
-{%- endfor %}
+{% for view in v3_views %}
+{% for oid in view.oids %}
+view {{ view.name }} included .{{ oid.oid }}
+{% endfor %}
+{% endfor %}
# access
# context sec.model sec.level match read write notif
-{%- for g in v3_groups %}
-access {{ g.name }} "" usm {{ g.seclevel }} exact {{ g.view }} {% if g.mode == 'ro' %}none{% else %}{{ g.view }}{% endif %} none
-{%- endfor %}
+{% for group in v3_groups %}
+access {{ group.name }} "" usm {{ group.seclevel }} exact {{ group.view }} {% if group.mode == 'ro' %}none{% else %}{{ group.view }}{% endif %} none
+{% endfor %}
# trap-target
-{%- for t in v3_traps %}
+{% for t in v3_traps %}
trapsess -v 3 {{ '-Ci' if t.type == 'inform' }} -e {{ v3_engineid }} -u {{ t.secName }} -l {{ t.secLevel }} -a {{ t.authProtocol }} {% if t.authPassword %}-A {{ t.authPassword }}{% elif t.authMasterKey %}-3m {{ t.authMasterKey }}{% endif %} -x {{ t.privProtocol }} {% if t.privPassword %}-X {{ t.privPassword }}{% elif t.privMasterKey %}-3M {{ t.privMasterKey }}{% endif %} {{ t.ipProto }}:{{ t.ipAddr }}:{{ t.ipPort }}
-{%- endfor %}
+{% endfor %}
# group
-{%- for u in v3_users %}
+{% for u in v3_users %}
group {{ u.group }} usm {{ u.name }}
-{% endfor %}
-{%- endif %}
+{% endfor %}
+{% endif %}
{% if script_ext %}
# extension scripts
-{%- for ext in script_ext|sort(attribute='name') %}
+{% for ext in script_ext|sort(attribute='name') %}
extend {{ ext.name }} {{ ext.script }}
-{%- endfor %}
+{% endfor %}
{% endif %}
diff --git a/data/templates/snmp/var.snmpd.conf.tmpl b/data/templates/snmp/var.snmpd.conf.tmpl
index 0b8e9f291..6cbc687ef 100644
--- a/data/templates/snmp/var.snmpd.conf.tmpl
+++ b/data/templates/snmp/var.snmpd.conf.tmpl
@@ -3,14 +3,12 @@
{%- for u in v3_users %}
{%- if u.authOID == 'none' %}
createUser {{ u.name }}
-{%- elif u.authPassword %}
-createUser {{ u.name }} {{ u.authProtocol | upper }} "{{ u.authPassword }}" {{ u.privProtocol | upper }} {{ u.privPassword }}
{%- else %}
-usmUser 1 3 {{ v3_engineid }} "{{ u.name }}" "{{ u.name }}" NULL {{ u.authOID }} {{ u.authMasterKey }} {{ u.privOID }} {{ u.privMasterKey }} 0x
+usmUser 1 3 0x{{ v3_engineid }} "{{ u.name }}" "{{ u.name }}" NULL {{ u.authOID }} 0x{{ u.authMasterKey }} {{ u.privOID }} 0x{{ u.privMasterKey }} 0x
{%- endif %}
{%- endfor %}
createUser {{ vyos_user }} MD5 "{{ vyos_user_pass }}" DES
{%- if v3_engineid %}
-oldEngineID {{ v3_engineid }}
+oldEngineID 0x{{ v3_engineid }}
{%- endif %}