Hi All,
I am working in an offline RHEL environment and am seeking a method to secure the snmptrapd.conf file to prevent credentials from being stored in plain text while ensuring the snmptrapd service continues to run seamlessly.
I understand that SNMP v3 provides encryption for transmitted traps, but my primary concern is securing the credentials within the snmptrapd.conf file itself.
Could anyone please advise on any best practices, tools, or methods available to achieve this?
Securing Credentials in snmptrapd.conf on Offline RHEL Server
Re: Securing Credentials in snmptrapd.conf on Offline RHEL Server
Hi @kenneth59,
Taking a look at the man page for snmptrapd.conf, it looks like there is support for creating users with encrypted usernames as well as passwords. Usage from the manual is as follows:
Code:
createUser [-e ENGINEID] username (MD5|SHA|SHA-512|SHA-384|SHA-256|SHA-224) authpassphrase [DES|AES]
See the snmpd.conf(5) manual page for a description of how to create SNMPv3 users. This is roughly the same, but the file name changes to snmptrapd.conf from snmpd.conf.
Let us know if you have any related questions
Re: Securing Credentials in snmptrapd.conf on Offline RHEL Server
Hi @jsimon,
Thank you for your response. Do correct me if I’m mistaken. I checked the following link (http://www.net-snmp.org/docs/man/snmptrapd.conf.html), but I couldn’t find anything related to the method you mentioned. However, upon reviewing http://www.net-snmp.org/docs/man/snmpd.conf.html, I noticed some details in the manual that resemble what you described in your code section. After testing, it seems that this approach prevents the password from being displayed in plain text, but it appears to apply only to polling.
What I’m specifically looking for is a method to avoid storing trap passwords in snmptrapd.conf. Additionally, could you clarify the potential impact of a leaked SNMP trap password? From my understanding, the trap password is used primarily for decrypting traps sent from a server. Other than gaining access to the transmitted trap data, what other risks could this pose?
Re: Securing Credentials in snmptrapd.conf on Offline RHEL Server
It looks like the docs you linked to haven't been updated in quite a while. I see that the version I get when I run
Code:
man 5 snmptrapd.conf
shows me a bit more information about the user setup process, and I would advise referencing the latest version of the documentation to make sure your steps are accurate.
Assuming you are using SNMPv3 for your trap transmission, and using the authPriv configuration, there are two separate passwords in use here.
Code:
createUser [-e ENGINEID] username (MD5|SHA|SHA-512|SHA-384|SHA-256|SHA-224) authpassphrase [DES|AES] [privpassphrase]
authpassphrase is the password used to authenticate the connection
privpassphrase is the password used to encrypt/decrypt the data
It looks like both passwords are hashed and stored, so neither should be available in plain text.
Re: Securing Credentials in snmptrapd.conf on Offline RHEL Server
Hi @jsimon,
When I mentioned the need for credentials to be encrypted, I was referring to ensuring that if someone logs into the server and opens the /etc/snmp/snmptrapd.conf file, they should not be able to view the password in plain text. Is it possible to achieve this level of security?
I would like to clarify the method you mentioned. Does it require saving the credentials in the /etc/snmp/snmptrapd.conf file, similar to the SNMP v3 configuration described in https://support.nagios.com/kb/article/s ... p-493.html?
Code:
#The commands above required the following settings in /etc/snmp/snmptrapd.conf
disableAuthorization yes
traphandle default /usr/sbin/snmptthandler
createUser -e 0x090807060504030201 the_user_name SHA the_SHA_string AES the_AES_string
authUser log,execute,net the_user_name
Re: Securing Credentials in snmptrapd.conf on Offline RHEL Server
This has nothing to do with nagios and while it may help you to ask for support, it might be more useful to ask on an snmp site.
Re: Securing Credentials in snmptrapd.conf on Offline RHEL Server
@kenneth59,
That level of security appears to be what the encryption is explicitly for, according to documentation I was able to find. The password is stored in plain text for a few seconds and then is replaced with the hashed output permanently. I would suggest playing around with the configuration and seeing if you can confirm this. Or, as @kg2857 has suggested, you may find more help posting on snmp-related forums or sites with more questions.
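An added Python example (not from this thread or from net-snmp) of what the "hashed output" that replaces a createUser line actually is: the RFC 3414 password-to-key and key-localization steps for the MD5 and SHA (SHA-1) choices shown in the createUser syntax above, checked against the RFC's own "maplesyrup" test vector. The engine ID and passphrase values are the RFC's test inputs, not anything from this thread.

```python
import hashlib

# RFC 3414 Appendix A.2: the passphrase is fed into the hash, repeated,
# until exactly 1 MiB has been consumed.
EXPAND_TO = 1024 * 1024


def password_to_key(password: bytes, algo: str) -> bytes:
    """Ku: engine-independent key derived from the passphrase."""
    reps = EXPAND_TO // len(password) + 1
    stream = (password * reps)[:EXPAND_TO]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || engineID || Ku): the per-engine key that gets persisted."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def usm_localized_key(passphrase: str, engine_id_hex: str, algo: str = "sha1") -> str:
    """Hex localized key for a createUser line using MD5 or SHA (SHA-1)."""
    ku = password_to_key(passphrase.encode(), algo)
    return localize_key(ku, bytes.fromhex(engine_id_hex), algo).hex()


def aes128_priv_key(privpassphrase: str, engine_id_hex: str, algo: str = "sha1") -> str:
    """AES-128 privacy key: the first 16 bytes of the localized privpassphrase key."""
    return usm_localized_key(privpassphrase, engine_id_hex, algo)[:32]


if __name__ == "__main__":
    # RFC 3414 A.3.2 test vector: passphrase "maplesyrup", engineID 00..02.
    print(usm_localized_key("maplesyrup", "000000000000000000000002", "sha1"))
    # -> 6695febc9288e36282235fc7151f128497b38f3f
```

The caveat this implies for the earlier question about a leaked trap credential: the persisted value is a localized key, i.e. the live key material for that user on that engine ID, not a one-way login hash, so the file net-snmp writes it to still needs root-only permissions.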
Re: Securing Credentials in snmptrapd.conf on Offline RHEL Server
You could also read the snmptrapd documentation. It would probably help the OP to learn a bit rather than just asking others to give them the answer.