
Securing Credentials in snmptrapd.conf on Offline RHEL Server

Posted: Mon Dec 16, 2024 2:01 am
by kenneth59
Hi All,

I am working in an offline RHEL environment and am seeking a method to secure the snmptrapd.conf file to prevent credentials from being stored in plain text while ensuring the snmptrapd service continues to run seamlessly.

I understand that SNMP v3 provides encryption for transmitted traps, but my primary concern is securing the credentials within the snmptrapd.conf file itself.

Could anyone please advise on any best practices, tools, or methods available to achieve this?

Re: Securing Credentials in snmptrapd.conf on Offline RHEL Server

Posted: Tue Dec 17, 2024 4:00 pm
by jsimon
Hi @kenneth59,

Taking a look at the man page for snmptrapd.conf, it looks like there is support for creating users with encrypted usernames as well as passwords. Usage from the manual is as follows:

    createUser [-e  ENGINEID] username (MD5|SHA|SHA-512|SHA-384|SHA-256|SHA-224) authpassphrase [DES|AES]
                  See  the snmpd.conf(5) manual page for a description of how to create SNMPv3 users.  This is roughly the same, but the file
                  name changes to snmptrapd.conf from snmpd.conf.

Let us know if you have any related questions

Re: Securing Credentials in snmptrapd.conf on Offline RHEL Server

Posted: Wed Dec 18, 2024 1:36 am
by kenneth59
Hi @jsimon,

Thank you for your response. Do correct me if I’m mistaken. I checked the following link (http://www.net-snmp.org/docs/man/snmptrapd.conf.html), but I couldn’t find anything related to the method you mentioned. However, upon reviewing http://www.net-snmp.org/docs/man/snmpd.conf.html, I noticed some details in the manual that resemble what you described in your code section. After testing, it seems that this approach prevents the password from being displayed in plain text, but it appears to apply only to polling.

What I’m specifically looking for is a method to avoid storing trap passwords in snmptrapd.conf. Additionally, could you clarify the potential impact of a leaked SNMP trap password? From my understanding, the trap password is used primarily for decrypting traps sent from a server. Other than gaining access to the transmitted trap data, what other risks could this pose?

Re: Securing Credentials in snmptrapd.conf on Offline RHEL Server

Posted: Wed Dec 18, 2024 11:56 am
by jsimon
It looks like the docs you linked to haven't been updated in quite a while. I see that the version I get when I run

    man 5 snmptrapd.conf

shows me a bit more information about the user setup process, and I would advise referencing the latest version of the documentation to make sure your steps are accurate.

Assuming you are using SNMPv3 for your trap transmission, and using the authPriv configuration, there are two separate passwords in use here.

    createUser [-e ENGINEID] username (MD5|SHA|SHA-512|SHA-384|SHA-256|SHA-224) authpassphrase [DES|AES] [privpassphrase]

authpassphrase is the password used to authenticate the connection
privpassphrase is the password used to encrypt/decrypt the data

It looks like both passwords are hashed and stored, so neither should be available in plain text.
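As an added illustration of what "hashed and stored" means here (this is example code, not from the thread or from net-snmp itself): the daemon turns each createUser passphrase into a per-engine localized key using the RFC 3414 algorithm (RFC 7860 for the SHA-2 variants), and it is that key, not the passphrase, that the usmUser entry keeps. The parser below accepts a createUser line in the form quoted in this thread; the input line with its placeholder passphrases is constructed for the demo, and the results can be checked against the RFC 3414 test vectors. Note that a localized key is still the secret the daemon authenticates and decrypts with for that engine ID, so the file holding it needs the same root-only permissions as the original.

```python
"""RFC 3414 password-to-key and key localization, as applied to a createUser line."""
import hashlib
import shlex

# SNMPv3 auth protocol keyword -> hashlib name. The SHA-2 variants follow
# RFC 7860, which reuses the RFC 3414 algorithm with the stronger hash.
HASHES = {"MD5": "md5", "SHA": "sha1", "SHA-224": "sha224", "SHA-256": "sha256",
          "SHA-384": "sha384", "SHA-512": "sha512"}


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: hash the passphrase repeated cyclically out to 1 MiB -> Ku."""
    stream = (password * (1048576 // len(password) + 1))[:1048576]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku); binds the key to one engine."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_keys(create_user_line: str) -> dict:
    """Parse a 'createUser -e ENGINEID user PROTO authpass [DES|AES] [privpass]'
    line and return the localized keys the daemon keeps in place of the passphrases."""
    parts = shlex.split(create_user_line)
    if parts[0] != "createUser" or parts[1] != "-e":
        raise ValueError("expected: createUser -e ENGINEID ...")
    engine_id = bytes.fromhex(parts[2][2:])            # strip the 0x prefix
    user, hash_name, auth_pass = parts[3], HASHES[parts[4]], parts[5].encode()
    out = {"user": user, "engine_id": parts[2],
           "auth_key": localize_key(password_to_key(auth_pass, hash_name),
                                    engine_id, hash_name).hex()}
    if len(parts) > 6:                                  # optional [DES|AES] [privpass]
        # snmpd.conf(5): the auth passphrase is reused when no priv passphrase is given
        priv_pass = (parts[7] if len(parts) > 7 else parts[5]).encode()
        kul = localize_key(password_to_key(priv_pass, hash_name), engine_id, hash_name)
        out["priv_proto"] = parts[6]
        out["priv_key"] = kul[:16].hex()                # DES and AES-128 use 16 octets
    return out


if __name__ == "__main__":
    # Constructed input: the placeholder line quoted later in this thread.
    LINE = ("createUser -e 0x090807060504030201 the_user_name "
            "SHA the_SHA_string AES the_AES_string")
    print(localized_keys(LINE))
```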

Re: Securing Credentials in snmptrapd.conf on Offline RHEL Server

Posted: Wed Dec 18, 2024 8:54 pm
by kenneth59
Hi @jsimon,
jsimon wrote: Wed Dec 18, 2024 11:56 am
    createUser [-e ENGINEID] username (MD5|SHA|SHA-512|SHA-384|SHA-256|SHA-224) authpassphrase [DES|AES] [privpassphrase]
I would like to clarify the method you mentioned. Does it require saving the credentials in the /etc/snmp/snmptrapd.conf file, similar to the SNMP v3 configuration described in https://support.nagios.com/kb/article/s ... p-493.html?

    #The commands above required the following settings in /etc/snmp/snmptrapd.conf
    disableAuthorization yes
    traphandle default /usr/sbin/snmptthandler
    createUser -e 0x090807060504030201 the_user_name SHA the_SHA_string AES the_AES_string
    authUser log,execute,net the_user_name

When I mentioned the need for credentials to be encrypted, I was referring to ensuring that if someone logs into the server and opens the /etc/snmp/snmptrapd.conf file, they should not be able to view the password in plain text. Is it possible to achieve this level of security?

Re: Securing Credentials in snmptrapd.conf on Offline RHEL Server

Posted: Thu Dec 19, 2024 1:40 am
by kg2857
This has nothing to do with Nagios and while it may help you to ask for support, it might be more useful to ask on an SNMP site.

Re: Securing Credentials in snmptrapd.conf on Offline RHEL Server

Posted: Thu Dec 19, 2024 10:37 am
by jsimon
@kenneth59,

That level of security appears to be what the encryption is explicitly for, according to documentation I was able to find. The password is stored in plain text for a few seconds and then is replaced with the hashed output permanently. I would suggest playing around with the configuration and seeing if you can confirm this. Or, as @kg2857 has suggested, you may find more help posting on snmp-related forums or sites with more questions.

Re: Securing Credentials in snmptrapd.conf on Offline RHEL Server

Posted: Mon Dec 23, 2024 10:14 pm
by kenneth59
Hi @jsimon and @kg2857,

Thank you very much for your help. I’ll follow your suggestion and check on SNMP-related forums.

Re: Securing Credentials in snmptrapd.conf on Offline RHEL Server

Posted: Mon Dec 23, 2024 11:05 pm
by kg2857
You could also read the snmptrapd documentation. It would probably help the OP to learn a bit rather than just asking others to give them the answer.