Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create SNMPv3 user with keys (hashes) in lieu of passphrases #172

Open
lnemsick-simp opened this issue Dec 4, 2018 · 3 comments
Open

Create SNMPv3 user with keys (hashes) in lieu of passphrases #172

lnemsick-simp opened this issue Dec 4, 2018 · 3 comments
Labels
enhancement New feature or request

Comments

@lnemsick-simp
Copy link

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 5.5.x
  • Ruby: 2.4.4
  • Distribution: CentOS 7, CentOS 6
  • Module version: v4.1.0

How to reproduce (e.g Puppet code you use)

snmp::snmpv3_user only allows a user to be specified with plain text authpass and privpass passphrases. This means that these passphrases will exist in either a Puppet manifest or a Hieradata file. That persistence has been identified as a security risk.

Per the snmpd.conf man page, the createUser directive used in https://github.com/voxpupuli/puppet-snmp/blob/v4.1.0/manifests/snmpv3_user.pp#L42 and https://github.com/voxpupuli/puppet-snmp/blob/v4.1.0/manifests/snmpv3_user.pp#L43 does have a form that allows the passphrase hashes to be specified instead of the passphrases. That form requires the use of the '-l' or '-m' options.
Unfortunately, I cannot see a way to specify/inject those options in the existing sinmp::snmpv3_user code.

What are you seeing

Plain text passphrases persisted in manifests or Hieradata files.

What behaviour did you expect instead

Ability to add a user with hashed passphrases instead of plain text passphrases, so that hashed passphrases are persisted in manifests or Hieradata files.

Also, since the logic to generate these salted hashes is already available in a combination of the snmpv3_user fact and the snmp::snmpv3_usm_hash function, as a bonus, it would be really helpful if that code was also packaged a standalone salted-hash-generator script.

Output log

N/A

Any additional information you'd like to impart
@Dan33l
Copy link
Member

Dan33l commented Dec 4, 2018

Hi @lnemsick-simp , if you store password in clear text, for sure this is an security risk. But since it is possible to store an encrypted data in hiera datafile, why do not you use this possibility?

@juniorsysadmin juniorsysadmin added the enhancement New feature or request label Dec 5, 2018
@trevor-vaughan
Copy link

@Dan33l Since the underlying application supports this format, it would be ideal to be able to pass it in via the puppet module both for completeness and for being able to keep a password out of all version control unnecessarily.

@Dan33l
Copy link
Member

Dan33l commented Dec 6, 2018

@trevor-vaughan Feel free to propose a PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@trevor-vaughan @juniorsysadmin @Dan33l @lnemsick-simp