net-snmp-create-v3-user quoting an empty privpass leads to error #86

ChrisCheney opened this issue Mar 24, 2020 · 3 comments

ChrisCheney commented Mar 24, 2020

createUser privpass is optional as shown in 'man snmpd.conf'

createUser [-e ENGINEID] username (MD5|SHA|SHA-512|SHA-384|SHA-256|SHA-224) authpassphrase [DES|AES] [privpassphrase]
If the privacy passphrase is not specified, it is assumed to be the same as the authentication passphrase.

However, in fixing bug #2812 privpass is quoted even when it is empty:

https://sourceforge.net/p/net-snmp/bugs/2812/

https://sourceforge.net/p/net-snmp/code/ci/e5ad10de8e175e443351be3e14e87067ff9bded8

This leads to this error:

# net-snmp-create-v3-user -A testpass -a SHA -x AES testuser
adding the following line to /var/lib/net-snmp/snmpd.conf:
   createUser testuser SHA "testpass" AES ""
adding the following line to /etc/snmp/snmpd.conf:
   rwuser testuser

/var/lib/net-snmp/snmpd.conf

 createUser testuser SHA "testpass" AES ""
# systemctl start snmpd
# systemctl status snmpd
● snmpd.service - Simple Network Management Protocol (SNMP) Daemon.
   Loaded: loaded (/usr/lib/systemd/system/snmpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2020-03-24 17:36:22 CDT; 4s ago
 Main PID: 3167 (snmpd)
    Tasks: 1
   Memory: 12.8M
   CGroup: /system.slice/snmpd.service
           └─3167 /usr/sbin/snmpd -LS0-6d -f

Mar 24 17:36:22 localhost.localdomain systemd[1]: Starting Simple Network Management Protocol (SNMP) Daemon....
Mar 24 17:36:22 localhost.localdomain snmpd[3167]: Error: passphrase chosen is below the length requirements of the USM (min=8).
Mar 24 17:36:22 localhost.localdomain snmpd[3167]: /var/lib/net-snmp/snmpd.conf: line 53: Error: could not generate the privacy key from the supplied pass phrase.
Mar 24 17:36:22 localhost.localdomain snmpd[3167]: net-snmp: 1 error(s) in config file(s)
Mar 24 17:36:22 localhost.localdomain snmpd[3167]: NET-SNMP version 5.8
Mar 24 17:36:22 localhost.localdomain systemd[1]: Started Simple Network Management Protocol (SNMP) Daemon..

And so it does not actually create the user.

If I manually delete the "" in /var/lib/net-snmp/snmpd.conf and then start it, it works.

Either createUser needs to check for blank passwords and ignore them or net-snmp-create-v3-user should check for blank passwords and not add the "" to /var/lib/net-snmp/snmpd.conf.
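
The condition reported above can be checked for before snmpd is started. The script below is an added example, not part of the issue or of net-snmp: it flags `createUser` lines whose authentication or privacy passphrase is shorter than the USM minimum of 8 shown in the log. It assumes passphrases are bare words or double-quoted without embedded quotes, and that only the optional `-e ENGINEID` precedes the user name; the function names and sample lines are constructed.

```shell
#!/bin/sh
# Added example, not part of net-snmp. Constructed sample input at the bottom.
# Assumes passphrases are bare words or double-quoted with no embedded quotes,
# and that only the optional -e ENGINEID precedes the user name.
USM_MIN=8   # minimum length taken from the snmpd error quoted in the issue

# check_createuser LINE: prints "ok", "skip" (not a createUser line) or "bad: ..."
check_createuser() {
    printf '%s\n' "$1" | awk -v min="$USM_MIN" '{
        n = 0; s = $0
        # Tokenise, keeping "" as an explicit empty token.
        while (match(s, /^[ \t]*("[^"]*"|[^ \t"]+)/)) {
            tok = substr(s, 1, RLENGTH); s = substr(s, RLENGTH + 1)
            sub(/^[ \t]+/, "", tok)
            if (tok ~ /^"/) tok = substr(tok, 2, length(tok) - 2)
            t[++n] = tok
        }
        if (t[1] != "createUser") { print "skip"; exit }
        i = (t[2] == "-e") ? 4 : 2           # index of the user name
        if (n < i + 2) { print "bad: " t[i] ": no auth passphrase"; exit }
        if (length(t[i + 2]) < min + 0) {
            print "bad: " t[i] ": auth passphrase shorter than " min; exit
        }
        # The privacy passphrase is optional: check it only if a token exists.
        if (n >= i + 4 && length(t[i + 4]) < min + 0) {
            print "bad: " t[i] ": priv passphrase shorter than " min; exit
        }
        print "ok"
    }'
}

# scan_conf: read snmpd.conf text on stdin, report bad lines, return 1 if any.
scan_conf() {
    rc=0; lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        result=$(check_createuser "$line")
        case $result in
            bad:*) echo "line $lineno: ${result#bad: }"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: line 1 is the form the issue reports, line 2 the fixed form.
scan_conf <<'EOF' || true
createUser testuser SHA "testpass" AES ""
createUser testuser SHA "testpass" AES
EOF
```

Run against the persistent file with `scan_conf < /var/lib/net-snmp/snmpd.conf`; a non-zero return means at least one user would not be created.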

Contributor

jridky commented Nov 18, 2020

I believe this could do the trick. @bvanassche what do you think?

diff -urNp a/net-snmp-create-v3-user.in b/net-snmp-create-v3-user.in
--- a/net-snmp-create-v3-user.in	2020-11-18 08:15:12.798038671 +0100
+++ b/net-snmp-create-v3-user.in	2020-11-18 08:17:32.241491132 +0100
@@ -124,7 +124,11 @@ fi
 fi
 outdir="@PERSISTENT_DIRECTORY@"
 outfile="$outdir/snmpd.conf"
-line="createUser $user $Aalgorithm \"$apassphrase\" $Xalgorithm \"$xpassphrase\""
+if test "x$xpassphrase" = "x" ; then
+    line="createUser $user $Aalgorithm \"$apassphrase\" $Xalgorithm"
+else
+    line="createUser $user $Aalgorithm \"$apassphrase\" $Xalgorithm \"$xpassphrase\""
+fi
 echo "adding the following line to $outfile:"
 echo "  " $line
 # in case it hasn't ever been started yet, start it.
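
Review bot: the new `test "x$xpassphrase" = "x"` branch only handles an empty privacy passphrase; nothing in this hunk checks length, so a non-empty `$xpassphrase` (or `$apassphrase`) shorter than the USM minimum of 8 reported in the snmpd log is still written to `$outfile` by the else branch. Consider rejecting short values for both variables before `line=` is built, so the script fails when the user is created rather than when the daemon next reads the file. A one-line comment on the first branch would also help: the emitted line still names `$Xalgorithm`, and per the man page text quoted in the report the privacy passphrase is then assumed to be the same as the authentication passphrase, which is worth stating where the argument is dropped.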

bvanassche pushed a commit that referenced this issue Nov 19, 2020
See also #86.

Fixes: e5ad10d ("Quote provided encryption key in createUser line")
Reported-by: Chris Cheney
@bvanassche
Contributor

Please take a look at commit 09a0c90.

Contributor

jridky commented Nov 19, 2020

Looks great. Thank you.
