SNMPv3 Password Question
Moderators: Developers, Moderators
SNMPv3 Password Question
Wondering if someone can assist me here.
I have cacti running with thold/monitor.
Now all my hosts are using snmp v1 and v2 so there is no need for usernames/passwords for snmp.
Now out of pure co-incidance i went through the cacti db and found the following....
In table poller_item there is a field called snmp_password
Also table host field snmp_password.
(Have not verified any others yet.)
In that field in clear text for all too see is the admin password to some of my boxes!!!!!!!!!!!!! Where the @#$ is this comming from?
I did NOT fill in any snmp password fields in my current hosts as they dont require it, where is this being populated from?
HELLLLPPP
I have cacti running with thold/monitor.
Now all my hosts are using snmp v1 and v2 so there is no need for usernames/passwords for snmp.
Now out of pure co-incidance i went through the cacti db and found the following....
In table poller_item there is a field called snmp_password
Also table host field snmp_password.
(Have not verified any others yet.)
In that field in clear text for all too see is the admin password to some of my boxes!!!!!!!!!!!!! Where the @#$ is this comming from?
I did NOT fill in any snmp password fields in my current hosts as they dont require it, where is this being populated from?
HELLLLPPP
- rony
- Developer/Forum Admin
- Posts: 6022
- Joined: Mon Nov 17, 2003 6:35 pm
- Location: Michigan, USA
- Contact:
Passwords for snmp communities are clear text in the database, how else would you suggest we store them? Encrypt them, yah, ok, then decrypt would be available in the source code.
Also, I changed your subject.
Also, I changed your subject.
[size=117][i][b]Tony Roman[/b][/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
- TheWitness
- Developer
- Posts: 17047
- Joined: Tue May 14, 2002 5:08 pm
- Location: MI, USA
- Contact:
These passwords are for snmpv3 and are stored this way. However, only an #@%^ would make that password anything other than Read Only. Do you know what you are doing here?
TheWitness
TheWitness
True understanding begins only when we realize how little we truly understand...
Life is an adventure, let yours begin with Cacti!
Author of dozens of Cacti plugins and customization's. Advocate of LAMP, MariaDB, IBM Spectrum LSF and the world of batch. Creator of IBM Spectrum RTM, author of quite a bit of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
GitHub Repository with Supported Plugins
Percona Device Packages (no support)
Interesting Device Packages
For those wondering, I'm still here, but lost in the shadows. Yearning for less bugs. Who want's a Cacti 1.3/2.0? Streams anyone?
Life is an adventure, let yours begin with Cacti!
Author of dozens of Cacti plugins and customization's. Advocate of LAMP, MariaDB, IBM Spectrum LSF and the world of batch. Creator of IBM Spectrum RTM, author of quite a bit of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
GitHub Repository with Supported Plugins
Percona Device Packages (no support)
Interesting Device Packages
For those wondering, I'm still here, but lost in the shadows. Yearning for less bugs. Who want's a Cacti 1.3/2.0? Streams anyone?
....
Lol, looks like half the people misunderstood the situation.....
I don't really care how the snmp v3 passwords are stored in the db.
As ive mentioned i don't even use snmp v3 ANYWHERE on my entire network only v1 and 2...
However somehow these feilds are being populated and worse yet with the same pass as some of my boxes admin password...
After some research i did see the issue that Firefox autocomplete is doing this however assumed it can't be as patch was included in Version 0.8.7d.
Am i mistaken? I am currently running Version 0.8.7d of cacti and assumed it cannot be from this.....
And yes i am using Firefox 3.0.8....
Input?
cigamit: Thanks For Directing Post in Right Direction..
I don't really care how the snmp v3 passwords are stored in the db.
As ive mentioned i don't even use snmp v3 ANYWHERE on my entire network only v1 and 2...
However somehow these feilds are being populated and worse yet with the same pass as some of my boxes admin password...
After some research i did see the issue that Firefox autocomplete is doing this however assumed it can't be as patch was included in Version 0.8.7d.
Am i mistaken? I am currently running Version 0.8.7d of cacti and assumed it cannot be from this.....
And yes i am using Firefox 3.0.8....
Input?
cigamit: Thanks For Directing Post in Right Direction..
- TheWitness
- Developer
- Posts: 17047
- Joined: Tue May 14, 2002 5:08 pm
- Location: MI, USA
- Contact:
I see. Then, goto Console->Settings->General and change the default snmpv3 password in the two fields attached.
Those values were likely incorrectly filled in by someone with the admin users password. The values you provide there, will be stored in the database. Please confirm that this corrects your situation.
Otherwise, this might be FF3.x messing with the form in which case we have another problem.
TheWitness
Those values were likely incorrectly filled in by someone with the admin users password. The values you provide there, will be stored in the database. Please confirm that this corrects your situation.
Otherwise, this might be FF3.x messing with the form in which case we have another problem.
TheWitness
True understanding begins only when we realize how little we truly understand...
Life is an adventure, let yours begin with Cacti!
Author of dozens of Cacti plugins and customization's. Advocate of LAMP, MariaDB, IBM Spectrum LSF and the world of batch. Creator of IBM Spectrum RTM, author of quite a bit of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
GitHub Repository with Supported Plugins
Percona Device Packages (no support)
Interesting Device Packages
For those wondering, I'm still here, but lost in the shadows. Yearning for less bugs. Who want's a Cacti 1.3/2.0? Streams anyone?
Life is an adventure, let yours begin with Cacti!
Author of dozens of Cacti plugins and customization's. Advocate of LAMP, MariaDB, IBM Spectrum LSF and the world of batch. Creator of IBM Spectrum RTM, author of quite a bit of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
GitHub Repository with Supported Plugins
Percona Device Packages (no support)
Interesting Device Packages
For those wondering, I'm still here, but lost in the shadows. Yearning for less bugs. Who want's a Cacti 1.3/2.0? Streams anyone?
Yes, I see the original line of code that Gandalf put in which I thought had taken care of this.
-bug: host save failed in FireFox 3 for non-SNMP V3 hosts, complaining about "password mismatch"
http://svn.cacti.net/viewvc/cacti/branc ... threv=4621
This stopped the "mismatched' password error, but now Cacti just blinding takes what Firefox fills in the SNMP v3 field and sticks it in the database (even though it is hidden because you are using v2, and even though the 2nd matching password field is blank).
Instead, we should be checking to see if you are using v3, and if not, don't include the password field in the save array (or even blank them out to help remove the old passwords from the database.)
-bug: host save failed in FireFox 3 for non-SNMP V3 hosts, complaining about "password mismatch"
http://svn.cacti.net/viewvc/cacti/branc ... threv=4621
This stopped the "mismatched' password error, but now Cacti just blinding takes what Firefox fills in the SNMP v3 field and sticks it in the database (even though it is hidden because you are using v2, and even though the 2nd matching password field is blank).
Instead, we should be checking to see if you are using v3, and if not, don't include the password field in the save array (or even blank them out to help remove the old passwords from the database.)
Attached is a patch which will resolve the issue going forward for you. Ideally, I would think we would apply this at the API level, but this works too.
Run this SQL command to remove all current usernames / passwords from the host table.And then do a rebuild of your Poller Cache.
Run this SQL command to remove all current usernames / passwords from the host table.
Code: Select all
UPDATE host SET snmp_username = "", snmp_password = "" WHERE snmp_version <> 3
- Attachments
-
- firefox_snmp3password.patch
- (648 Bytes) Downloaded 185 times
Thank You
Thank You!
This led too the solution for me!
This led too the solution for me!
Who is online
Users browsing this forum: No registered users and 1 guest