SNMPv3 Password Question

Post general support questions here that do not specifically fall into the Linux or Windows categories.

Moderators: Developers, Moderators

Post Reply
thavinci
Posts: 26
Joined: Tue Nov 06, 2007 12:14 pm
Location: JHB
Contact:

SNMPv3 Password Question

Post by thavinci »

Wondering if someone can assist me here.

I have cacti running with thold/monitor.

Now all my hosts are using snmp v1 and v2 so there is no need for usernames/passwords for snmp.
Now out of pure co-incidance i went through the cacti db and found the following....


In table poller_item there is a field called snmp_password
Also table host field snmp_password.
(Have not verified any others yet.)

In that field in clear text for all too see is the admin password to some of my boxes!!!!!!!!!!!!! Where the @#$ is this comming from?

I did NOT fill in any snmp password fields in my current hosts as they dont require it, where is this being populated from?


HELLLLPPP
meralias
Posts: 46
Joined: Tue Nov 14, 2006 7:07 am

Post by meralias »

The last time that I saw that, it was because I was using a browser with auto-completion of forms and I had accidentally saved a password in the default SNMP settings.
User avatar
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA
Contact:

Post by rony »

Passwords for snmp communities are clear text in the database, how else would you suggest we store them? Encrypt them, yah, ok, then decrypt would be available in the source code.

Also, I changed your subject.
[size=117][i][b]Tony Roman[/b][/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
User avatar
TheWitness
Developer
Posts: 17047
Joined: Tue May 14, 2002 5:08 pm
Location: MI, USA
Contact:

Post by TheWitness »

These passwords are for snmpv3 and are stored this way. However, only an #@%^ would make that password anything other than Read Only. Do you know what you are doing here?

TheWitness
True understanding begins only when we realize how little we truly understand...

Life is an adventure, let yours begin with Cacti!

Author of dozens of Cacti plugins and customization's. Advocate of LAMP, MariaDB, IBM Spectrum LSF and the world of batch. Creator of IBM Spectrum RTM, author of quite a bit of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
GitHub Repository with Supported Plugins
Percona Device Packages (no support)
Interesting Device Packages


For those wondering, I'm still here, but lost in the shadows. Yearning for less bugs. Who want's a Cacti 1.3/2.0? Streams anyone?
cigamit
Developer
Posts: 3369
Joined: Thu Apr 07, 2005 3:29 pm
Location: B/CS Texas
Contact:

Post by cigamit »

Let me guess, you use Firefox 3? And you saved your password to login to Cacti? It auto-fills in the "hidden" SNMP v3 password field, I believe Larry patched around this in v0.8.7d.
thavinci
Posts: 26
Joined: Tue Nov 06, 2007 12:14 pm
Location: JHB
Contact:

....

Post by thavinci »

Lol, looks like half the people misunderstood the situation.....


I don't really care how the snmp v3 passwords are stored in the db.
As ive mentioned i don't even use snmp v3 ANYWHERE on my entire network only v1 and 2...

However somehow these feilds are being populated and worse yet with the same pass as some of my boxes admin password...


After some research i did see the issue that Firefox autocomplete is doing this however assumed it can't be as patch was included in Version 0.8.7d.

Am i mistaken? I am currently running Version 0.8.7d of cacti and assumed it cannot be from this.....

And yes i am using Firefox 3.0.8....

Input?

cigamit: Thanks For Directing Post in Right Direction..
User avatar
TheWitness
Developer
Posts: 17047
Joined: Tue May 14, 2002 5:08 pm
Location: MI, USA
Contact:

Post by TheWitness »

I see. Then, goto Console->Settings->General and change the default snmpv3 password in the two fields attached.

Those values were likely incorrectly filled in by someone with the admin users password. The values you provide there, will be stored in the database. Please confirm that this corrects your situation.

Otherwise, this might be FF3.x messing with the form in which case we have another problem.

TheWitness
True understanding begins only when we realize how little we truly understand...

Life is an adventure, let yours begin with Cacti!

Author of dozens of Cacti plugins and customization's. Advocate of LAMP, MariaDB, IBM Spectrum LSF and the world of batch. Creator of IBM Spectrum RTM, author of quite a bit of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
GitHub Repository with Supported Plugins
Percona Device Packages (no support)
Interesting Device Packages


For those wondering, I'm still here, but lost in the shadows. Yearning for less bugs. Who want's a Cacti 1.3/2.0? Streams anyone?
cigamit
Developer
Posts: 3369
Joined: Thu Apr 07, 2005 3:29 pm
Location: B/CS Texas
Contact:

Post by cigamit »

Yes, I see the original line of code that Gandalf put in which I thought had taken care of this.

-bug: host save failed in FireFox 3 for non-SNMP V3 hosts, complaining about "password mismatch"
http://svn.cacti.net/viewvc/cacti/branc ... threv=4621

This stopped the "mismatched' password error, but now Cacti just blinding takes what Firefox fills in the SNMP v3 field and sticks it in the database (even though it is hidden because you are using v2, and even though the 2nd matching password field is blank).

Instead, we should be checking to see if you are using v3, and if not, don't include the password field in the save array (or even blank them out to help remove the old passwords from the database.)
cigamit
Developer
Posts: 3369
Joined: Thu Apr 07, 2005 3:29 pm
Location: B/CS Texas
Contact:

Post by cigamit »

Attached is a patch which will resolve the issue going forward for you. Ideally, I would think we would apply this at the API level, but this works too.

Run this SQL command to remove all current usernames / passwords from the host table.

Code: Select all

UPDATE host SET snmp_username = "", snmp_password = "" WHERE snmp_version <> 3
And then do a rebuild of your Poller Cache.
Attachments
firefox_snmp3password.patch
(648 Bytes) Downloaded 185 times
thavinci
Posts: 26
Joined: Tue Nov 06, 2007 12:14 pm
Location: JHB
Contact:

Thank You

Post by thavinci »

Thank You!

This led too the solution for me!
Post Reply

Who is online

Users browsing this forum: No registered users and 2 guests