
Missing Authentication and Privacy Protocol Fields in SNMPv3 Configuration (OPNsense 25.1.6) NET-SNMP

Open: ErnatTLB opened this issue 8 months ago • 1 comment

Bug Report: Missing Authentication and Privacy Protocol Fields in SNMPv3 Configuration (OPNsense 25.1.6)

Bug Description

In OPNsense 25.1.6 with the NET-SNMP plugin installed, the SNMPv3 configuration interface is missing critical fields for specifying the Authentication Protocol and Privacy Protocol. This prevents proper configuration of SNMPv3 for monitoring tools such as Zabbix that require these parameters to be explicitly defined.

Environment

  • OPNsense Version: 25.1.6
  • Plugin: NET-SNMP (latest version available through OPNsense package manager)
  • Monitoring Tool: Zabbix (unable to query the device due to this issue)

Steps to Reproduce

  1. Install OPNsense 25.1.6
  2. Install the NET-SNMP plugin via System > Firmware > Plugins
  3. Navigate to Services > NET-SNMP
  4. Go to the SNMPv3 Users tab and add a new user
  5. Observe that while fields for username, password, and encryption key are present, the fields for Authentication Protocol (e.g., SHA, MD5) and Privacy Protocol (e.g., AES, DES) are missing

Expected Behavior

The SNMPv3 user configuration form should include dropdown menus or fields for:

  • Authentication Protocol (with options like SHA, MD5, etc.)
  • Privacy Protocol (with options like AES, DES, etc.)

These fields are standard in SNMPv3 configurations and are required by monitoring tools like Zabbix to establish secure communication.

Actual Behavior

The configuration interface only offers fields for username, password, and encryption key. There is no way to specify which authentication or privacy protocols should be used, making it impossible to properly configure SNMPv3 through the web interface.

Impact

Without the ability to specify these protocols, monitoring tools like Zabbix cannot query the OPNsense device using SNMPv3. This creates a security vulnerability, as administrators may be forced to use less secure SNMP versions (v1 or v2c) or must resort to manually editing configuration files, which is error-prone and not supported by the OPNsense interface.

Workaround

Currently, the only workaround is to manually edit the SNMP configuration file via SSH by:

  1. Accessing OPNsense via SSH
  2. Editing the file /etc/snmp/snmpd.conf or /usr/local/etc/snmp/snmpd.conf
  3. Manually adding configuration lines for SNMPv3 users with specific protocols
  4. Restarting the SNMP service

This workaround is not ideal as it requires command-line access and may be overwritten during updates or when changes are made through the web interface.

Suggested Fix

Add the missing fields to the SNMPv3 user configuration interface:

  1. Add a dropdown menu for "Authentication Protocol" with options like:

    • None
    • MD5
    • SHA
    • SHA-224
    • SHA-256
    • SHA-384
    • SHA-512
  2. Add a dropdown menu for "Privacy Protocol" with options like:

    • None
    • DES
    • AES-128
    • AES-192
    • AES-256

Additional Information

This issue appears to be similar to other SNMPv3 configuration issues reported for different systems, such as the one described in OCS Inventory (GitHub issue #1174), where missing authentication and privacy protocol specifications prevented SNMPv3 functionality.

Thank you for considering this bug report. Please let me know if you need any additional information or clarification.

ErnatTLB, May 15 '25 07:05
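The manual workaround described in the report, as an added example that is not part of the original issue or of the OPNsense plugin: a POSIX sh helper that validates the chosen protocols and prints the net-snmp `createUser` and `rouser` directives for one read-only authPriv user. The helper name `snmpv3_user_lines`, the user name `zbxmon` and the passphrases are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not OPNsense plugin code. snmpv3_user_lines is a hypothetical
# helper; createUser and rouser are directives from net-snmp's snmpd.conf(5).

snmpv3_user_lines() {
    user=$1 auth_proto=$2 auth_pass=$3 priv_proto=$4 priv_pass=$5

    [ -n "$user" ] || { echo "error: empty user name" >&2; return 1; }

    # Authentication protocols that createUser accepts.
    case $auth_proto in
        SHA|SHA-224|SHA-256|SHA-384|SHA-512) ;;
        MD5) echo "warning: MD5 is a weak authentication protocol" >&2 ;;
        *) echo "error: unknown auth protocol '$auth_proto'" >&2; return 1 ;;
    esac

    # Privacy protocols; in a stock net-snmp build AES means AES-128.
    case $priv_proto in
        AES) ;;
        DES) echo "warning: DES is a weak privacy protocol" >&2 ;;
        *) echo "error: unknown privacy protocol '$priv_proto'" >&2; return 1 ;;
    esac

    for value in "$user" "$auth_pass" "$priv_pass"; do
        # Keep each value a single unquoted token on the config line.
        case $value in
            *" "*|*'"'*|*"'"*)
                echo "error: spaces and quotes are not allowed" >&2; return 1 ;;
        esac
    done

    # net-snmp refuses passphrases shorter than 8 characters.
    for pass in "$auth_pass" "$priv_pass"; do
        [ "${#pass}" -ge 8 ] || { echo "error: passphrase under 8 characters" >&2; return 1; }
    done

    # createUser defines the USM user; "rouser ... priv" grants read-only
    # access and requires both authentication and encryption (authPriv).
    printf 'createUser %s %s %s %s %s\n' \
        "$user" "$auth_proto" "$auth_pass" "$priv_proto" "$priv_pass"
    printf 'rouser %s priv\n' "$user"
}

# Constructed sample values, for illustration only.
snmpv3_user_lines zbxmon SHA-256 'Constructed-Auth-1' AES 'Constructed-Priv-1'
```

The two printed lines are what step 3 of the workaround adds to the snmpd.conf file; the monitoring tool then has to be configured with the same user name, protocols and passphrases.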