Cannot use valid SNMPv3 passphrases with special characters in NET-SNMP plugin (UI validation too strict)
Hi,
I'm facing an issue with the OPNsense 25.1.6 NET-SNMP plugin when configuring SNMPv3 users.
The web interface refuses to accept certain SNMPv3 passphrases that contain special characters like #, $, @, etc., even though these passphrases are fully valid and already in use across multiple systems (Linux servers, network devices, etc.).
This creates a major interoperability issue: I cannot change the SNMPv3 credentials just for OPNsense, as they are standardized and in production use elsewhere.
Example:
I attempted to configure:
- Auth passphrase: P@ssw#rd123$
- Priv passphrase: My$Priv#Key!
These passphrases:
- Meet SNMPv3 requirements (≥8 characters, printable ASCII)
- Work correctly in other systems running net-snmp
- Are accepted if added manually to /usr/local/etc/snmp/snmpd.conf
However, the OPNsense GUI rejects them as invalid due to restrictive input validation. This appears to be a frontend or backend validation issue, not a limitation of net-snmp itself.
Why this is a problem:
- SNMPv3 is used in centralized monitoring systems.
- Credentials must be consistent across monitored devices.
- Changing the password just for OPNsense breaks standardization and adds unnecessary complexity.
Request:
Please consider updating the UI validation logic to match what net-snmp actually supports – namely, accepting all printable ASCII characters (as long as the passphrase is ≥8 characters). Alternatively, a documented list of accepted characters would also help.
Currently, the only workaround is to manually edit /var/etc/snmpd.conf after configuration, which is overwritten by the GUI at every change.
Thanks for your attention and for the excellent work on OPNsense!
Thank you for creating an issue. Since the ticket doesn't seem to be using one of our templates, we're marking this issue as low priority until further notice.
For more information about the policies for this repository, please read https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md for further details.
The easiest option to gain traction is to close this ticket and open a new one using one of our templates.
@ErnatTLB
Hello there,
These are supported: 0-9a-zA-Z._-!$%/()+#= (the error message shows that)
From the ones you mention, only @ is missing.
Technically the list could be 0-9a-zA-Z`~!@#$%^&*()-_=+|[{}];:'",<.>/? but many implementations don't support most of them and some only support letters and numbers.
If I create a PR with all of those, will you help validate them?
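An added example, not part of the thread or the plugin's code: it checks a passphrase against the character set quoted in the reply above and against the "printable ASCII, at least 8 characters" rule from the request, and reports which characters the GUI set would reject. The reading of the quoted set, the 0x20-0x7E range for printable ASCII, and the function names are assumptions.

```python
import string

# Set quoted in the reply: 0-9a-zA-Z._-!$%/()+#=
# Assumption: read as digits, ASCII letters and the listed punctuation;
# the plugin's real validation mask is not shown on the page.
GUI_ALLOWED = set(string.digits + string.ascii_letters + "._-!$%/()+#=")

# Assumption: "printable ASCII" taken as 0x20..0x7E.
PRINTABLE_ASCII = {chr(c) for c in range(0x20, 0x7F)}

MIN_LEN = 8  # minimum passphrase length stated in the issue


def audit(passphrase):
    """Evaluate one passphrase under both rules and list offending characters."""
    chars = set(passphrase)
    gui_rejected = sorted(chars - GUI_ALLOWED)
    non_printable = sorted(chars - PRINTABLE_ASCII)
    length_ok = len(passphrase) >= MIN_LEN
    return {
        "length_ok": length_ok,
        "printable_rule_ok": length_ok and not non_printable,
        "gui_ok": length_ok and not gui_rejected,
        "gui_rejected": gui_rejected,
    }


def gap():
    """Printable characters the request would accept but the GUI set does not."""
    return "".join(sorted(PRINTABLE_ASCII - GUI_ALLOWED))


if __name__ == "__main__":
    # The two example passphrases from the issue text.
    for candidate in ("P@ssw#rd123$", "My$Priv#Key!"):
        result = audit(candidate)
        print(f"{candidate!r}: gui_ok={result['gui_ok']} "
              f"printable_rule_ok={result['printable_rule_ok']} "
              f"rejected={result['gui_rejected']}")
    print("Characters outside the GUI set:", repr(gap()))
```

Running the same audit over a monitoring system's existing credentials before rollout shows which ones would need the manual snmpd.conf workaround.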
This issue has been automatically timed-out (after 180 days of inactivity).
For more information about the policies for this repository, please read https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md for further details.
If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.