Missing Authentication and Privacy Protocol Fields in SNMPv3 Configuration (OPNsense 25.1.6)
Bug Report: Missing Authentication and Privacy Protocol Fields in SNMPv3 Configuration (OPNsense 25.1.6)
Bug Description
In OPNsense 25.1.6 with the NET-SNMP plugin installed, the SNMPv3 configuration interface is missing critical fields for specifying the Authentication Protocol and Privacy Protocol. This prevents proper configuration of SNMPv3 for monitoring tools such as Zabbix that require these parameters to be explicitly defined.
Environment
- OPNsense Version: 25.1.6
- Plugin: NET-SNMP (latest version)
- Monitoring Tool: Zabbix (unable to query the device due to this issue)
Technical Details
- Examining the template file at /usr/local/opnsense/service/templates/OPNsense/Netsnmp/snmpd.conf confirms that the SNMPv3 user configuration lacks parameters for authentication and privacy protocols:
{% if helpers.exists('OPNsense.netsnmp.user.users.user') %}
{% for user_list in helpers.toList('OPNsense.netsnmp.user.users.user') %}
{% if user_list.enabled == '1' %}
{% if user_list.readwrite == '1' %}rwuser {{ user_list.username }} {% else %}rouser {{ user_list.username }} {% endif %}
{% endif %}
{% endfor %}
{% endif %}
- The template only adds the username as rwuser or rouser without any protocol specification, which is insufficient for proper SNMPv3 security.
Steps to Reproduce
- Install OPNsense 25.1.6
- Install the NET-SNMP plugin via System > Firmware > Plugins
- Navigate to Services > NET-SNMP
- Go to the SNMPv3 Users tab and add a new user
- Observe that while fields for username, password, and encryption key are present, the fields for Authentication Protocol (e.g., SHA, MD5) and Privacy Protocol (e.g., AES, DES) are missing
Expected Behavior
The SNMPv3 user configuration form should include dropdown menus or fields for:
- Authentication Protocol (with options like SHA, MD5, etc.)
- Privacy Protocol (with options like AES, DES, etc.)
These fields are standard in SNMPv3 configurations and are required by monitoring tools like Zabbix to establish secure communication.
Actual Behavior
The configuration interface only offers fields for username, password, and encryption key. There is no way to specify which authentication or privacy protocols should be used, making it impossible to properly configure SNMPv3 through the web interface.
Also, the template file confirms that these protocols are not being included in the generated configuration.
Impact
Without the ability to specify these protocols, monitoring tools like Zabbix cannot query the OPNsense device using SNMPv3. This creates a security vulnerability, as administrators may be forced to use less secure SNMP versions (v1 or v2c) instead of the more secure SNMPv3.
Suggested Fix
- Add the missing fields to the SNMPv3 user configuration interface:
  - Add a dropdown for "Authentication Protocol" (None, MD5, SHA, etc.)
  - Add a dropdown for "Privacy Protocol" (None, DES, AES, etc.)
- Update the template file to include these parameters in the generated configuration:
{% if helpers.exists('OPNsense.netsnmp.user.users.user') %}
{% for user_list in helpers.toList('OPNsense.netsnmp.user.users.user') %}
{% if user_list.enabled == '1' %}
{% if user_list.readwrite == '1' %}rwuser {{ user_list.username }} {{ user_list.authprotocol }} {{ user_list.privprotocol }} {% else %}rouser {{ user_list.username }} {{ user_list.authprotocol }} {{ user_list.privprotocol }} {% endif %}
{% endif %}
{% endfor %}
{% endif %}
Thank you for considering this bug report. Please let me know if you need any additional information.
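An added example, not part of the issue or of the OPNsense plugin: a Python audit of a rendered snmpd.conf that reports, for each SNMPv3 user, the minimum security level its rouser/rwuser line enforces and the protocols on any createUser line in the same file. It assumes net-snmp's documented directive syntax; the sample configuration, the function name and the choice to flag MD5 and DES as legacy are constructed for illustration.

```python
import shlex

LEVELS = ("noauth", "auth", "priv")
LEGACY = {"MD5", "DES"}  # protocols this example flags as legacy (assumption)

# Constructed sample, not taken from an OPNsense system.
SAMPLE = """\
# rendered snmpd.conf (constructed)
createUser zabbix SHA-256 "auth pass phrase" AES "priv pass phrase"
createUser legacy MD5 authpassphrase DES
rouser zabbix
rwuser legacy priv
rouser ghost noauth
"""

def audit_snmpv3(conf_text):
    """Map each SNMPv3 user in snmpd.conf text to its settings and findings."""
    users = {}
    for raw in conf_text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        tokens = shlex.split(raw)
        if not tokens:
            continue
        directive, args = tokens[0], tokens[1:]
        if directive not in ("createUser", "rouser", "rwuser"):
            continue
        if args[:1] in (["-e"], ["-s"]):   # optional "-e ENGINEID" / "-s SECMODEL"
            args = args[2:]
        if not args:
            continue
        user = users.setdefault(args[0], {})
        if directive == "createUser":      # USER AUTHPROTO AUTHPASS [PRIVPROTO [PRIVPASS]]
            user["auth"] = args[1].upper() if len(args) > 1 else None
            user["priv"] = args[3].upper() if len(args) > 3 else None
        else:                              # USER [noauth|auth|priv ...]
            user["access"] = directive
            # net-snmp uses "auth" as the minimum level when none is given
            user["level"] = args[1] if len(args) > 1 and args[1] in LEVELS else "auth"
    for user in users.values():
        findings = user["findings"] = []
        if "access" in user and user["level"] != "priv":
            findings.append("encryption not enforced (minimum level: %s)" % user["level"])
        if "access" in user and "auth" not in user:
            findings.append("no createUser line in this file")
        findings += ["legacy protocol: " + p
                     for p in (user.get("auth"), user.get("priv")) if p in LEGACY]
    return users
```

net-snmp can also keep createUser entries in its persistent configuration file, so "no createUser line in this file" means the user's protocols have to be checked there.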
Thank you for creating an issue. Since the ticket doesn't seem to be using one of our templates, we're marking this issue as low priority until further notice.
For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.
The easiest option to gain traction is to close this ticket and open a new one using one of our templates.
Hello,
I have the same problem with Centreon. We need these parameters: SNMP v3 only: Authentication protocol: MD5|SHA. Since net-snmp 5.9.1: SHA224|SHA256|SHA384|SHA512. And SNMP v3 only: Privacy protocol (privProtocol) used to encrypt messages. Supported protocols are: DES|AES and since net-snmp 5.9.1: AES192|AES192C|AES256|AES256C. We can't monitor the firewall with a secure protocol.
This issue has been automatically timed-out (after 180 days of inactivity).
For more information about the policies for this repository, please read https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md for further details.
If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.