SNMP_Exporter has trouble with passphrases that contain special chars?

[alanrellek]

Host operating system: output of uname -a

Linux 3.10.0-1062.9.1.el7.x86_64 #1 SMP Mon Dec 2 08:31:54 EST 2019 x86_64 x86_64 x86_64 GNU/Linux

snmp_exporter version: output of snmp_exporter -version

snmp_exporter-0.16.1.linux-amd64

What device/snmpwalk OID are you using?

Linux 3.10.0-1062.9.1.el7.x86_64 #1 SMP Mon Dec 2 08:31:54 EST 2019 x86_64 x86_64 x86_64 GNU/Linux

If this is a new device, please link to the MIB(s).

No MIBs involved, snmpv3 authentication problem

What did you do that produced an error?

Used following config lines containing a password with special chars

module_1:
    walk:
       - 1.3.6.1.2.1.1.5 #sysName snmp default
       - 1.3.6.1.2.1.1.1 #sysDescr snmp default
       - 1.3.6.1.2.1.1.3 # sysUptime snmp default
    version: 3
    max_repetitions: 5
    retries: 1
    timeout: 1s
    auth:
      security_level: authPriv
      username: exporter
      password: "MXqg2&PhGRRo&acUU3co9*bGp"
      auth_protocol: SHA
      priv_protocol: AES
      priv_password: "9UdkvE$k&UmDZc5boLUAe4jKE"

What did you expect to see?

Authentication on network device succeeds. Data is being polled.

What did you see instead?

No data being polled.
Raised Loglevel for net-snmp on network device.
Logs showed some sort of usmUnknownEngineID error.

What did I try to verify claim:

Created multiple snmpv3 users with different passwords.
All user passwords which did NOT contain any special characters (only alphanumeric characters) worked fine.
All user passwords which contained special characters would fail to authenticate.

We excluded the possibility of the error originating from the syntax from the YAML file because we did every test with and without quotation marks.

The following example works perfectly fine:

  module_2:
    walk:
       - 1.3.6.1.2.1.1.5 #sysName snmp default
       - 1.3.6.1.2.1.1.1 #sysDescr snmp default
       - 1.3.6.1.2.1.1.3 #sysUptime snmp default
    version: 3
    max_repetitions: 5
    retries: 1
    timeout: 1s
    auth:
      security_level: authPriv
      username: exporter
      password: Q2otF8LjGkqzNuYVEY6xSZYzs
      auth_protocol: SHA
      priv_protocol: AES
      priv_password: U88qFW9a2dFYiwvqcyLjNyKLp

[brian-brazil]

Hmm, if it's not due to YAML then it's likely an issue with the upstream library - though it might also be the device. Can you check with tcpdump?

[SuperQ]

I tested the example special character v3 config against my Netgear GS310TP. No issues.

[alanrellek]

Hey Brian
The Issue is not very urgent nor important (to us) because we can still use passphrases with an entropy high enough to fit our standards.
I am currently very busy but I will provide the output of the tcpdump we did asap.
Cheers

Hmm, if it's not due to YAML then it's likely an issue with the upstream library - though it might also be the device. Can you check with tcpdump?

[brian-brazil]

The evidence indicates that this is an issue with your device rather than with the exporter or our upstream.

[brian-brazil]

Closing per above, this appears to be a local configuration issue.