Description
Affected Puppet, Ruby, OS and module versions/distributions
- Puppet: 5.5.x
- Ruby: 2.4.4
- Distribution: CentOS 7, CentOS 6
- Module version: v4.1.0
How to reproduce (e.g. Puppet code you use)
snmp::snmpv3_user only allows a user to be specified with plain text authpass and privpass passphrases. This means that these passphrases will exist in either a Puppet manifest or a Hieradata file. That persistence has been identified as a security risk.
Per the snmpd.conf man page, the createUser directive used in https://github.com/voxpupuli/puppet-snmp/blob/v4.1.0/manifests/snmpv3_user.pp#L42 and https://github.com/voxpupuli/puppet-snmp/blob/v4.1.0/manifests/snmpv3_user.pp#L43 does have a form that allows the passphrase hashes to be specified instead of the passphrases. That form requires the use of the '-l' or '-m' options.
Unfortunately, I cannot see a way to specify/inject those options in the existing snmp::snmpv3_user code.
What are you seeing
Plain text passphrases persisted in manifests or Hieradata files.
What behaviour did you expect instead
Ability to add a user with hashed passphrases instead of plain text passphrases, so that hashed passphrases are persisted in manifests or Hieradata files.
Also, since the logic to generate these salted hashes is already available in a combination of the snmpv3_user fact and the snmp::snmpv3_usm_hash function, as a bonus, it would be really helpful if that code were also packaged as a standalone salted-hash-generator script.
Output log
N/A
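The "salted hash" the report asks for is the USM localized key from RFC 3414 section A.2: the passphrase is repeated to exactly 1 MiB and digested to give a master key Ku, and Ku is then localized to one engine as H(Ku || engineID || Ku). The following Ruby is an added example written for this page; it is not the module's snmp::snmpv3_usm_hash function or any other puppet-snmp code. The function names (password_to_key, localize_key, localized_key_hex, create_user_localized) are my own, and the createUser line it emits assumes the "-l" form of the directive takes the localized keys as 0x-prefixed hex in place of the passphrases; check that against snmpd.conf(5) on the net-snmp version you run before relying on it.

```ruby
require 'openssl'

# RFC 3414 A.2: the passphrase is repeated (cyclically) to exactly 1 MiB
# and that stream is digested to produce the master key Ku.
ONE_MIB = 1_048_576

# Map the createUser protocol names to OpenSSL digest names. net-snmp's
# "SHA" means SHA-1; the SHA-2 names follow RFC 7860, which reuses the
# RFC 3414 two-step derivation with the stronger hash.
DIGEST_NAMES = {
  'MD5' => 'MD5', 'SHA' => 'SHA1', 'SHA-224' => 'SHA224',
  'SHA-256' => 'SHA256', 'SHA-384' => 'SHA384', 'SHA-512' => 'SHA512'
}.freeze

def openssl_name(algo)
  DIGEST_NAMES.fetch(algo.to_s.upcase) { raise ArgumentError, "unknown auth protocol #{algo}" }
end

# Step 1 (RFC 3414 A.2.1 / A.2.2): passphrase -> master key Ku.
def password_to_key(password, algo)
  pw = password.to_s.b
  raise ArgumentError, 'passphrase must not be empty' if pw.empty?

  reps, rem = ONE_MIB.divmod(pw.bytesize)
  digest = OpenSSL::Digest.new(openssl_name(algo))
  digest.update(pw * reps)              # whole repetitions of the passphrase
  digest.update(pw[0, rem]) if rem.positive? # partial tail to reach exactly 1 MiB
  digest.digest
end

# Step 2: localize Ku to a single engine: Kul = H(Ku || engineID || Ku).
# engine_id_hex is the snmpEngineID as hex, with or without a 0x prefix.
def localize_key(ku, engine_id_hex, algo)
  engine_id = [engine_id_hex.sub(/\A0x/i, '')].pack('H*')
  OpenSSL::Digest.digest(openssl_name(algo), ku + engine_id + ku)
end

def localized_key_hex(password, engine_id_hex, algo)
  localize_key(password_to_key(password, algo), engine_id_hex, algo).unpack1('H*')
end

# Emit a createUser line that carries localized keys instead of passphrases.
# ASSUMPTION (mine, not from the module): with "-l" the keys go where the
# passphrases would otherwise appear, as 0x-prefixed hex. The privacy key is
# derived with the *auth* hash algorithm, as RFC 3414 specifies; the cipher
# then uses as many leading bytes of it as it needs (16 for AES-128).
def create_user_localized(user, engine_id_hex, auth_algo, auth_pass, priv_algo, priv_pass)
  engine = engine_id_hex.sub(/\A0x/i, '')
  auth_kul = localized_key_hex(auth_pass, engine, auth_algo)
  priv_kul = localized_key_hex(priv_pass, engine, auth_algo)
  "createUser -e 0x#{engine} -l #{user} #{auth_algo} 0x#{auth_kul} #{priv_algo} 0x#{priv_kul}"
end

if $PROGRAM_NAME == __FILE__
  # Constructed demo input: the RFC 3414 A.3 test passphrase and engine ID.
  puts create_user_localized('snmpuser', '000000000000000000000002', 'SHA', 'maplesyrup', 'AES', 'maplesyrup')
end
```

Because Kul is bound to the engine ID, a line generated this way only works on the host whose snmpEngineID was used, which is exactly why it is safer to keep in Hiera than the passphrase: recovering the passphrase from Kul requires brute force, and the key is useless against any other agent. The RFC 3414 A.3 vectors ("maplesyrup", engine ID 0x000000000000000000000002) are the natural check for any implementation of this derivation.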