«Error: passphrase chosen is below the length requirements of the USM (min=8)» is shown even though the passphrase length is sufficient
Solution ID | sk172066
Product | Quantum Security Gateways
Version | All
OS | Gaia
Platform / Model | All
Date Created | 2021-02-17 00:00:00.0
Last Modified | 2021-02-17 23:36:56.0
Symptoms
- When running snmpwalk locally on a gateway for SNMP v3, you see the following error:
«Error: passphrase chosen is below the length requirements of the USM (min=8)» even though the passphrase meets the minimum requirement of 8 characters.
- Monitoring systems might reach OIDs but get no information.
Cause
The SNMP v3 passphrase does not support special characters such as ! and $.
Solution
Set a new SNMP v3 passphrase that excludes special characters.
Related solutions:
- sk90860 — How to configure SNMP on Gaia OS
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
Bug 854925 — SNMP failed to auth if the password have space
Re: SNMP Password limitation
well…
Got them to change the password, and replaced the ( with a —
I removed all the items out of XI, and re-ran the wizard.
For the port status, I am getting.
- Code: Select all
Usage /usr/local/nagios/libexec/check_ifoperstatnag:
Check_ifoperstatus requires that the first argument be the interface index that this interface can be found at under the remote devices snmp tree.
This should always be a positive integer, or zero.
All options beyond the first, are arguments that must follow the snmpget command line parameters.
The settings are the same as before, just a different password now.
would any of these characters be the issue:
- Code: Select all
k%pLZ-J
Everybody is somebody else’s weirdo
-
JohnFLi - Posts: 488
- Joined: Mon Jun 17, 2013 3:11 pm
Re: SNMP Password limitation
by Box293 » Thu Feb 12, 2015 7:55 pm
What happens if you try from the CLI?
I have a feeling the length needs to be 8, yours is 7.
Length: 7
- Code: Select all
./check_ifoperstatnag 16797696 -v3 -u sanswitchmonitor.svc -A k%pLZ-J -a MD5 -l authNoPriv 10.25.5.15
No log handling enabled - turning on stderr logging
Error: passphrase chosen is below the length requirements of the USM (min=8).
snmpwalk: (The supplied password length is too short.)
Error generating a key (Ku) from the supplied authentication pass phrase.
No log handling enabled - turning on stderr logging
Error: passphrase chosen is below the length requirements of the USM (min=8).
snmpget: (The supplied password length is too short.)
Error generating a key (Ku) from the supplied authentication pass phrase.
UNKNOWN - No info is being retrieved.
Length: 8
- Code: Select all
./check_ifoperstatnag 16797696 -v3 -u sanswitchmonitor.svc -A k%pLZ-Ja -a MD5 -l authNoPriv 10.25.5.15
No log handling enabled - turning on stderr logging
snmpwalk: Timeout (Sub-id not found: (top) -> ifOperStatus)
No log handling enabled - turning on stderr logging
snmpget: Timeout (Sub-id not found: (top) -> ifDescr)
UNKNOWN - No info is being retrieved.
-
Box293 - Too Basu
- Posts: 5126
- Joined: Sun Feb 07, 2010 10:55 pm
- Location: Deniliquin, Australia
Re: SNMP Password limitation
by JohnFLi » Fri Feb 13, 2015 11:05 am
I don’t understand what you mean a length of 8??
From the cli
- Code: Select all
./check_ifoperstatnag 16801792 -v3 -u sanswitchmonitor.svc -A k%pLk304UZ-J -a MD5 -l authNoPriv -H dc-n5k-s2
Usage ./check_ifoperstatnag: <interface index> <snmpget options>
Check_ifoperstatus requires that the first argument be the interface index that this interface can be found at under the remote devices snmp tree.
This should always be a positive integer, or zero.
All options beyond the first, are arguments that must follow the snmpget command line parameters.
[root@G1VPNAG03 libexec]#
Everybody is somebody else’s weirdo
-
JohnFLi - Posts: 488
- Joined: Mon Jun 17, 2013 3:11 pm
Re: SNMP Password limitation
by JohnFLi » Fri Feb 13, 2015 1:34 pm
The passphrase is 12 in length.
I was just shortening the password for posting
Everybody is somebody else’s weirdo
-
JohnFLi - Posts: 488
- Joined: Mon Jun 17, 2013 3:11 pm
Re: SNMP Password limitation
by scottwilkerson » Fri Feb 13, 2015 2:54 pm
2 more things, can you attempt quoting the password and run from the CLI
- Code: Select all
./check_ifoperstatnag 16801792 -v3 -u sanswitchmonitor.svc -A "k%pLk304UZ-J" -a MD5 -l authNoPriv -H dc-n5k-s2
Also, can you verify what version of the Switch/Router Wizard you are running from Admin -> Manage Config Wizards
- scottwilkerson
- DevOps Engineer
- Posts: 19396
- Joined: Tue Nov 15, 2011 3:11 pm
- Location: Nagios Enterprises
Re: SNMP Password limitation
by tgriep » Fri Feb 13, 2015 2:56 pm
Could you run the following command and post back the walk.txt file?
- Code: Select all
snmpwalk dc-n5k-s2 -v3 -u sanswitchmonitor.svc -A k%pLk304UZ-J -a MD5 -l authNoPriv >walk.txt
Which interface are you trying to monitor?
-
tgriep - Madmin
- Posts: 9157
- Joined: Thu Oct 30, 2014 9:02 am
Re: SNMP Password limitation
by JohnFLi » Fri Feb 13, 2015 4:10 pm
Scott——- Network Switch/Router version 2.15
- Code: Select all
[root@G1VPNAG03 libexec]# ./check_ifoperstatnag 16801792 -v3 -u sanswitchmonitor.svc -A "k%pLk304UZ-J" -a MD5 -l authNoPriv -H dc-n5k-s2
Usage ./check_ifoperstatnag: <interface index> <snmpget options>
Check_ifoperstatus requires that the first argument be the interface index that this interface can be found at under the remote devices snmp tree.
This should always be a positive integer, or zero.
All options beyond the first, are arguments that must follow the snmpget command line parameters.
TGRIEP ———
see attached file
Everybody is somebody else’s weirdo
-
JohnFLi - Posts: 488
- Joined: Mon Jun 17, 2013 3:11 pm
Re: SNMP Password limitation
by JohnFLi » Fri Feb 13, 2015 4:38 pm
I just ran across http://support.nagios.com/forum/viewtopic.php?f=16&t=30816
when it said to open the check_ifoperstatusnag file
and change
- Code: Select all
if test -z "$1" || ! [[ "$1" =~ '^[0-9]+$' ]]; then
to
if test -z "$1" || ! [[ "$1" =~ ^[0-9]+$ ]]; then
now I get
- Code: Select all
[root@G1VPNAG03 libexec]# ./check_ifoperstatnag 16801792 -v3 -u sanswitchmonitor.svc -A "k%pLk304UZ-J" -a MD5 -l authNoPriv -H dc-n5k-s2
Configuration directives understood:
No log handling enabled - turning on stderr logging
In snmp.conf and snmp.local.conf:
alias NAME TRANSPORT_DEFINITION
doDebugging (1|0)
debugTokens token[,token...]
logTimestamp (1|yes|true|0|no|false)
mibdirs [mib-dirs|+mib-dirs|-mib-dirs]
mibs [mib-tokens|+mib-tokens]
mibfile mibfile-to-read
showMibErrors (1|yes|true|0|no|false)
commentToEOL (1|yes|true|0|no|false)
strictCommentTerm (1|yes|true|0|no|false)
mibAllowUnderline (1|yes|true|0|no|false)
mibWarningLevel integerValue
mibReplaceWithLatest (1|yes|true|0|no|false)
printNumericEnums (1|yes|true|0|no|false)
printNumericOids (1|yes|true|0|no|false)
escapeQuotes (1|yes|true|0|no|false)
dontBreakdownOids (1|yes|true|0|no|false)
quickPrinting (1|yes|true|0|no|false)
numericTimeticks (1|yes|true|0|no|false)
oidOutputFormat integerValue
suffixPrinting integerValue
extendedIndex (1|yes|true|0|no|false)
printHexText (1|yes|true|0|no|false)
printValueOnly (1|yes|true|0|no|false)
dontPrintUnits (1|yes|true|0|no|false)
hexOutputLength integerValue
dumpPacket (1|yes|true|0|no|false)
reverseEncodeBER (1|yes|true|0|no|false)
defaultPort integerValue
defCommunity string
noTokenWarnings (1|yes|true|0|no|false)
noRangeCheck (1|yes|true|0|no|false)
persistentDir string
tempFilePattern string
noDisplayHint (1|yes|true|0|no|false)
16bitIDs (1|yes|true|0|no|false)
clientaddr string
clientaddrUsesPort (1|yes|true|0|no|false)
serverSendBuf integerValue
serverRecvBuf integerValue
clientSendBuf integerValue
clientRecvBuf integerValue
noPersistentLoad (1|yes|true|0|no|false)
noPersistentSave (1|yes|true|0|no|false)
noContextEngineIDDiscovery (1|yes|true|0|no|false)
defDomain application domain
defTarget application domain target
defSecurityModel string
defSecurityName string
defContext string
defPassphrase string
defAuthPassphrase string
defPrivPassphrase string
defAuthMasterKey string
defPrivMasterKey string
defAuthLocalizedKey string
defPrivLocalizedKey string
defVersion 1|2c|3
defAuthType MD5|SHA
defPrivType DES|AES
defSecurityLevel noAuthNoPriv|authNoPriv|authPriv
In snmpapp.conf and snmpapp.local.conf:
defDomain application domain
defTarget application domain target
engineID string
engineIDType num
engineIDNic string
./check_ifoperstatnag: line 40: [: -eq: unary operator expected
UNKNOWN - No info is being retrieved.
Everybody is somebody else’s weirdo
-
JohnFLi - Posts: 488
- Joined: Mon Jun 17, 2013 3:11 pm
Re: SNMP Password limitation
by JohnFLi » Fri Feb 13, 2015 5:03 pm
So now that I am not getting an error….
For Bandwidth on the ports, it all shows ZEROS
Everybody is somebody else’s weirdo
-
JohnFLi - Posts: 488
- Joined: Mon Jun 17, 2013 3:11 pm
We got this error when running this command:
[cacti ~]$ snmpwalk -v 3 -a MD5 -u super -x AES -X AAAAAA 10.X.X.X
2011-01-20 16:58:12 Error: passphrase chosen is below the length requirements of the USM (min=8).
2011-01-20 16:58:12 snmpwalk: (The supplied password length is too short.)
Error generating a key (Ku) from the supplied privacy pass phrase.
Do you have any idea how to lower the USM length parameter? We cannot change the password, which is less than 8 characters long.
1 Answer
You are fighting the IETF RFC if you insist on using a short passphrase,
https://www.rfc-editor.org/rfc/rfc3414
If the Appendix A algorithm is used, SNMP implementations (and SNMP configuration applications) must ensure that passwords are at least 8 characters in length.
This is a standard, so your only choice is to use a sufficiently long passphrase.
For AES, the recommended passphrase length is 12,
http://www.ietf.org/rfc/rfc3826.txt
The following are recommended in regard to user passwords:
- Password length SHOULD be at least 12 octets.
- Password sharing SHOULD be prohibited so that passwords are not shared among multiple SNMP users.
- Implementations SHOULD support the use of randomly generated passwords as a stronger form of security.
answered Oct 7 ’21 at 7:10
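The length check and the key derivation (Ku) that the answer cites from RFC 3414, as an added example that is not part of the original answer and is not Net-SNMP's own code. It follows Appendix A.2 of the RFC and is checked against the RFC's published "maplesyrup" test vector; the function names are hypothetical, and the two sample passphrases are the 7- and 8-character ones posted in the Nagios thread above.

```python
"""RFC 3414 Appendix A.2: password-to-key (Ku) and key localization (Kul)."""
import hashlib

USM_MIN_PASSPHRASE_LEN = 8   # the "min=8" reported in the error message
EXPANDED_LEN = 1_048_576     # A.2 hashes exactly 1 MiB of repeated passphrase


def password_to_key(passphrase: bytes, algo: str = "md5") -> bytes:
    """Return Ku: digest of the passphrase repeated out to 1,048,576 octets."""
    if len(passphrase) < USM_MIN_PASSPHRASE_LEN:
        raise ValueError(
            f"passphrase is {len(passphrase)} octets, below the USM minimum "
            f"of {USM_MIN_PASSPHRASE_LEN}"
        )
    # The RFC fills 64-octet buffers by cycling through the passphrase;
    # repeating and truncating yields the same octet stream.
    repeats = EXPANDED_LEN // len(passphrase) + 1
    stream = (passphrase * repeats)[:EXPANDED_LEN]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Return Kul = H(Ku || snmpEngineID || Ku), the per-agent key."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def check_passphrase(passphrase: str) -> str:
    """Report whether key generation would accept the passphrase.

    The length is counted on the octets the tool receives, so a passphrase
    altered before it reaches the tool is judged on what actually arrived.
    """
    try:
        password_to_key(passphrase.encode("utf-8"))
    except ValueError as exc:
        return f"rejected: {exc}"
    return "accepted"


if __name__ == "__main__":
    # Test vector from RFC 3414 A.3.1 (password "maplesyrup").
    engine_id = bytes.fromhex("000000000000000000000002")
    ku = password_to_key(b"maplesyrup", "md5")
    print("Ku  (MD5):", ku.hex())
    print("Kul (MD5):", localize_key(ku, engine_id, "md5").hex())
    # Passphrases as posted in the Nagios thread (7 and 8 characters).
    for candidate in ("k%pLZ-J", "k%pLZ-Ja"):
        print(repr(candidate), "->", check_passphrase(candidate))
```
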
-
nik600
- Posts: 14
- Joined: Sat Feb 25, 2006 5:48 am
password error with poller.php
Hi,
I’m trying to install and configure cacti on a Fedora Core2
I’ve installed rrdtool from rpm and net-snmp-5.3.0.1
I’ve created
/etc/snmpd/snmpd.conf
and I’ve started snmpd
I’ve set up localhost as a generic linux host template
then I run:
php poller.php
and i get:
Code: Select all
Error: passphrase chosen is below the length requirements of the USM (min=8).
/usr/local/bin/snmpget: (The supplied password length is too short.)
Error generating a key (Ku) from the supplied authentication pass phrase.
02/25/2006 11:47:53 AM - SYSTEM STATS: Time:1.0216 Method:cmd.php Processes:1 Threads:N/A Hosts:2 HostsPerProcess:2 DataSources:12 RRDsProcessed:0
-
nik600
- Posts: 14
- Joined: Sat Feb 25, 2006 5:48 am
Post
by nik600 » Sat Feb 25, 2006 1:59 pm
sorry…i was using an errate configuration
-
nik600
- Posts: 14
- Joined: Sat Feb 25, 2006 5:48 am
Post
by nik600 » Sun Feb 26, 2006 7:44 am
i don’t understand… now the error is come back…
what can i do?
how can i disable authentication?
-
flucht
- Posts: 14
- Joined: Wed May 03, 2006 7:56 am
- Location: paris, france
- Contact:
Post
by flucht » Mon May 22, 2006 4:00 am
Have you found your error finally?
Because I got the same
Or has anyone got an idea?
-
flucht
- Posts: 14
- Joined: Wed May 03, 2006 7:56 am
- Location: paris, france
- Contact:
Post
by flucht » Mon May 22, 2006 7:28 am
for those who might meet this error,
try to start mysql with the user you put all the rights for cacti, and not mysql (the user you created for the installation)
-
rony
- Developer/Forum Admin
- Posts: 6022
- Joined: Mon Nov 17, 2003 6:35 pm
- Location: Michigan, USA
-
Contact:
Post
by rony » Mon May 22, 2006 8:04 am
flucht wrote:for those who might meet this error,
try to start mysql with the user you put all the rights for cacti, and not mysql (the user you created for the installation)
That should have no effect.
-
flucht
- Posts: 14
- Joined: Wed May 03, 2006 7:56 am
- Location: paris, france
- Contact:
Post
by flucht » Mon May 22, 2006 9:52 am
It had one on mine, because following the manual, I didn’t put the rights to the user «mysql» to the database I created for cacti.