How to rotate the snmpv3 user passwords?

zealfire · 31 March 2021 17:52

I have an SNMP config like this:

$config['snmp']['v3'][0]['authlevel'] = 'authPriv';
$config['snmp']['v3'][0]['authname'] = 'app';
$config['snmp']['v3'][0]['authpass'] = 'XYZ';
$config['snmp']['v3'][0]['authalgo'] = 'SHA';
$config['snmp']['v3'][0]['cryptopass'] = 'ABC';

And I am monitoring multiple clients using this user.

I was wondering how can I rotate authpass and cryptopass without librenms showing the client as being down?

Scenario 1:

First change passwords in librenms then my client will appear as down because of password mismatch

Scenario 2:

First change password in my clients then again librenms will see the clients as down because of password mismatch

Update:
I was wondering if this can this be done via creating two different users so while 1 user’s password is being rotated, librenms still is able to monitor correctly via 2nd user?

PipoCanaja · 31 March 2021 17:54

Hello,

Your answer is in the question … You have to change both at the same time. (Or put the device in maintenance mode while you change it)
And you have to change it for each and every device using it (at least that 's how it works for SNMP v2, I don’t know if SNMP v3 is different in that aspect). The initial setting is only for the discovery, but then credentials are stored per device.

I would personally do it with a SQL command or script, so each time I change the config on my a device, I run the SQL to change it in LibreNMS as well.

zealfire · 31 March 2021 17:58

Hi,
Problem is I have devices in thousands and using the same password for each device.
Using the current deployment process deploying on these many clients will take time due to which librenms will consider these machines as down.

PipoCanaja · 31 March 2021 18:01

As I told you, you cannot magically do things. So you will have to change the credential on the devices, and into LibreNMS. If it is too long to do it manually, do it with scripts.
And if you want to avoid alerts while the script is going on, put the device in maintenance before starting the script, so alerts will be avoided.

zealfire · 31 March 2021 18:34

Hi @PipoCanaja,
Do you know if this can be done via creating two different users so while 1 user’s password is being rotated, librenms still is able to monitor correctly via 2nd user?

PipoCanaja · 31 March 2021 18:37

Only one user is used by LibreNMS, for each device. So as long as your device replies with this user, LibreNMS is fine, as soon as it stops responding LibreNMS will find it not responding.
Of course if your device can have multiple snmpv3 communities defined, then you don’t have any problem doing your change. But I assumed your devices cannot have more than 1 community if you asked

system · 1 July 2021 00:37

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.