SNMP Community String

Asked by Michael Keane on 2018-09-26

What is the proper way of setting a local SNMP community string to something other than the default value of "public" in HPLIP (io/hpmud in particular)

I have my SNMP community string set correctly in /etc/cups/snmp.conf and CUPS "works" with the ipp backend but not the hp backend

The HPLIP tools (hp-makeuri and and hp-check in particular) fail and when they do I can see using Wireshark that those tools are sending out an SNMP read with the default SNMP community string of "public" which then fails to produce any response and results in a timeout. Likewise print jobs are failing for the same reason. as an SNMP read with a community string of "public" is being sent (probably as an "R U There" check of aliveness / connectivity prior to sending of the print job but I didn't follow that case all the way through the code)

The only way that I could make printing using HPLIP and the hp backend work was to go into io/hpmud/hpmudi.h and enter my SNMP community string as one of the values of SnmpPort[] as a replacement for "public"

This was hplip-3.18.9

Thanks,
MK

Question information

Language:
English Edit question
Status:
Answered
For:
HPLIP Edit question
Assignee:
No assignee Edit question
Last query:
2018-10-03
Last reply:
2018-10-18
srinivas (srinivas5) said : #1

Hi,
Can you let us know why you want to change the default values in the SnmpPort[] in hpmudi.h file?

Regards,
Srinivas Teja

Michael Keane (k1mk) said : #2

My question was how does one specify a non-default SNMP community name
in HPLIP?

The only way I found that I could get HPLIP to work on our corporate
network was by changing the default value in the SnmpPort[] in hpmudi.h
There should be some better mechanism for specifying a non-default SNMP
community name than having to build a custom version, no?

Background here is CVE-1999-0517
<https://nvd.nist.gov/vuln/detail/CVE-1999-0517>

Corporate security policy is to use a SNMP commuity name that is not the
default (e.g. "public"). The reason being that one is unable to pass a
PCI DSS-compliance network scan if there are devices on the network with
a SNMP community name of "public"

-- MK

On 10/3/18 7:03 AM, srinivas wrote:
> Your question #674446 on HPLIP changed:
> https://answers.launchpad.net/hplip/+question/674446
>
> Status: Open => Answered
>
> srinivas proposed the following answer:
> Hi,
> Can you let us know why you want to change the default values in the SnmpPort[] in hpmudi.h file?
>
> Regards,
> Srinivas Teja
>

--
  Michael Keane, K1MK
  IT Manager
  ARRL, The National Association for Amateur Radioâ„¢
  225 Main Street, Newington, CT 06111-1494 USA
  Telephone: (860) 594-0285
  email: <email address hidden>

srinivas (srinivas5) said : #3

we will discuss this with team and get back.

Can you help with this problem?

Provide an answer of your own, or ask Michael Keane for more information if necessary.

To post a message you must log in.