Using Passwords from the password store for device setup?

Hi, I did a search for some known passwords and usernames and noticed that checkmk seems to store them all in clear text files!

I read up about using the password store to combat this issue and created a test password in it, but when I go to my snmpv3 device’s host settings page, I don’t seem to have an option to select anything from the store.

Have I missed a step somewhere?

Attempted on both: OMD - Open Monitoring Distribution Version 2.1.0p26.cfe and Open Monitoring Distribution Version 2.2.0p13.cre

Hi bae-ver,

Unfortunately, the password store cannot be used for SNMP passwords currently.

You can vote for this idea:

Thank you Andre, I have voted :slight_smile:

If you use the password store, your passwords will still be stored in a way that the secret can be retrieved. How else would checkmk know the password…?

The password store just makes it more convenient for users.

Hi Anders,

If it was just for convenience, there would be no need for encryption! I have to encrypt my passwords, even if the password that decrypts them is stored in clear text.

Hi,
I’d recommend watching some of the talks from previous checkmk tech conferences. Checkmk wants to store the passwords in clear text so as not to confuse anyone into thinking that Checkmk somehow magically managed to store passwords using one-way encryption.

This was very clear when the “password store” was introduced as well: this is not a place where you can securely store your passwords. The purpose is mainly that user A needs to perform a task, let’s say he/she needs to add a new networking switch. With a password store for SNMP, Admin A could create that password/community and share it with the team user A is part of, without having to share the actual secret.

As Checkmk is open source, you can easily decrypt the password at any point in time, so if you think you can store your LDAP password there, for example, to connect to, let’s say, a vCenter host, you should think twice about that…

Hi Anders,

I read the release for the password store and I understand that CheckMk needs access to passwords in clear text to monitor devices.

I also get the irony of ever considering storing passwords in a file called ‘stored_passwords’ and then storing the password that decrypts it, in clear text, within a file called ‘password_store.secret’, as secure!

I just have a ‘Does product store passwords in clear text’ checkbox that needs a yes or a no and I have to reach out to suppliers when I think the answer is no.

Thanks for your help, appreciated :slight_smile:
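
An added example, not written by anyone in this thread and not Checkmk's own code: since the thread establishes that the store is reversible and its key sits in a clear-text file, what protects the secrets is who can read the two files. The sketch below audits permissions on files with the two names quoted above; the search root and the sample directory layout are assumptions, because the thread does not give their paths.

```python
import os
import stat
import tempfile

# File names as quoted in the thread. Their location is not given there,
# so the caller supplies the directory to search (an assumption).
STORE_NAME = "stored_passwords"
KEY_NAME = "password_store.secret"


def audit_password_store(root):
    """Return (path, mode, issues) for every store or key file under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in (STORE_NAME, KEY_NAME):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks
            mode = stat.S_IMODE(st.st_mode)
            issues = []
            if stat.S_ISLNK(st.st_mode):
                issues.append("symlink")
            else:
                if mode & stat.S_IRWXO:
                    issues.append("world-accessible")
                if mode & stat.S_IRWXG:
                    issues.append("group-accessible")
            findings.append((path, mode, issues))
    return findings


def demo():
    """Audit a constructed tree: key file left at 0644, store file at 0600."""
    with tempfile.TemporaryDirectory() as root:
        for sub, name, mode in (("dir_a", KEY_NAME, 0o644),
                                ("dir_b", STORE_NAME, 0o600)):
            os.makedirs(os.path.join(root, sub))
            path = os.path.join(root, sub, name)
            with open(path, "w") as fh:
                fh.write("constructed sample content\n")
            os.chmod(path, mode)
        return {os.path.basename(p): (oct(m), i)
                for p, m, i in audit_password_store(root)}


if __name__ == "__main__":
    for name, (mode, issues) in demo().items():
        print(name, mode, issues or "ok")
```

Run `audit_password_store()` against the monitoring site's home directory as the site user; any entry with a non-empty issue list means an account other than the owner can reach the key or the encrypted store.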