Gvm-cli and SNMPv3

I am attempting to add SNMPv3 credentials with gvm-cli (using xml).

Username/pwd creds work fine:

└─$ sudo runuser -u _gvm -- /usr/bin/gvm-cli --gmp-username admin --gmp-password admin socket --xml "<create_credential><name>"smb-cred_user"</name><type>up</type><login>"cred_user"</login><password>"cred_pwd"</password></create_credential>"

<create_credential_response status="201" status_text="OK, resource created" id="affba247-45c2-4ef0-9fe2-d9aa37b6dede"/>

Adding SNMP v1/2 (just a community string) works:

└─$ sudo runuser -u _gvm -- /usr/bin/gvm-cli --gmp-username admin --gmp-password admin socket --xml "<create_credential><name>"snmpv1-cred_snmp_community"</name><type>snmp</type><community>"communitystring"</community></create_credential>" 
<create_credential_response status="201" status_text="OK, resource created" id="b62b7e33-d4f2-4b6e-b26b-197f384bc8cf"/>

But when doing SNMPv3 with basic auth, I get an Invalid XML error:

└─$ sudo runuser -u _gvm -- /usr/bin/gvm-cli --gmp-username admin --gmp-password admin socket --xml "<create_credential><name>"snmpv3"</name><type>snmp</type><community>cred_snmp_community</community><login>"cred_user"</login><password>"cred_pwd"</password><auth_algorithm>md5</auth_algorighm></create_credential>"   

Invalid XML

If I exclude the auth_algorithm, I get a specific error back about that so I assume the XML is formatted ok.

└─$ sudo runuser -u _gvm -- /usr/bin/gvm-cli --gmp-username admin --gmp-password admin socket --xml "<create_credential><name>"snmpv3up-cred_snmp_community"</name><type>snmp</type><community>"cred_snmp_community"</community><login>"cred_user"</login><password>"cred_pwd"</password></create_credential>" 
ERROR:gvmtools.cli:Response Error 400. Selected type requires an auth_algorithm

I have tried with and without quotes, character escaping. No luck. I turned on debug logging for gvmd, but it looks like the XML is parsed/handled by gvm-client. I also tried turning on --log debug with gvm-client. It seems to just echo the xml that is sent in without any additional detail.

Any tips on how to properly format the xml string for SNMPv3?

Thanks.

Similar issues with delete_credential

└─$ sudo runuser -u _gvm -- /usr/bin/gvm-cli --gmp-username admin --gmp-password admin socket --xml "<delete_credential credential_id="267a3405-e84a-47da-97b2-5fa0d2e8995e"/>"
Invalid XML

The xml used is the example shown here:
https://docs.greenbone.net/API/GMP/gmp-21.04.html#command_delete_credential

There is a typo in your command: </auth_algorighm> should be </auth_algorithm>.

You should make sure to use different quotation marks for encapsulating the whole XML string as opposed to individual elements in it. E.g. --xml '<delete_credential credential_id="29543764-abfd-4dc1-9263-9f4676c4ca9b"/>' works.

2 Likes

Thanks for the help with that one. From testing, it appears that I can remove all the inner quotations. This works until a special character (>, <, &, ") is used within one of the values (like a password).

Will simply escaping the string work?

initial password value: passw>>or<d
escaped value: passw&gt;&gt;or&lt;d

ie:
<create_credential><name>smb-domain\username</name><type>up</type><allow_insecure>1</allow_insecure><login>domain\username</login><password>"passw&gt;&gt;or&lt;d"</password></create_credential>

It looks like sending the escaped password string (via xml) doesn’t work? Opening up the webui and entering a password with a < symbol in it works fine though. Any ideas regarding how I can get around this? Not opposed to using python for interacting with GVM if needed, but prefer plain bash/zsh.

pi@pi01:~ $ cat /var/log/auth.log | grep 192.168.0.1 | grep "failure"
Mar  2 10:08:55 pi01 sshd[4129472]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.1  user=pi
Mar  2 10:08:55 pi01 sshd[4129475]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.1  user=pi
Mar  2 10:09:17 pi01 sshd[4129537]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.1  user=pi
Mar  2 10:09:22 pi01 sshd[4129540]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.1  user=pi
Mar  2 10:09:25 pi01 sshd[4129542]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.1  user=pi
Mar  2 10:09:28 pi01 sshd[4129544]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.1  user=pi
Mar  2 10:09:31 pi01 sshd[4129546]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.1  user=pi

Possibly worth noting that if I attempt the same thing in the comment field, it works as expected (showing up properly in the UI and escaped when you request credentials via XML):

└─$ sudo runuser -u _gvm -- /usr/bin/gvm-cli --gmp-username admin --gmp-password admin socket --xml "<get_credentials/>"
<get_credentials_response status="200" status_text="OK"><credential id="a4d65d4f-07d3-4a18-b629-17f48b36232a"><owner><name>admin</name></owner><name>blahblah</name><comment>blah&lt;blah&gt;blah</comment>