- Change Request
- Resolution: Fixed
- Trivial
- 3.4.7
- Linux
- Sprint 56 (Sep 2019), Sprint 55 (Aug 2019), Sprint 54 (Jul 2019), Sprint 57 (Oct 2019), Sprint 58 (Nov 2019), Sprint 59 (Dec 2019), Sprint 60 (Jan 2020), Sprint 61 (Feb 2020)
I assume this applies to all versions of Zabbix that support PSK encryption.
PSK Identity must be unique across every host that has a different PSK Value.
Example:
host1.some.domain: PSK Identity: ZABBIX_AGENT PSK: 1234567890
host2.some.domain: PSK Identity: ZABBIX_AGENT PSK: 0987654321
This configuration will result in failures to communicate with both hosts. This might be as intended. If that is the case, the documentation needs to be much more explicit.
From the documentation: "Before Zabbix server connects to agent using PSK, the server looks up the PSK identity and PSK value configured for that agent in database (actually in configuration cache). Upon receiving a connection the agent uses PSK identity and PSK value from its configuration file. If both parties have the same PSK identity string and PSK value the connection may succeed."
This suggests that this is checked only at the agent level. However, the PSK Identity appears to be global in scope.
The additional caution in the documentation hints at this, but leaves it ambiguous. "It is a user responsibility to ensure that there are no two PSKs with the same identity string but different values. Failing to do so may lead to unpredictable disruptions of communication between Zabbix components using PSKs with this PSK identity string."
The documentation needs to explicitly state that for any given PSK Identity defined on the Zabbix Server there can be only one paired PSK value. The only way to use the same PSK Identity on two or more hosts is to also use the same PSK value on those same hosts. As a best practice, the documentation should further suggest that every agent be assigned a unique PSK Identity and PSK value pair.
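
An added example, not part of the original report and not Zabbix code: a check over a host inventory that flags any PSK identity paired with more than one PSK value, and separately lists identities reused by several hosts with the same value. The inventory format, the hosts host3 to host5, and the treatment of PSK values as hex strings compared by their decoded bytes are assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed sample inventory: (host, PSK identity, PSK value as hex).
# Rows 1-2 are the example from the report; rows 3-5 are made up for illustration.
SAMPLE_INVENTORY = [
    ("host1.some.domain", "ZABBIX_AGENT", "1234567890"),
    ("host2.some.domain", "ZABBIX_AGENT", "0987654321"),
    ("host3.some.domain", "SHARED_ID", "a1b2c3d4e5"),
    ("host4.some.domain", "SHARED_ID", "A1B2C3D4E5"),
    ("host5.some.domain", "HOST5_ID", "ffeeddccbb"),
]


def psk_fingerprint(psk_hex):
    """Short SHA-256 tag of the key bytes, so reports never contain the PSK itself."""
    key = bytes.fromhex(psk_hex.strip())  # raises ValueError on non-hex input
    return hashlib.sha256(key).hexdigest()[:12]


def audit_psk_identities(inventory):
    """Classify each PSK identity; returns identity -> {fingerprint: [hosts]}.

    conflict: one identity paired with more than one PSK value
    shared:   one identity, one value, used by several hosts
    """
    by_identity = defaultdict(lambda: defaultdict(list))
    for host, identity, psk_hex in inventory:
        # Assumption: identity strings are compared exactly (case-sensitive).
        by_identity[identity][psk_fingerprint(psk_hex)].append(host)

    report = {"conflict": {}, "shared": {}}
    for identity, values in by_identity.items():
        plain = {fp: sorted(hosts) for fp, hosts in values.items()}
        if len(values) > 1:
            report["conflict"][identity] = plain
        elif sum(len(hosts) for hosts in values.values()) > 1:
            report["shared"][identity] = plain
    return report


if __name__ == "__main__":
    for kind, identities in audit_psk_identities(SAMPLE_INVENTORY).items():
        for identity, values in identities.items():
            for fp, hosts in values.items():
                print(f"{kind}: identity={identity} psk_sha256={fp} hosts={', '.join(hosts)}")
```

Identities reported under `conflict` correspond to the failing configuration in the report; those under `shared` work but depart from the one-pair-per-agent practice suggested above.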