Net-SNMP Tutorial -- SNMPv3 Options
Introduction
The third version of the SNMP protocol introduced a whole slew of
new security-related features that were missing from the
previous versions. In SNMPv1 and SNMPv2c, a simple community
string was put in clear text into the packet to authenticate the
request. This is obviously highly insecure. (If it's not
obvious, then just trust me.)
SNMPv3 introduces advanced security which splits the
authentication and the authorization into two pieces:
- The USM is the default Security Module (and the only one we
currently support). The U stands for User-based, as it contains a
list of users and their attributes. The USM is described by RFC 2574.
- The VACM is the Version-based Access Control Module and controls
which users (and SNMPv1/v2c communities as well) are allowed to
access, and how they can access, sections of the MIB tree. The VACM
is described by RFC 2575.
This document will discuss how to use the net-snmp tools to get
and set data from a remote host.
Users
A user's profile contains the following data:
% snmptranslate -Tp -IR usmUserTable
+--usmUserTable(2)
   |
   +--usmUserEntry(1)
      |
      +-- ---- String    usmUserEngineID(1)
      |        Textual Convention: SnmpEngineID
      |        Size: 5..32
      +-- ---- String    usmUserName(2)
      |        Textual Convention: SnmpAdminString
      |        Size: 1..32
      +-- -R-- String    usmUserSecurityName(3)
      |        Textual Convention: SnmpAdminString
      |        Size: 0..255
      +-- CR-- ObjID     usmUserCloneFrom(4)
      |        Textual Convention: RowPointer
      +-- CR-- ObjID     usmUserAuthProtocol(5)
      |        Textual Convention: AutonomousType
      +-- CR-- String    usmUserAuthKeyChange(6)
      |        Textual Convention: KeyChange
      +-- CR-- String    usmUserOwnAuthKeyChange(7)
      |        Textual Convention: KeyChange
      +-- CR-- ObjID     usmUserPrivProtocol(8)
      |        Textual Convention: AutonomousType
      +-- CR-- String    usmUserPrivKeyChange(9)
      |        Textual Convention: KeyChange
      +-- CR-- String    usmUserOwnPrivKeyChange(10)
      |        Textual Convention: KeyChange
      +-- CR-- String    usmUserPublic(11)
      |        Size: 0..32
      +-- CR-- EnumVal   usmUserStorageType(12)
      |        Textual Convention: StorageType
      |        Values: other(1), volatile(2), nonVolatile(3), permanent(4), readOnly(5)
      +-- CR-- EnumVal   usmUserStatus(13)
               Textual Convention: RowStatus
               Values: active(1), notInService(2), notReady(3), createAndGo(4), createAndWait(5), destroy(6)
Well, that's nice, but what does it mean?
To summarize the most important parts: each user has a name (called
a securityName), an authentication type (authProtocol) and a privacy
type (privProtocol), as well as an associated key for each of these
(authKey and privKey).
Authentication is performed by using a user's authKey to
sign the message being sent. The authProtocol can be
either MD5 or SHA at this time. authKeys (and privKeys) are
generated from a passphrase that must be at least 8 characters in
length.
Privacy is provided by using a user's privKey to encrypt the data
portion of the message being sent. The privProtocol can be either
AES or DES.
Messages can be sent unauthenticated, authenticated, or
authenticated and encrypted by setting the securityLevel
to use.
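The passphrase-to-key step described above is worth seeing concretely. The following Python is an added example, not code from the Net-SNMP project: it implements the RFC 3414 password-to-key algorithm, which turns a passphrase into an engine-independent key Ku (the hash of the passphrase repeated out to 1 MiB) and then localizes it to one agent's snmpEngineID as Kul = H(Ku || engineID || Ku), for both MD5 and SHA. The function names and the second engineID are my own constructions; the "maplesyrup" values are the test vectors from RFC 3414 Appendix A.3.

```python
import hashlib
from typing import Dict, Iterable, Tuple

# RFC 3414 A.2: the passphrase is fed through the hash until exactly
# 1 MiB (1048576 bytes) of passphrase data has been consumed.
EXPANSION_BYTES = 1048576

# The two authProtocol choices the tutorial lists (-a / defAuthType).
HASHES = {"MD5": hashlib.md5, "SHA": hashlib.sha1}


def password_to_key(passphrase: str, engine_id: bytes, proto: str = "MD5") -> Tuple[bytes, bytes]:
    """Return (Ku, Kul) for a passphrase.

    Ku  is derived from the passphrase alone and is the same for every agent.
    Kul is Ku localized to one agent's snmpEngineID; it is what that agent
    stores and what actually signs or encrypts messages exchanged with it.
    """
    if len(passphrase) < 8:
        # The tutorial's rule: passphrases must be at least 8 characters.
        raise ValueError("SNMPv3 passphrases must be at least 8 characters")
    if proto not in HASHES:
        raise ValueError("proto must be MD5 or SHA")
    hashfn = HASHES[proto]
    pw = passphrase.encode("utf-8")

    # Step 1: repeat the passphrase cyclically to exactly 1 MiB and hash it.
    repeated = (pw * (EXPANSION_BYTES // len(pw) + 1))[:EXPANSION_BYTES]
    ku = hashfn(repeated).digest()

    # Step 2: localize to the target agent: Kul = H(Ku || snmpEngineID || Ku).
    kul = hashfn(ku + engine_id + ku).digest()
    return ku, kul


def keys_for_agents(passphrase: str, engine_ids: Iterable[bytes], proto: str = "MD5") -> Dict[str, str]:
    """Map each engineID (hex) to the hex Kul the agent with that ID would hold."""
    return {eid.hex(): password_to_key(passphrase, eid, proto)[1].hex() for eid in engine_ids}


if __name__ == "__main__":
    # engineID used by the RFC 3414 Appendix A.3 test vectors (12 bytes).
    rfc_engine = bytes.fromhex("000000000000000000000002")
    # Constructed second engineID, only to show that localization differs per agent.
    other_engine = bytes.fromhex("80001f8880e9bd0d5a1c6f0a")
    for proto in ("MD5", "SHA"):
        ku, kul = password_to_key("maplesyrup", rfc_engine, proto)
        print(f"{proto}: Ku={ku.hex()}  Kul={kul.hex()}")
    print(keys_for_agents("maplesyrup", [rfc_engine, other_engine]))
```

Two things the run makes visible: the same -A passphrase produces a different Kul for every agent, which is why a manager can use one passphrase against many hosts without storing per-agent keys, and an agent holds only its own Kul, so a key read out of one agent's configuration does not hand over the keys of other agents sharing that passphrase (although the passphrase itself, if weak, can still be guessed from any Kul, which is the reason for the 8-character minimum).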
All of this information is passed to commands using the command
line arguments described in the table below. Additionally, you
can put default values in your ~/.snmp/snmp.conf file using the
tokens specified in the third column.
Parameter     | Command Line Flag                      | snmp.conf token
securityName  | -u NAME                                | defSecurityName NAME
authProtocol  | -a (MD5|SHA)                           | defAuthType (MD5|SHA)
privProtocol  | -x (AES|DES)                           | defPrivType DES
authKey       | -A PASSPHRASE                          | defAuthPassphrase PASSPHRASE
privKey       | -X PASSPHRASE                          | defPrivPassphrase PASSPHRASE
securityLevel | -l (noAuthNoPriv|authNoPriv|authPriv)  | defSecurityLevel (noAuthNoPriv|authNoPriv|authPriv)
context       | -n CONTEXTNAME                         | defContext CONTEXTNAME
Examples
Here is a completely unauthenticated request (which still
needs a user name, nonetheless):
% snmpgetnext -v 3 -n "" -u noAuthUser -l noAuthNoPriv test.net-snmp.org sysUpTime
system.sysUpTime.0 = Timeticks: (83467131) 9 days, 15:51:11.31
Here is an authenticated request:
% snmpgetnext -v 3 -n "" -u MD5User -a MD5 -A "The Net-SNMP Demo Password" -l authNoPriv test.net-snmp.org sysUpTime
system.sysUpTime.0 = Timeticks: (83491735) 9 days, 15:55:17.35
And finally, here is an authenticated and encrypted request:
% snmpgetnext -v 3 -n "" -u MD5DESUser -a MD5 -A "The Net-SNMP Demo Password" -x DES -X "The Net-SNMP Demo Password" -l authPriv test.net-snmp.org system
system.sysUpTime.0 = Timeticks: (83493111) 9 days, 15:55:31.11
Of course, they don't look much different since they all
worked identically. But, the host above allows us to look at it
using any level of authentication. Any hosts you set up should be
more restricted than that and require at least a level of
authNoPriv when you configure the VACM access control.
Finally, consider a snmp.conf file that looks like this:
defContext none
defSecurityName MD5User
defAuthPassphrase The Net-SNMP Demo Password
defVersion 3
defAuthType MD5
defSecurityLevel authNoPriv
This sets up the defaults for you so that your snmp commands can
boil down to something as simple as:
% snmpgetnext test.net-snmp.org sysUpTime
system.sysUpTime.3.0 = Timeticks: (83517052) 9 days, 15:59:30.52
Or:
% snmpset test.net-snmp.org ucdDemoPublicString.0 s "I changed something"
enterprises.ucdavis.ucdDemoMIB.ucdDemoMIBObjects.ucdDemoPublic.ucdDemoPublicString.2.0 = "I changed something"
Then:
% snmpget test.net-snmp.org ucdDemoPublicString.0
enterprises.ucdavis.ucdDemoMIB.ucdDemoMIBObjects.ucdDemoPublic.ucdDemoPublicString.2.0 = "I changed something"
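As an added example (not part of this tutorial or of Net-SNMP), here is a small Python parser for the token/value format of snmp.conf, together with a checker that applies the rules this page states: a user name is always required, even for noAuthNoPriv; passphrases must be at least 8 characters; authPriv needs both passphrases; and anything below authNoPriv is worth flagging. The sample file is a constructed copy of the one shown above. One assumption not on the page: when defSecurityLevel is absent the checker treats the level as noAuthNoPriv.

```python
from typing import Dict, List, Tuple

# Values from the tutorial's table of command-line flags and snmp.conf tokens.
AUTH_TYPES = {"MD5", "SHA"}
PRIV_TYPES = {"AES", "DES"}
LEVELS = {"noAuthNoPriv", "authNoPriv", "authPriv"}
MIN_PASSPHRASE = 8

# Constructed copy of the tutorial's sample ~/.snmp/snmp.conf (comment line added).
DEMO_CONF = """\
# defaults for talking to the Net-SNMP demo host
defContext none
defSecurityName MD5User
defAuthPassphrase The Net-SNMP Demo Password
defVersion 3
defAuthType MD5
defSecurityLevel authNoPriv
"""


def parse_snmp_conf(text: str) -> Dict[str, str]:
    """Parse 'token value' lines. The value is the rest of the line, so a
    passphrase containing spaces survives intact. Lines whose first
    non-blank character is '#' are comments; a repeated token overrides."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def _check_passphrase(conf: Dict[str, str], token: str, findings: List[Tuple[str, str]]) -> None:
    value = conf.get(token)
    if value is None:
        findings.append(("error", f"{token} missing for defSecurityLevel {conf.get('defSecurityLevel')}"))
    elif len(value) < MIN_PASSPHRASE:
        findings.append(("error", f"{token} is shorter than {MIN_PASSPHRASE} characters"))


def check_v3_defaults(conf: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings. 'error' means the commands will not
    work as intended; 'warn' means they work but with reduced protection."""
    findings: List[Tuple[str, str]] = []
    if conf.get("defVersion") != "3":
        findings.append(("warn", "defVersion is not 3, so the SNMPv3 tokens are not used"))
    if not conf.get("defSecurityName"):
        findings.append(("error", "defSecurityName missing; even noAuthNoPriv requests need a user name"))
    level = conf.get("defSecurityLevel", "noAuthNoPriv")  # assumed default when absent
    if level not in LEVELS:
        findings.append(("error", f"unknown defSecurityLevel {level!r}"))
        return findings
    if level == "noAuthNoPriv":
        findings.append(("warn", "noAuthNoPriv: requests are neither authenticated nor encrypted"))
        return findings
    # authNoPriv and authPriv both need a usable authentication key.
    _check_passphrase(conf, "defAuthPassphrase", findings)
    if "defAuthType" in conf and conf["defAuthType"] not in AUTH_TYPES:
        findings.append(("error", f"defAuthType must be MD5 or SHA, got {conf['defAuthType']!r}"))
    if level == "authNoPriv":
        findings.append(("warn", "authNoPriv: requests are authenticated but the data travels in clear text"))
    else:
        _check_passphrase(conf, "defPrivPassphrase", findings)
        if "defPrivType" in conf and conf["defPrivType"] not in PRIV_TYPES:
            findings.append(("error", f"defPrivType must be AES or DES, got {conf['defPrivType']!r}"))
    return findings


def errors(findings: List[Tuple[str, str]]) -> List[str]:
    """Just the messages that would make a command fail or behave unexpectedly."""
    return [msg for sev, msg in findings if sev == "error"]


if __name__ == "__main__":
    conf = parse_snmp_conf(DEMO_CONF)
    for sev, msg in check_v3_defaults(conf):
        print(f"{sev}: {msg}")
```

Running it against the tutorial's file reports no errors and one warning (authNoPriv leaves the payload readable on the wire); switching defSecurityLevel to authPriv without adding defPrivPassphrase turns that into an error, which is the mistake people most often make when tightening a working configuration.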
Last modified: Wednesday, 01-Aug-2018 04:41:28 UTC