Call for testers: SNMPv3 support for bsnmpd(1)

From: Shteryana Shopova <syrinx_at_FreeBSD.org>
Date: Thu, 28 Oct 2010 21:19:37 +0300
Dear all,

I am happy to announce that work on SNMPv3 support for bsnmpd(1) is
now completed and ready for testing. I want to thank the FreeBSD
Foundation for funding this work. A quick how-to for getting started
with the changes to bsnmpd(1) follows.

The patch against FreeBSD current sources is available under
http://people.freebsd.org/~syrinx/snmp/svn-snmpd-20101028-02.diff.

To compile && install the sources

# cd <freebsd-sources directory>
# fetch http://people.freebsd.org/~syrinx/snmp/svn-snmpd-20101028-02.diff
# mkdir -p contrib/bsnmp/snmp_vacm contrib/bsnmp/snmp_usm \
    usr.sbin/bsnmpd/tools/bsnmptools usr.sbin/bsnmpd/tools/libbsnmptools \
    usr.sbin/bsnmpd/modules/snmp_vacm usr.sbin/bsnmpd/modules/snmp_usm
# patch < svn-snmpd-20101028-02.diff
# <compile && install world and kernel>

(The directories are created first because patch(1) does not create
missing directories for the new files in the diff.)

The patch contains all changes made to support SNMPv3 in bsnmpd(1) and
also bsnmptools(1), which were initially developed during Google's
Summer of Code 2005 and later, together with bsnmpd(1), enhanced to
support SNMPv3 encryption and authentication.
After these changes bsnmpd(1) should remain compatible with old
configuration files and, unless explicitly configured otherwise,
retain its current behavior. By default all SNMP versions are enabled;
however, as no SNMPv3 USM users are defined, SNMPv3 packets are
silently dropped. To configure SNMPv3 users and View-based access
rules one needs to load two additional modules in bsnmpd(1) that are
not loaded by default, snmp_usm(3) and snmp_vacm(3). This is done by
adding the following lines to snmpd.config:

# SNMPv3 User-based security module - must be loaded for SNMPv3 USM
begemotSnmpdModulePath."usm"   = "/usr/lib/snmp_usm.so"

# SNMPv3 View-based Access Control module
begemotSnmpdModulePath."vacm"  = "/usr/lib/snmp_vacm.so"


The objects from SNMP-FRAMEWORK-MIB (snmpEngineID, snmpEngineBoots,
snmpEngineTime and snmpEngineMaxMessageSize) are mandatory for an SNMP
agent compliant with the SNMPv3 framework and are supported by
bsnmpd(1). An administrative value for snmpEngineID may be specified
via the daemon's configuration file, for example

# The SNMP engine ID
engine := 0x80:0x00:0x1f:0x88:0x80:0x91:0x04:0xc9:0x0f:0x67:0xe9:0x5b:0x4c
snmpEngineID    = $(engine)

If not present, a default value is assigned to the object based on the
host ID of the machine bsnmpd(1) is running on. Note that USM keys are
localized with the engine ID (see below), so changing it invalidates
the configured user keys.
SNMPv1 and SNMPv2c community definitions in the configuration file
have not changed.
SNMPv3 users are defined in the %usm section of the configuration
file, for example

%usm
NoAuthProtocol          := 1.3.6.1.6.3.10.1.1.1
HMACMD5AuthProtocol     := 1.3.6.1.6.3.10.1.1.2
HMACSHAAuthProtocol     := 1.3.6.1.6.3.10.1.1.3

NoPrivProtocol          := 1.3.6.1.6.3.10.1.2.1
DESPrivProtocol         := 1.3.6.1.6.3.10.1.2.2
AesCfb128Protocol       := 1.3.6.1.6.3.10.1.2.4

user1 := "test"
user4 := "testmd5"
user6 := "testaes"
user4passwd := 0xa4:0x27:0x99:0xe2:0x4b:0x32:0x12:0xec:0xe5:0xf4:0xac:0x83:0x1f:0x75:0xbb:0x59
user6passwd := 0x1b:0x07:0x9b:0x0b:0x75:0xb7:0xab:0xc7:0x77:0x6a:0x1a:0x24:0x02:0x0c:0x3a:0x87:0x4c:0x80:0x80:0x04

# SNMPv3 user with name "test", no authentication, no privacy
usmUserStatus.$(engine).$(user1) = 5
usmUserAuthProtocol.$(engine).$(user1) = $(NoAuthProtocol)
usmUserPrivProtocol.$(engine).$(user1) = $(NoPrivProtocol)
usmUserStatus.$(engine).$(user1) = 1

# SNMPv3 user with name "testmd5", MD5 message digests, no privacy
usmUserStatus.$(engine).$(user4) = 5
usmUserAuthProtocol.$(engine).$(user4) = $(HMACMD5AuthProtocol)
usmUserAuthKeyChange.$(engine).$(user4) = $(user4passwd)
usmUserPrivProtocol.$(engine).$(user4) = $(NoPrivProtocol)
usmUserStatus.$(engine).$(user4) = 1

# SNMPv3 user with name "testaes", SHA message digests (HMAC-SHA-96), AES encryption
usmUserStatus.$(engine).$(user6) = 5
usmUserAuthProtocol.$(engine).$(user6) = $(HMACSHAAuthProtocol)
usmUserAuthKeyChange.$(engine).$(user6) = $(user6passwd)
usmUserPrivProtocol.$(engine).$(user6) = $(AesCfb128Protocol)
usmUserPrivKeyChange.$(engine).$(user6) = $(user6passwd)
usmUserStatus.$(engine).$(user6) = 1

The password of each user specified in the configuration file is not
the plaintext password but the key localized for the current
snmpEngineID; it may be calculated via bsnmpget(1), for example

> setenv | grep SNMP
SNMPUSER=testaes
SNMPPASSWD=shteryana
SNMPAUTH=sha
SNMPPRIV=aes
> bsnmpget -v 3 -D -K -o verbose
Engine ID 0x80001f88809104c90f67e95b4c
Boots : 145             Time : 1
Localized keys for testaes
SHA : 0x1b079b0b75b7abc7776a1a24020c3a874c808004
AES : 0x1b079b0b75b7abc7776a1a24020c3a87
>
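The localization step shown above, as an added example that is not bsnmp's own code: the RFC 3414 password-to-key and key-localization routines in Python, producing the same values that `bsnmpget -D -K` prints. The engine ID parser accepts both spellings used on this page (the `0x80:0x00:...` form of snmpd.config and the `0x80001f88...` form of the tool output); the rest follows RFC 3414 Appendix A.2 and is checked against the RFC's own test vectors.

```python
"""RFC 3414 password-to-key (A.2.1/A.2.2) and key localization.
Added example; not code from bsnmp or bsnmptools."""
import hashlib
from typing import Optional

# usmHMACMD5AuthProtocol -> MD5, usmHMACSHAAuthProtocol -> SHA-1 (HMAC-SHA-96)
_HASH = {"md5": hashlib.md5, "sha": hashlib.sha1}
_EXPANSION = 1048576  # the RFC hashes exactly 1 MiB of the repeated password


def parse_engine_id(text: str) -> bytes:
    """Accept both spellings on this page: '0x80:0x00:...' and '0x80001f88...'."""
    if ":" in text:
        return bytes(int(octet, 16) for octet in text.split(":"))
    return bytes.fromhex(text[2:] if text.lower().startswith("0x") else text)


def password_to_key(password: str, auth: str) -> bytes:
    """Ku = H(password repeated to 1,048,576 octets), RFC 3414 A.2."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    stream = (pw * (_EXPANSION // len(pw) + 1))[:_EXPANSION]
    return _HASH[auth](stream).digest()


def localize_key(ku: bytes, engine_id: bytes, auth: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): binds the key to one engine, so a
    key captured from one agent is useless against another."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("snmpEngineID must be 5..32 octets (RFC 3411)")
    return _HASH[auth](ku + engine_id + ku).digest()


def localized_keys(password: str, engine_id: bytes, auth: str,
                   priv: bool = False, priv_password: Optional[str] = None) -> dict:
    """The keys a USM user entry needs for one engine, as hex like bsnmpget prints."""
    auth_key = localize_key(password_to_key(password, auth), engine_id, auth)
    keys = {"auth": auth_key.hex()}
    if priv:
        # The privacy key is derived with the *auth* hash from the privacy
        # password (the same password here, as in the bsnmpget run above) and
        # truncated to 16 octets: the AES-128 key, or for DES the 8-octet key
        # followed by the 8-octet pre-IV (RFC 3414 section 8.1.1.1).
        src = password if priv_password is None else priv_password
        priv_key = localize_key(password_to_key(src, auth), engine_id, auth)
        keys["priv"] = priv_key[:16].hex()
    return keys


if __name__ == "__main__":
    # Engine ID and password from the bsnmpget session above; compare the
    # output with the SHA and AES lines it printed.
    engine = parse_engine_id("0x80001f88809104c90f67e95b4c")
    print(localized_keys("shteryana", engine, "sha", priv=True))
```

Two things the code makes visible: the AES line in the bsnmpget output is the first 16 octets of the SHA line only because the same password serves as SNMPPASSWD for both authentication and privacy, and every localized key depends on the engine ID, which is why the keys must be recomputed (and the usm section updated) if snmpEngineID changes.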

Supported authentication options are HMAC-MD5-96 and HMAC-SHA-96 (the
usmHMACMD5AuthProtocol and usmHMACSHAAuthProtocol OIDs above) or none,
and supported encryption options are DES and AES (CFB-128). If
encryption is used, authentication is also mandatory: USM has no
noAuthPriv level. Of these, SHA with AES is the combination to prefer;
MD5 and DES remain available for interoperability with older managers.

Unless the snmp_vacm(3) module is loaded, all users have access to the
values of all MIB objects available in bsnmpd(1). To restrict access
to certain parts of the MIB subtrees supported in bsnmpd(1), use the
snmp_vacm(3) module. The module is configured in the %vacm section of
the snmpd.config file. To properly configure View-based access, at
least three entries are needed: one mapping users (security names) to
a group, a second specifying an access rule for that group, and a
third specifying the MIB subtrees (views) the group is allowed to
read, write or receive notifications for. For example,

read := "public"
write := "private"

%vacm
#Definition of a SNMPv1 group in snmp_vacm(3)
vacmSecurityToGroupStatus.1.$(read) = 4
vacmGroupName.1.$(read) = $(read)

#Definition of a SNMPv2 group in snmp_vacm(3)
vacmSecurityToGroupStatus.2.$(write) = 4
vacmGroupName.2.$(write) = $(write)

#Definition of a SNMPv3 group, including users "test" and "testaes", in
#snmp_vacm(3)
vacmSecurityToGroupStatus.3.$(user1) = 4
vacmGroupName.3.$(user1) = $(write)
vacmSecurityToGroupStatus.3.$(user6) = 4
vacmGroupName.3.$(user6) = $(write)

# List of views as per RFC 3415
internetoid := 1.3.6.1
internetoidlen := 4
vacmViewTreeFamilyStatus."internet".$(internetoidlen).$(internetoid) = 4
vacmViewTreeFamilyStatus."restricted".$(internetoidlen).$(internetoid) = 4

noAuthNoPriv := 1
authNoPriv := 2
authPriv := 3

#Read-only access for the users from the SNMPv1 group
vacmAccessStatus.$(read)."".1.1 = 4
vacmAccessReadViewName.$(read)."".1.1 = "internet"

#Read-write access for the users from the SNMPv2 group
vacmAccessStatus.$(write)."".2.1 = 4
vacmAccessReadViewName.$(write)."".2.1 = "internet"
vacmAccessWriteViewName.$(write)."".2.1 = "internet"

#Read-write-notify access for SNMPv3 USM users with noAuthNoPriv
vacmAccessStatus.$(write)."".3.$(noAuthNoPriv) = 4
vacmAccessReadViewName.$(write)."".3.$(noAuthNoPriv) = "internet"
vacmAccessWriteViewName.$(write)."".3.$(noAuthNoPriv) = "internet"
vacmAccessNotifyViewName.$(write)."".3.$(noAuthNoPriv) = "internet"

#Read-write-notify access for SNMPv3 USM users with authNoPriv
vacmAccessStatus.$(write)."".3.$(authNoPriv) = 4
vacmAccessReadViewName.$(write)."".3.$(authNoPriv) = "internet"
vacmAccessWriteViewName.$(write)."".3.$(authNoPriv) = "internet"
vacmAccessNotifyViewName.$(write)."".3.$(authNoPriv) = "internet"

#Read-write-notify access to restricted for SNMPv3 USM users with authPriv
vacmAccessStatus.$(write)."".3.$(authPriv) = 4
vacmAccessReadViewName.$(write)."".3.$(authPriv) = "restricted"
vacmAccessWriteViewName.$(write)."".3.$(authPriv) = "restricted"
vacmAccessNotifyViewName.$(write)."".3.$(authPriv) = "restricted"
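To show what the three tables above decide together, here is an added example (not snmp_vacm(3)'s code) that models the RFC 3415 access-decision rules over the %vacm configuration on this page. It simplifies context matching to a prefix test and otherwise follows section 3.2 of the RFC: securityName to group, the best access row for the requested securityModel and securityLevel, then the longest matching view family decides whether the OID is in the view. The user and view names are the page's; the mask handling goes slightly beyond the page, which only uses whole-subtree families.

```python
"""RFC 3415 isAccessAllowed, modelled over the %vacm configuration above.
Added example; not snmp_vacm(3)'s code."""
from dataclasses import dataclass, field

SNMPV1, SNMPV2C, USM = 1, 2, 3                  # securityModel values used in the config
NOAUTHNOPRIV, AUTHNOPRIV, AUTHPRIV = 1, 2, 3    # securityLevel
INCLUDED, EXCLUDED = 1, 2                       # vacmViewTreeFamilyType


@dataclass
class Access:
    """One vacmAccessTable row: group, securityModel, securityLevel, view names."""
    group: str
    model: int
    level: int
    read: str = ""
    write: str = ""
    notify: str = ""
    context_prefix: str = ""


@dataclass
class Vacm:
    groups: dict = field(default_factory=dict)   # (securityModel, securityName) -> groupName
    access: list = field(default_factory=list)   # Access rows
    views: dict = field(default_factory=dict)    # viewName -> [(subtree, mask, type)]

    def add_view(self, name, subtree, mask=b"", ftype=INCLUDED):
        self.views.setdefault(name, []).append((tuple(subtree), mask, ftype))

    @staticmethod
    def _family_matches(oid, subtree, mask):
        if len(oid) < len(subtree):
            return False
        for i, sub in enumerate(subtree):
            # A set mask bit (bits past the end of the mask count as set) means the
            # sub-identifier must match; a clear bit is a wildcard, e.g. a row index.
            bit = (mask[i // 8] >> (7 - i % 8)) & 1 if i // 8 < len(mask) else 1
            if bit and oid[i] != sub:
                return False
        return True

    def in_view(self, view, oid):
        best = None
        for subtree, mask, ftype in self.views.get(view, []):
            if self._family_matches(tuple(oid), subtree, mask):
                # the longest matching family wins (lexicographically greatest on ties)
                if best is None or (len(subtree), subtree) > (len(best[0]), best[0]):
                    best = (subtree, ftype)
        return best is not None and best[1] == INCLUDED

    def is_access_allowed(self, model, name, level, op, oid, context=""):
        """Returns (allowed, view name or the RFC's failure reason)."""
        group = self.groups.get((model, name))
        if group is None:
            return False, "noGroupName"
        rows = [a for a in self.access
                if a.group == group and a.model == model and a.level <= level
                and context.startswith(a.context_prefix)]
        if not rows:
            return False, "noAccessEntry"
        # longest context prefix first, then the highest securityLevel not above the request
        row = max(rows, key=lambda a: (len(a.context_prefix), a.level))
        view = getattr(row, op)              # op is "read", "write" or "notify"
        if not view:
            return False, "noSuchView"
        return (True, view) if self.in_view(view, oid) else (False, "notInView")


def page_config() -> Vacm:
    """The %vacm section above, transcribed: two community groups and one USM group."""
    v = Vacm()
    v.groups.update({(SNMPV1, "public"): "public", (SNMPV2C, "private"): "private",
                     (USM, "test"): "private", (USM, "testaes"): "private"})
    internet = (1, 3, 6, 1)
    v.add_view("internet", internet)
    v.add_view("restricted", internet)
    v.access += [
        Access("public", SNMPV1, NOAUTHNOPRIV, read="internet"),
        Access("private", SNMPV2C, NOAUTHNOPRIV, read="internet", write="internet"),
        Access("private", USM, NOAUTHNOPRIV, "internet", "internet", "internet"),
        Access("private", USM, AUTHNOPRIV, "internet", "internet", "internet"),
        Access("private", USM, AUTHPRIV, "restricted", "restricted", "restricted"),
    ]
    return v


SYSDESCR_0 = (1, 3, 6, 1, 2, 1, 1, 1, 0)

if __name__ == "__main__":
    v = page_config()
    for req in [(SNMPV1, "public", NOAUTHNOPRIV, "write"),
                (USM, "testaes", AUTHPRIV, "read"),
                (USM, "testmd5", AUTHNOPRIV, "read")]:   # testmd5 is in no group
        print(req, v.is_access_allowed(*req, SYSDESCR_0))
```

Running the model against the page's own tables makes two properties of this configuration explicit: "testmd5" is defined in %usm but in no vacmSecurityToGroup row, so once snmp_vacm(3) is loaded its requests fail with noGroupName, and the "restricted" view is identical to "internet" until an excluded family is added to it, so the authPriv row grants exactly the same access as the others.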

The snmp_vacm(3) module may be used separately from the snmp_usm(3)
module. If snmp_usm(3) is not loaded, snmp_vacm(3) grants access to
the MIB objects in bsnmpd(1) to SNMPv1/v2c users only; their SNMPv1/v2c
user names must match the read/write communities configured in
snmpd.config. Both modules may also be configured via SNMP SET
requests, but such configuration does not persist across restarts of
bsnmpd(1).
bsnmptools(1) may be used to query OID values from bsnmpd(1); the
bsnmpget(1) man page lists all the command line options the tools
accept. In the simplest case, given that the SNMPUSER, SNMPPASSWD,
SNMPAUTH and SNMPPRIV environment variables are set, with SNMPv3 the
bsnmptools(1) perform automatic engine ID discovery, calculate the
corresponding localized keys for the discovered engine ID and query
the agent with the appropriate options in the SNMP PDUs, for example

> bsnmpwalk -v 3 mib2
Engine ID 0x80001f88809104c90f67e95b4c
Boots : 148             Time : 337
Localized keys for testaes
SHA : 0x1b079b0b75b7abc7776a1a24020c3a874c808004
AES : 0x1b079b0b75b7abc7776a1a24020c3a87
sysDescr.0 = prometheus 1108790616 FreeBSD 9.0-CURRENT
sysObjectId.0 = begemotSnmpdAgentFreeBSD
sysUpTime.0 = 36605
sysContact.0 = syrinx_at_FreeBSD.org
sysName.0 = prometheus
sysLocation.0 = Somewhere in Europe
sysServices.0 = 76
sysORLastChange.0 = 1
sysORID[1] = begemotSnmpdTransUdp

....

Enjoy!

cheers,
Shteryana
Received on Thu Oct 28 2010 - 16:42:20 UTC
