I have been trying to get my SNMP v3 users set up and to a certain degree I'm having luck, but unfortunately only with DES privacy. I have been following the SNMP documentation and am not sure if I'm doing something wrong or if the OpenBSD version of SNMP doesn't do AES. Here is my command for creating a user:

net-snmp-config --create-snmpv3-user -ro -A mypassword -X myotherpassword -x DES -a SHA newnewuser

which comes back with no errors and the resultant message:
adding the following line to /var/net-snmp/snmpd.conf:
  createUser newnewuser mypassword "SHA" myotherpassword DES
adding the following line to /usr/local/share/snmp/snmpd.conf:
  rouser newnewuser

I verified that the two files were altered per the results:
# cat /var/net-snmp/snmpd.conf
createUser newnewuser mypassword "SHA" myotherpassword DES

#cat /usr/local/share/snmp/snmpd.conf
rouser newnewuser

I start snmpd, everything seems OK, but when I try to get any information as below, I always get the same error:
snmpwalk -v 3 -l authPriv -u newnewuser -A mypassword -X myotherpassword -a SHA -x AES localhost IF-MIB::ifDescr.3
Invalid privacy protocol specified after -x flag: AES

If I leave out the -x flag:
snmpwalk -v 3 -l authPriv -u newnewuser -A mypassword -X myotherpassword -a SHA localhost IF-MIB::ifDescr.3
snmpwalk: Unknown user name

I then checked my /var/net-snmp/snmpd.conf and /usr/local/share/snmp/snmpd.conf files and was surprised not to find, in the /var/net-snmp/snmpd.conf file, any evidence that the above create user line had succeeded:
# snmpd
# cat /var/net-snmp/snmpd.conf
#
# net-snmp (or ucd-snmp) persistent data file.
#
############################################################################
# STOP STOP STOP STOP STOP STOP STOP STOP STOP
#
#          **** DO NOT EDIT THIS FILE ****
#
# STOP STOP STOP STOP STOP STOP STOP STOP STOP
############################################################################
#
# DO NOT STORE CONFIGURATION ENTRIES HERE.
# Please save normal configuration tokens for snmpd in SNMPCONFPATH/snmpd.conf.
# Only "createUser" tokens should be placed here by snmpd administrators.
# (Did I mention: do not edit this file?)
#







engineBoots 1
oldEngineID 0x800007e5805070ab640f62cf46

but the user was successfully created in the /usr/local/share/snmp/snmpd.conf:
# cat /usr/local/share/snmp/snmpd.conf
rouser  newnewuser


net-snmp-config --create-snmpv3-user -ro -a "newpassword" -x "newotherpassword" -A SHA newuser works just fine and I can use it after starting snmpd. I noticed that the help page for net-snmp-config doesn't list AES (yes, I know that should be a huge clue), but I thought it might just be an oversight:
SNMP Setup commands:

   --create-snmpv3-user [-ro] [-a authpass] [-x privpass] [-X DES]
                        [-A MD5|SHA] [username]


It seems that I'm sure OpenBSD's implementation doesn't support AES, so I guess my actual question is why, and will it ever? Another question along the same line: why doesn't it error out when creating the user if AES isn't supported? I thought (not an enc. specialist so please don't flame me too harshly) AES was far better than DES so OpenBSD would have it for sure.

One last question about this... During all of this time, successful and failed creation of users and snmpwalking, my /var/log/snmpd file stayed empty even when starting it via "snmpd -Lsd -A". Is that common?

Thanks in advance,

Aaron
