OK - sounds good.

So if vacm is enabled - it should reject unauthenticated read and writes?
That sounds reasonable.

Adam

-----Original Message-----
From: dave.shi...@googlemail.com [mailto:dave.shi...@googlemail.com] On Behalf 
Of Dave Shield
Sent: Tuesday, February 16, 2010 9:01 AM
To: Bell, Adam
Cc: Szudy Brett-CBS035; net-snmp-coders@lists.sourceforge.net
Subject: Re: question on net-snmp privacy

On 16 February 2010 13:41, Bell, Adam <adam.b...@safenet-inc.com> wrote:
> That is a huge security hole.  In fact knowing this, we will have to 
> add some kind of extension to explicitly disallow Any packet that is not 
> authenticated.

Why?
If you configure the agent using

   "rouser"

then this will reject any unauthenticated request.
(Since the default is to accept only authNoPriv or authPriv requests)


> Vacm does not solve this either because anyone could spoof the user 
> name in the un-authenticated packet.

The user name could be spoofed - yes.
But that wouldn't benefit the attacker, since the unauthenticated request would 
then be rejected by the VACM processing.

Remember, VACM allows you to insist that all requests are authenticated before 
they are processed.


Try it for yourself if you don't believe me.
Configure the agent using "rouser", and then send a
request using -l noauth.    This will fail.

Dave
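The behaviour Dave describes above (a bare "rouser" line rejecting a request sent with -l noauth, whatever user name the packet claims), as an added model in Python that is not net-snmp's own code: it parses rouser/rwuser lines with the optional noauth|auth|priv level that snmpd.conf(5) documents, applies net-snmp's default of auth when the level is omitted, and flags lines that explicitly loosen it to noauth. The sample snmpd.conf is constructed; the `-s MODEL`, OID and view arguments of the real directives are deliberately not modelled.

```python
"""Model of how net-snmp's rouser/rwuser directives gate requests by
USM security level (added illustration, not net-snmp's own code)."""
import re

LEVELS = {"noauth": 0, "auth": 1, "priv": 2}
# rouser|rwuser NAME [noauth|auth|priv]; the -s MODEL, OID and -V VIEW
# forms from snmpd.conf(5) are not modelled here.
DIRECTIVE = re.compile(r"^\s*(rouser|rwuser)\s+(\S+)(?:\s+(noauth|auth|priv))?")


def parse_conf(text):
    """Return {user: (writable, minimum_level)} from snmpd.conf-style lines.
    net-snmp defaults an omitted level to 'auth', which is why a bare
    'rouser NAME' already rejects requests sent with -l noauth."""
    rules = {}
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if not m:
            continue
        kind, user, level = m.groups()
        rules[user] = (kind == "rwuser", LEVELS[level or "auth"])
    return rules


def check_request(rules, user, level, write=False):
    """Decide whether a request claiming `user` at security `level` passes.
    A spoofed user name carried in a noauth packet still fails, because the
    level comparison happens regardless of which name the packet claims."""
    if user not in rules:
        return False  # no access entry for this name at all
    writable, min_level = rules[user]
    if LEVELS[level] < min_level:
        return False  # below the configured minimum (default: auth)
    return writable or not write


def weak_lines(text):
    """Config-review helper: directives that explicitly permit noauth access."""
    return [line.strip() for line in text.splitlines()
            if (m := DIRECTIVE.match(line)) and m.group(3) == "noauth"]


SAMPLE_CONF = """\
# constructed sample snmpd.conf
rouser monitor
rwuser admin priv
rouser legacy noauth
"""

if __name__ == "__main__":
    rules = parse_conf(SAMPLE_CONF)
    print(check_request(rules, "monitor", "noauth"))  # False: Dave's -l noauth test
    print(check_request(rules, "monitor", "auth"))    # True
    print(weak_lines(SAMPLE_CONF))                    # ['rouser legacy noauth']
```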



_______________________________________________
Net-snmp-coders mailing list
Net-snmp-coders@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
