From my reading of FAQs and old messages, it seems that what I want to do is possible. However, I have not figured it out yet.
 
From the FAQ:
How do I configure access control?
---------------------------------

The simplest way is to use the configure directives:

        rocommunity public (for SNMPv1/2c)
        rwcommunity private
    or
        rouser user1 (for SNMPv3)
        rwuser user2

  These specify the community names or security names to accept for
  read-only and read-write access to the whole of the supported MIB tree.
  (Obviously you should change these names to match your requirements -
  which is a particularly good idea in the case of 'rwcommunity'!)

  [...]

  All four of these settings can also be restricted to particular
  subtrees, and/or request sources.  See 'snmpd.conf(5)' for details.

  These directives are effectively wrappers round the core access control
  mechanism, which uses the four directives 'com2sec', 'group', 'view'
  and 'access' to provide a more efficient and flexible control
  over who can access which portions of the tree.
And from the snmpd.conf(5) man page:

        ## Net-SNMP default configuration
        com2sec public default public
        group public v1 public
        group public v2c public
        group public usm public
        view all included .1
        access public "" any noauth exact all none none

Based on this information and the descriptions of com2sec, group, view, and access in the man page and other resources I found, I figured I could put something like:

        view special excluded .1.3.6.1.4.1.253.8.53.5
        access public "" any noauth exact special special special

into snmpd.conf. If I then WALK 1.3.6.1.6.3 I can see entries for public and special, but there is no effect on accessing the MIB object.
 
Am I trying to do something that is not really possible? Or am I just missing something?
 
(The rest of this may be more appropriate on the coders list, but I figured I would keep it all together.)
 
Alternatively, I could do additional code work. Our extensions utilize the old API and only get the information as defined in the FindVarMethod function typedef. After a cursory investigation, it looks like the new API would provide me with a netsnmp_pdu object which contains the snmp_version field from which I will know if the request was made using v1, v2c, or v3 protocol. I could then return an error for the v1 and v2c calls and process the v3 calls. Is this correct?
 
The only question then left is verifying that the v3 request was actually made with both authentication and encryption. I assume this can be done with users and views as well, but is there something in the structure that I did not see that would indicate this information?
 
Thanks, so very much!
Tim D. Hammer
Software Developer
Xerox Corporation
250 CrossKeys Office Park, M/S 0820-03F
Fairport, NY 14450
Phone: 585/425-6781   Internal: 8*225-6781
Fax: 585/425-6351
 
XEROX
Technology. Document Management. Consulting Services
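The split the post is after, as an added snmpd.conf example (constructed here, not taken from the original message or the Net-SNMP documentation; the security names, group and view names, the community string and the passphrases are placeholders):

```conf
# Constructed snmpd.conf example. Goal: the whole tree stays readable
# over v1/v2c except one enterprise subtree, which is readable only
# over SNMPv3 with authentication and encryption (authPriv).

# --- security names --------------------------------------------------
# v1/v2c: map a community string to a security name. "public" is a
# placeholder; use a site-specific string in production.
com2sec v12c_sec default public
# v3: create a USM user with SHA authentication and AES privacy.
# Placeholder passphrases; snmpd moves this line into its persistent
# store on first start, so keep it out of world-readable config files.
createUser secureuser SHA "auth-passphrase-placeholder" AES "priv-passphrase-placeholder"

# --- groups: one per protocol family, so each gets its own access rule
group v12c_grp v1  v12c_sec
group v12c_grp v2c v12c_sec
group v3_grp   usm secureuser

# --- views -----------------------------------------------------------
# Everything minus the sensitive subtree (the OID from the post).
# The more specific 'excluded' entry overrides the broader 'included'.
view restricted included .1
view restricted excluded .1.3.6.1.4.1.253.8.53.5
# Everything, for the authPriv v3 user only.
view full       included .1

# --- access ----------------------------------------------------------
# group    context model level  prefix read       write notify
access v12c_grp ""   any   noauth exact  restricted none  none
access v3_grp   ""   usm   priv   exact  full       none  none
# 'priv' means a v3 request that is merely authenticated (authNoPriv)
# or unauthenticated does not match this entry and is refused, so the
# "was it really authPriv?" check is done by VACM, not in handler code.
```

To confirm the split, `snmpwalk -v2c -c public <host> 1.3.6.1.4.1.253.8.53.5` should return nothing from that subtree, while `snmpwalk -v3 -u secureuser -l authPriv -a SHA -A <authpass> -x AES -X <privpass> <host> 1.3.6.1.4.1.253.8.53.5` should return the objects.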
 