On 11/09/2017 09:39 AM, Andrejs Bogdanovs wrote:
> Greetings, net-snmp folks!

Hi there!

> Sorry if this has been discussed before or is mentioned in the docs -
> haven't found info about this issue (only about the minimal length of
> the passwords).
>
> I installed net-snmp 5.7.3 on Ubuntu Linux 16.04.3 LTS (x86_64).
> I created an SNMPv3 user using net-snmp-config:
>
> net-snmp-config --create-snmpv3-user -a "aaaaaaaaa" myuser3
>
> I tried to access the sysDescr OID:
>
> Valid password:
>
> snmpwalk -v 3 -u myuser3 -l authNoPriv -a MD5 -A "aaaaaaaaa" -mALL -M /home/user/net-snmp/mibs localhost sysDescr
> SNMPv2-MIB::sysDescr.0 = STRING: Linux ubuntu-pc 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64
>
> Invalid ones:
>
> snmpwalk -v 3 -u myuser3 -l authNoPriv -a MD5 -A "aaaaaaaa" -mALL -M /home/user/net-snmp/mibs localhost sysDescr
> SNMPv2-MIB::sysDescr.0 = STRING: Linux ubuntu-pc 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64
>
> snmpwalk -v 3 -u myuser3 -l authNoPriv -a MD5 -A "aaaaaaadddaa" -mALL -M /home/user/net-snmp/mibs localhost sysDescr
> snmpwalk: Authentication failure (incorrect password, community or key) (Sub-id not found: (top) -> sysDescr)
>
> snmpwalk -v 3 -u myuser3 -l authNoPriv -a MD5 -A "aaaaaaaaaaaa" -mALL -M /home/user/net-snmp/mibs localhost sysDescr
> SNMPv2-MIB::sysDescr.0 = STRING: Linux ubuntu-pc 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64
>
> Why have requests succeeded in the case of "aaaaaaaa" and "aaaaaaaaaaaa"?

Because the generated MD5 Key is the same in this case.
A look into the sample implementation of the key generation algorithm in
Appendix A.2.1 of RFC3414 reveals why.
https://tools.ietf.org/html/rfc3414#appendix-A.2.1
The key generation loops through 1 MB of data of the password chars
wrapping at the beginning when it reaches the end.
If we use "aaaaaaaa" and "aaaaaaaaaaaa" the data being looped through is
the same.

> After that I created another user "myuser2" with password "aaaaaaaa"
> and checked /var/lib/snmp/snmpd.conf
>
> usmUser 1 3 0x80001f88801017fc5c779da55800000000 "myuser2" "myuser2" NULL .1.3.6.1.6.3.10.1.1.2 0x706e8678f90dd89addf77ed13b2e7093 .1.3.6.1.6.3.10.1.2.2 0x706e8678f90dd89addf77ed13b2e7093 0x
> usmUser 1 3 0x80001f88801017fc5c779da55800000000 "myuser3" "myuser3" NULL .1.3.6.1.6.3.10.1.1.2 0x706e8678f90dd89addf77ed13b2e7093 .1.3.6.1.6.3.10.1.2.2 0x706e8678f90dd89addf77ed13b2e7093 0x
>
> It seems that their hashes are the same. Is it as intended?

Yes, I think it is intended.
See RFC3414 - User-based Security Model (USM) for version 3 of the
Simple Network Management Protocol (SNMPv3)

> Thank you for your help!
>
> Best wishes,
> Andrejs
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Net-snmp-users mailing list
Net-snmp-users@lists.sourceforge.net
Please see the following page to unsubscribe or change other options:
https://lists.sourceforge.net/lists/listinfo/net-snmp-users
Kind regards,
Bernd Eilers
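
Added example, not part of either message and not net-snmp's own code: a Python version of the RFC 3414 Appendix A.2.1 MD5 password-to-key step described in the reply, showing why passwords that are repetitions of the same unit collapse to one key. The engineID is copied from the usmUser lines quoted above; the function names are assumptions of this example.

```python
import hashlib

MEGABYTE = 1048576  # RFC 3414 A.2.1 hashes exactly this many octets

def password_to_key_md5(password: bytes) -> bytes:
    """Ku: MD5 over the password repeated (wrapping) until 1 MB is filled."""
    if not password:
        raise ValueError("empty password")
    reps = MEGABYTE // len(password) + 1
    stream = (password * reps)[:MEGABYTE]
    return hashlib.md5(stream).digest()

def localize_key_md5(ku: bytes, engine_id: bytes) -> bytes:
    """Kul = MD5(Ku || snmpEngineID || Ku), the per-engine key."""
    return hashlib.md5(ku + engine_id + ku).digest()

def repeating_unit(password: bytes) -> bytes:
    """Shortest unit whose repetition yields the password ("abab" -> "ab").

    Passwords sharing a unit expand to the same 1 MB stream, so the
    effective secret is only the unit, not the full string.
    """
    n = len(password)
    for size in range(1, n + 1):
        if n % size == 0 and password[:size] * (n // size) == password:
            return password[:size]
    return password

# engineID taken from the usmUser lines quoted in the thread
ENGINE_ID = bytes.fromhex("80001f88801017fc5c779da55800000000")

def report(passwords):
    """Return (password, repeating unit, localized key hex) per password."""
    rows = []
    for pw in passwords:
        kul = localize_key_md5(password_to_key_md5(pw), ENGINE_ID)
        rows.append((pw, repeating_unit(pw), kul.hex()))
    return rows

if __name__ == "__main__":
    # The four passwords tried in the thread
    tried = [b"aaaaaaaa", b"aaaaaaaaa", b"aaaaaaaaaaaa", b"aaaaaaadddaa"]
    for pw, unit, kul in report(tried):
        print(f"{pw.decode():<13} unit={unit.decode():<13} Kul={kul}")
```

The printed Kul values can be compared with the key stored in /var/lib/snmp/snmpd.conf; a password policy check can reject any candidate whose repeating_unit is shorter than the minimum length.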