Thanks Colin,
I'm trying to avoid the clear-text passwords on the trapsess line.
For traps, I have:
createUser trapUser SHA authPass AES privPass
in /var/lib/snmp/snmpd.conf, and
trapsess -v3 -u trapUser -l authPriv 192.168.1.215
in /etc/snmp/snmpd.conf.
And it works. The traps are properly authenticated and encrypted (I'm
testing with Wireshark).
However, I still can't get the informs to work without clear text
passwords on the trapsess.
I still need help.
On 17-Jul-2020 2:49 PM, Colin Anderson wrote:
>
> This is what I use. But this is for traps not informs, so yours will
> be different.
>
>
>
> rouser scott
>
> createUser scott MD5 "becky000" DES "molly000"
>
> trapsess -v 3 -n "" -u scott -a MD5 -A "becky000" -x DES -X "molly000"
> -l authPriv 192.168.55.50
>
>
>
> Colin
>
>
>
> *From:*John Bize <[email protected]>
> *Sent:* 17 July 2020 18:44
> *To:* Atkins, Brian <[email protected]>; Colin Anderson
> <[email protected]>; [email protected]
> *Subject:* Re: SNMPv3 authPriv informs (trapsess)
>
>
>
> Ok, I did it wrong. I'm looking for valid examples.
>
> For authPriv informs, what do the createUser and trapsess look like?
>
> For authPriv traps, what do the createUser and trapsess look like?
>
>
>
> On 17-Jul-2020 1:40 PM, Atkins, Brian wrote:
>
> Also, if you use traps, the authoritativeEngineID will be the one
> on the agent. That is the default, so there will be no need to
> specify a -e argument on the createUser call.
>
>
>
> *From:* Atkins, Brian
> *Sent:* Friday, July 17, 2020 1:38 PM
> *To:* John Bize <[email protected]> <mailto:[email protected]>;
> Colin Anderson <[email protected]>
> <mailto:[email protected]>;
> [email protected]
> <mailto:[email protected]>
> *Subject:* RE: SNMPv3 authPriv informs (trapsess)
>
>
>
> The authoritativeEngineID is specified on the createUser, not
> trapsess. See http://www.net-snmp.org/docs/man/snmpd.conf.html
>
>
>
> *From:* John Bize <[email protected] <mailto:[email protected]>>
> *Sent:* Friday, July 17, 2020 1:37 PM
> *To:* Atkins, Brian <[email protected]
> <mailto:[email protected]>>; Colin Anderson
> <[email protected]
> <mailto:[email protected]>>;
> [email protected]
> <mailto:[email protected]>
> *Subject:* Re: SNMPv3 authPriv informs (trapsess)
>
>
>
> Ok,
>
> So it appears that I should add:
>
> trapsess -e 0x80001F888001331F10B729FA5E00000000 -Ci -v3 -u
> remoteUser -l authPriv 192.168.1.215
>
> to /etc/snmp/snmpd.conf for v3 informs (without the -Ci for v3
> traps), and:
>
> createUser -e 0x80001F888001331F10B729FA5E00000000 remoteUser
> SHA "authPass" AES privPass
>
> in /var/lib/snmp/snmpd.conf where
> "0x80001F888001331F10B729FA5E00000000" is the engine-id of the
> receiver.
>
> Does that look right? Will that work correctly?
>
>
>
> On 17-Jul-2020 1:06 PM, Atkins, Brian wrote:
>
> Looking at Colin’s reply, I realize you may need to add the
> createUser statements to the /var/lib/snmp/snmpd.conf file
> directly, instead of /etc/snmp/snmpd.conf (these are Debian 10
> paths). It will replace them with usmUser statements, so you
> shouldn’t need to delete anything.
>
>
>
> *From:* John Bize <[email protected]>
> <mailto:[email protected]>
> *Sent:* Friday, July 17, 2020 1:02 PM
> *To:* Colin Anderson <[email protected]>
> <mailto:[email protected]>; Atkins, Brian
> <[email protected]> <mailto:[email protected]>;
> [email protected]
> <mailto:[email protected]>
> *Subject:* Re: SNMPv3 authPriv informs (trapsess)
>
>
>
> Thanks Colin and Brian.
>
> I will give creating a new snmpd (agent) user with the remote
> (manager's) engine-id a try.
>
> I was using net-snmp-create-v3-user from the libsnmp-dev
> package to add users. Unfortunately, it does not support
> engine-id, so I'll have to forgo that tool for this.
>
> Does anyone have an example of what the final trapsess looks like?
>
>
>
> On 17-Jul-2020 12:47 PM, Colin Anderson wrote:
>
> We came across this problem.
>
>
>
> There are 2 snmpd.conf files. “Your” one, in
> /usr/share/snmp/ and an autogenerated one in
> /var/net-snmp/. This autogenerated one stores the keys
> once they are generated. You can add the passwords to
> the auto-generated snmpd.conf file. (You can ignore the
> “Do not edit” warnings.) This file will automatically
> delete the password entries once the keys have been
> generated. This is mentioned in the wiki pages somewhere.
>
>
>
> There are other issues with this file which you may come
> across. We found that it seems to be written to with the
> old/existing config as snmpd is closing. So your changes
> could be overwritten. The file takes some playing with.
>
>
>
> Or depending how you’ve done it you can delete “your”
> snmpd.conf file once snmpd has started. We create our
> snmpd.conf just before we try to open snmpd and so the
> passwords are only added then. We then delete the file
> once snmpd is running.
>
>
>
> Hope this helps.
>
>
>
> Colin
>
>
>
> *From:* John Bize <[email protected]>
> <mailto:[email protected]>
> *Sent:* 17 July 2020 15:32
> *To:* [email protected]
> <mailto:[email protected]>
> *Subject:* Re: SNMPv3 authPriv informs (trapsess)
>
>
>
> Bump please.
>
> On 04-Jul-2020 10:11 AM, John Bize wrote:
>
> I have an embedded system running Debian 10 with snmpd
> v5.7.3.
>
> I'd like to configure SNMPv3 trapsess to send
> auth,priv informs. How is this done *without putting
> clear-text passwords *into the snmpd.conf file?
>
> Thanks.
>
_______________________________________________
Net-snmp-users mailing list
[email protected]
Please see the following page to unsubscribe or change other options:
https://lists.sourceforge.net/lists/listinfo/net-snmp-users
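
Added example, not part of the thread and not Net-SNMP's own code: the RFC 3414 password-to-key localization that turns a createUser passphrase into a per-engine key, which is why the engine ID given with -e decides which keys the user ends up with. The receiver engine ID and "authPass" are the values quoted in the thread; the agent engine ID is a constructed placeholder.

```python
import hashlib

MEGABYTE = 1048576  # RFC 3414 A.2 expands the passphrase to this many bytes


def password_to_key(passphrase: bytes, algo: str) -> bytes:
    """Ku: digest of the passphrase repeated (and truncated) to 1 MiB."""
    if not passphrase:
        raise ValueError("empty passphrase")
    reps, rem = divmod(MEGABYTE, len(passphrase))
    return hashlib.new(algo, passphrase * reps + passphrase[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul: digest of Ku || engineID || Ku, usable with that one engine only."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def parse_engine_id(text: str) -> bytes:
    """Accept the 0x-prefixed hex form used with createUser -e / trapsess -e."""
    return bytes.fromhex(text[2:] if text[:2].lower() == "0x" else text)


def localized_auth_key(passphrase: str, engine_id: str, algo: str = "sha1") -> str:
    """Hex localized authentication key for one passphrase and one engine ID."""
    ku = password_to_key(passphrase.encode(), algo)
    return localize_key(ku, parse_engine_id(engine_id), algo).hex()


# Engine ID of the inform receiver, as quoted in the thread.
RECEIVER_ENGINE_ID = "0x80001F888001331F10B729FA5E00000000"
# Constructed stand-in for the agent's own engine ID (not from the thread).
AGENT_ENGINE_ID = "0x80001F8880AABBCCDD00000000"

if __name__ == "__main__":
    # Same passphrase, two engines: the localized keys do not match, so a
    # user localized to the agent cannot authenticate an inform, which is
    # keyed to the receiver's engine ID.
    for label, eid in (("receiver", RECEIVER_ENGINE_ID), ("agent", AGENT_ENGINE_ID)):
        print(label, localized_auth_key("authPass", eid))
```
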