On Mon, Feb 04, 2002 at 11:37:23AM -0800, Logg, Connie A. wrote:
>
> One of my concerns has always been the apparent need to have the snmp
> community read string in the configuration file.

This is common for many network management systems, commercial and otherwise. They presume that the localhost is at least as secure as your network. (Not that this is always the case...)

However, it's not really all that helpful to protect the SNMP read community value in the file-system. This is because SNMP v1/v2 will just put the community on the wire as plain text anyway. So, anyone with root privilege on one of the hosts involved in the SNMP transaction can simply run tcpdump or ethereal to snoop the traffic and determine the read community.

If you make it so that the script is only readable by root (or some other user that you can only become by becoming root first), you essentially avoid having unprivileged users reading the file to determine your community string. (Disallowing read-permission for "other" may be sufficient, if you set the script and conf file to have the right group.)

> Is there a way around this?

Many of us just use "public" as our read-community, but then use our router's SNMP security features to limit which hosts can perform SNMP operations. This is so-called "host-based" security, and is about all the SNMP v1/v2 offers. (Also, most of us never enable nor use SNMP write capabilities...)

Dave

--
[EMAIL PROTECTED] http://net.doit.wisc.edu/~plonka ARS:N9HZF Madison, WI
