Fwd: SNMPv3 DES issue

2024-01-29 Thread Niels Baggesen

I don't know snmpb, and it seems non-trivial to install.

Have you tried with the Net-SNMP tools?

Besides the createUser to create the user, you need an access and view 
entry to define how it is used. How did you configure that?


/Niels

Den 26-01-2024 kl. 11:10 skrev Vincent Gilson via Net-snmp-coders:


Hello !

I’m working on a net-snmp agent integrated into an industrial embedded 
system (ARM-based).


The agent is working perfectly for v1 and v2c, and also with v3 and 
‘AuthNoPriv’ mode. I’m doing my tests with SnmpB software as a client.


But SHA and DES/AES are not working:

_My snmpd.conf:_

# Listening connections :
agentAddress udp:161
#
# User list :
createUser myuser MD5 authpass
rouser myuser
createUser vincent SHA authpass DES privauthpass
rwuser vincent priv


A GET of an integer with SNMPv3 is working for user “myuser” (configured 
with ‘authNoPriv’ and empty context info in SnmpB), but it is not 
working for user “vincent” (configured with ‘authPriv’ in SnmpB): the 
embedded agent replies that the security level is not supported (oid 
1.3.6.1.6.3.15.1.1.1.0, see Wireshark trace below). The same problem 
occurs with AES.


Why is it not supported ?
I tried different combinations with ‘createUser’, adding ‘priv’ to it, 
or adding it at the end of ‘rwuser’.


I didn’t see anything relevant in the snmpd.log, so I guess OpenSSL is 
correctly loaded.


I don’t know what I’m missing. Could you help me please ?
Many thanks !

Vincent.

->>>

_Some useful resources:_

_My install switches:_

./configure --prefix=$(INSTALL_PREFIX) --host=$(HOST) \
    --disable-applications --enable-debugging --disable-embedded-perl --without-perl-modules \
    --enable-reentrant \
    --with-cc=$(CC) --with-linkcc=$(CC) --with-ar=$(AR) --with-ldflags="$(LDFLAGS)" --with-cflags="$(CFLAGS_EXT)" \
    --with-openssl=$(LIB_DIRS) \
    --without-rpm \
    --with-logfile="/tmp/var/snmpd.log" \
    --with-default-snmp-version="3" \
    --with-transports="UDP,TCP,DTLSUDP,TLSTCP" --with-security-modules="usm,tsm" \
    --with-sys-contact="vincent.gil...@ovarro.com" \
    --with-sys-location="Ovarro" \
    --with-persistent-directory="/var/net-snmp" \
    --enable-shared=yes --enable-static=no --enable-tagCC-libtool

_Wireshark capture (request of SnmpB, followed by answer from embedded net-snmp agent):_

No.   Time       Source          Destination     Protocol  Length  Info
4488  49.862297  10.65.84.14     172.25.110.169  SNMP      183     encryptedPDU: privKey Unknown

Frame 4488: 183 bytes on wire (1464 bits), 183 bytes captured (1464 bits) on interface \Device\NPF_{71745524-1B4D-4E06-8D78-0E258F5FBAED}, id 0
Ethernet II, Src: Cisco_3c:7a:00 (00:05:9a:3c:7a:00), Dst: CIMSYS_33:44:55 (00:11:22:33:44:55)
Internet Protocol Version 4, Src: 10.65.84.14, Dst: 172.25.110.169
User Datagram Protocol, Src Port: 49987, Dst Port: 161
Simple Network Management Protocol
    msgVersion: snmpv3 (3)
    msgGlobalData
        msgID: 1572876
        msgMaxSize: 4096
        msgFlags: 07
            .1.. = Reportable: Set
            ..1. = Encrypted: Set
            ...1 = Authenticated: Set
        msgSecurityModel: USM (3)
    msgAuthoritativeEngineID: 80001f88801cfa42209b6fa665
        1... = Engine ID Conformance: RFC3411 (SNMPv3)
        Engine Enterprise ID: net-snmp (8072)
        Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
        Engine ID Data: 1cfa4220
        Engine ID Data: Creation Time: Jan 16, 2024 12:59:23 Paris, Madrid
    msgAuthoritativeEngineBoots: 17
    msgAuthoritativeEngineTime: 67315
    msgUserName: vincent
    msgAuthenticationParameters: 90d824057790ccf09d9cdf94
    msgPrivacyParameters: 0011904f
    msgData: encryptedPDU (1)
        encryptedPDU: 6ca45160f625888a5d5578eab7db81b466dc8d98901c8a706eee1031ca939c6e1a825c7f…

No.   Time       Source          Destination     Protocol  Length  Info
4496  49.945101  172.25.110.169  10.65.84.14     SNMP      154     report 1.3.6.1.6.3.15.1.1.1.0

Frame 4496: 154 bytes on wire (1232 bits), 154 bytes captured (1232 bits) on interface \Device\NPF_{71745524-1B4D-4E06-8D78-0E258F5FBAED}, id 0
Ethernet II, Src: CIMSYS_33:44:55 (00:11:22:33:44:55), Dst: Cisco_3c:7a:00 (00:05:9a:3c:7a:00)
Internet Protocol Version 4, Src: 172.25.110.169, Dst: 10.65.84.14
User Datagram Protocol, Src Port: 161, Dst Port: 49987
Simple Network Management Protocol
    msgVersion: snmpv3 (3)
    msgGlobalData
        msgID: 1572876
        msgMaxSize: 65507
        msgFlags: 00
            .0.. = Reportable: Not set
            ..0. = Encrypted: Not set
            ...0 = Authenticated: Not set
        msgSecurityModel: USM (3)
    msgAuthoritativeEngineID: 80001f88801cfa42209b6fa665
        1... = Engine ID Conformance: RFC3411 (SNMPv3)
        Engine Enterprise ID: net-snmp (8072)
        Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
        Engine ID Data: 1cfa4220
        Engine ID Data: Creation Time: Jan 16, 2024 12:59:23 Paris, Madrid
    msgAuthoritativeEngineBoots: 17
    msgAuthoritativeEngineTime: 67315
    msgUserName: vincent
    msgAuthenticationParameters: 
    msgPrivacyParameters: 
    msgData: plaintext 

Re: SNMPv3 DES issue

2024-01-29 Thread Martijn van Duren
Hello Vincent,

Small disclaimer: I'm the maintainer of OpenBSD's snmp stack and not
too familiar with the net-snmp's quirks.

That out of the way I think I have a decent idea where the problem
comes from and would be more clear if you load the
SNMP-USER-BASED-SM-MIB for more human readable output.

If you look at the following line from the highlights you'll find:
> usm: User (vincent) Auth Protocol: SNMPv2-SMI::snmpModules.10.1.1.2,
> User Priv Protocol: SNMPv2-SMI::snmpModules.10.1.2.1
Where SNMPv2-SMI::snmpModules.10.1.2.1 is
SNMP-USER-BASED-SM-MIB::usmNoPrivProtocol. This means that your user
is created without a privacy option.
Looking a bit up we find:
> read_config:line: /var/net-snmp/snmpv3d.conf:33 examining: usmUser 1
> 3 0x80001f88801cfa42209b6fa665 "vincent" "vincent" NULL
> .1.3.6.1.6.3.10.1.1.2 0xf6347e2fe5f1ce6ff9b539870dfa3b38
> .1.3.6.1.6.3.10.1.2.1 0x 0x
Where the last OID is the same usmNoPrivProtocol.

So here's my speculation: I've always been told that using createUser
inside the conf file works, but can cause problems. I think you've hit
one of those problems and that you've created the user Vincent before
without a privacy option and it doesn't update its internal definition.
My solution (again, not sure if this is the best way) is to either
manually remove the appropriate usmUser line from
/var/net-snmp/snmpv3d.conf (after stopping the daemon), or try to
remove it over the wire via snmpusm(1) (not sure if this works with
your daemon) and restart your daemon.

Hope this helps.

Martijn

On Mon, 2024-01-29 at 13:08 +, Vincent Gilson wrote:
> 
> 
> 
> Hi Martijn,
>  
> Thanks for your feedback!
>  
> I’m not using the snmpd command line daemon as I handle it in my own Linux 
> application, so I couldn’t start it with -Dusm. But I’m guessing calling 
> debug_enable_token_logs("usm"); in my application could do the trick… Anyway, 
> I activated the (debug) logs, and the user ‘vincent’ seems to be created 
> correctly, but I’m not sure.
> 
> The request frame tells ‘unsupported security level’, which confirms it, but 
> I still don’t know why.
>  
> Any ideas ?
> 
> ((( I put what seems important to me at first (see “highlights” below), but I 
> may have missed something so I added more details (see “In details “) under 
> it. )))
> 
> Regards,
> Vincent.
>  
> =
> Highlights :
> 
>  
> -
> Reading config file :
> -
>  
> read_config:line: /usr/local/etc/snmp//snmpv3d.conf:8 examining: createUser 
> vincent SHA myauthpw DES myPrivAuthPhrase
> …
> read_config:parser: Found a parser.  Calling it: createUser / vincent SHA 
> myauthpw DES myPrivAuthPhrase
> …
> 9:usmUser: truncating privKeyLen from 20 to 16
> trace: usm_create_usmUser_from_string(): snmpusm.c, 4792:
> usmUser: created a new user vincent at 80 00 1F 88 80 1C FA 42 20 9B 6F A6 65
> …
> read_config:line: /usr/local/etc/snmp//snmpv3d.conf:9 examining: rwuser -s 
> usm vincent priv
> trace: run_config_handler(): read_config.c, 543:
> read_config:parser: Found a parser.  Calling it: rwuser / -s usm vincent priv
> trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 871:
> rwuser: setting auth level: "priv"
> trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 1013:
> rwuser: passing: group grpvincent usm "vincent"
> trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 1052:
> rwuser: passing: access grpvincent "" usm priv prefix _all_ _all_ _all_
> …
> read_config:line: /var/net-snmp/snmpv3d.conf:33 examining: usmUser 1 3 
> 0x80001f88801cfa42209b6fa665 "vincent" "vincent" NULL .1.3.6.1.6.3.10.1.1.2 
> 0xf6347e2fe5f1ce6ff9b539870dfa3b38 .1.3.6.1.6.3.10.1.2.1 0x 0x
> trace: run_config_handler(): read_config.c, 563:
> 9:read_config:parser: usmUser handler not registered for this time
> …
>  
> -
> Request handling :
> -
> usm: match on user vincent
> trace: usm_check_secLevel(): snmpusm.c, 2738:
> comparex: Comparing: 1 3 SNMPv2-SMI::snmpModules.10.1.2.1
> trace: usm_check_secLevel(): snmpusm.c, 2747:
> usm: Level: 3
> trace: usm_check_secLevel(): snmpusm.c, 2748:
> usm: User (vincent) Auth Protocol: SNMPv2-SMI::snmpModules.10.1.1.2, User 
> Priv Protocol: SNMPv2-SMI::snmpModules.10.1.2.1
> trace: usm_process_in_msg(): snmpusm.c, 2980:
> usm: Unsupported Security Level (3).
> trace: snmpv3_parse(): snmp_api.c, 3994:
> dumph_recv: ScopedPDU
> trace: _snmp_parse(): snmp_api.c, 4401:
> snmp_parse: Parsed SNMPv3 message (secName:vincent, secLevel:authPriv): USM 
> unsupported security level (this user has not been configured for that level 
> of security)
>  
>  
>  
> =
> =
> =
> In details :
> 
>  
> trace: read_config(): read_config.c, 853:
> 
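The two pieces of evidence in this thread, the usmStatsUnsupportedSecLevels report (1.3.6.1.6.3.15.1.1.1.0) answered to the msgFlags 07 request in Vincent's capture, and the persisted usmUser line Martijn points at, fit together once the OIDs are decoded against SNMP-USER-BASED-SM-MIB: .1.3.6.1.6.3.10.1.1.2 is usmHMACMD5AuthProtocol and .1.3.6.1.6.3.10.1.2.1 is usmNoPrivProtocol, so the user the agent actually holds can serve at most authNoPriv. The following Python is an added example written for this page, not code from the thread, from Net-SNMP or from SnmpB. It parses a persisted usmUser line (the field layout is read off the line quoted above), replays the security-level comparison that produces the report, and removes a stale usmUser entry from the persistent store text the way the reply suggests. The sample file contents are constructed from the quoted line; the second user "other" and its placeholder keys are made up.

```python
"""Added example (not code from this thread or from Net-SNMP): decode the
USM protocol OIDs in a persisted snmpv3d.conf 'usmUser' line, replay the
security-level check that yields the usmStatsUnsupportedSecLevels report
seen in the capture, and drop a stale usmUser entry as the reply suggests.
The usmUser field layout is read off the line quoted in the thread; the
sample file text below is constructed, and the "other" user is made up.
"""
import shlex

# Protocol OIDs: SNMP-USER-BASED-SM-MIB (RFC 3414), SNMP-USM-AES-MIB (RFC 3826).
AUTH_PROTOCOLS = {
    "1.3.6.1.6.3.10.1.1.1": "usmNoAuthProtocol",
    "1.3.6.1.6.3.10.1.1.2": "usmHMACMD5AuthProtocol",
    "1.3.6.1.6.3.10.1.1.3": "usmHMACSHAAuthProtocol",
}
PRIV_PROTOCOLS = {
    "1.3.6.1.6.3.10.1.2.1": "usmNoPrivProtocol",
    "1.3.6.1.6.3.10.1.2.2": "usmDESPrivProtocol",
    "1.3.6.1.6.3.10.1.2.4": "usmAesCfb128Protocol",
}
NO_AUTH, NO_PRIV = "1.3.6.1.6.3.10.1.1.1", "1.3.6.1.6.3.10.1.2.1"

# USM security levels (RFC 3414) and msgFlags bits (RFC 3412).
NOAUTH_NOPRIV, AUTH_NOPRIV, AUTH_PRIV = 1, 2, 3
LEVEL_NAMES = {1: "noAuthNoPriv", 2: "authNoPriv", 3: "authPriv"}
FLAG_AUTH, FLAG_PRIV, FLAG_REPORTABLE = 0x01, 0x02, 0x04
# usmStats counter the agent reports when the user cannot serve the level.
USM_STATS_UNSUPPORTED_SEC_LEVELS = "1.3.6.1.6.3.15.1.1.1.0"

# Constructed persistent-store sample: the usmUser line quoted in the
# thread plus a hypothetical SHA/AES user with placeholder keys.
SAMPLE_SNMPV3D_CONF = """\
engineBoots 17
usmUser 1 3 0x80001f88801cfa42209b6fa665 "vincent" "vincent" NULL .1.3.6.1.6.3.10.1.1.2 0xf6347e2fe5f1ce6ff9b539870dfa3b38 .1.3.6.1.6.3.10.1.2.1 0x 0x
usmUser 1 3 0x80001f88801cfa42209b6fa665 "other" "other" NULL .1.3.6.1.6.3.10.1.1.3 0x00 .1.3.6.1.6.3.10.1.2.4 0x00 0x
"""


def parse_usm_user(line):
    """Split one persisted usmUser line into named fields.

    Field order, as in the quoted line: status storageType engineID name
    secName cloneFrom authProtocol authKey privProtocol privKey userPublic.
    """
    tok = shlex.split(line)
    if len(tok) < 12 or tok[0] != "usmUser":
        raise ValueError("not a usmUser line: %r" % line)
    auth_oid, priv_oid = tok[7].lstrip("."), tok[9].lstrip(".")
    return {
        "engine_id": tok[3],
        "name": tok[4],
        "sec_name": tok[5],
        "auth_oid": auth_oid,
        "auth_proto": AUTH_PROTOCOLS.get(auth_oid, "unknown"),
        "priv_oid": priv_oid,
        "priv_proto": PRIV_PROTOCOLS.get(priv_oid, "unknown"),
    }


def max_sec_level(user):
    """Highest level the stored protocols allow (what usm_check_secLevel tests)."""
    if user["auth_oid"] == NO_AUTH:
        return NOAUTH_NOPRIV
    if user["priv_oid"] == NO_PRIV:
        return AUTH_NOPRIV
    return AUTH_PRIV


def level_from_msg_flags(flags):
    """Security level requested by an SNMPv3 header's msgFlags byte.
    The capture shows 07 = reportable + encrypted + authenticated."""
    if flags & FLAG_PRIV and not flags & FLAG_AUTH:
        raise ValueError("privacy without authentication is invalid (RFC 3412)")
    if flags & FLAG_PRIV:
        return AUTH_PRIV
    return AUTH_NOPRIV if flags & FLAG_AUTH else NOAUTH_NOPRIV


def check_sec_level(user, requested):
    """None if the user can serve `requested`, else the OID of the report
    the agent answers with instead of processing the PDU."""
    if requested <= max_sec_level(user):
        return None
    return USM_STATS_UNSUPPORTED_SEC_LEVELS


def drop_persisted_user(conf_text, name):
    """Remove every usmUser entry for `name` so the next start re-creates the
    user from createUser. Only edit the file while the agent is stopped: it
    rewrites the persistent store on shutdown."""
    kept = [
        line for line in conf_text.splitlines()
        if not (line.startswith("usmUser") and shlex.split(line)[4:5] == [name])
    ]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    want = level_from_msg_flags(0x07)
    for line in SAMPLE_SNMPV3D_CONF.splitlines():
        if line.startswith("usmUser"):
            u = parse_usm_user(line)
            print(u["name"], u["auth_proto"], u["priv_proto"],
                  "max", LEVEL_NAMES[max_sec_level(u)],
                  "authPriv ->", check_sec_level(u, want) or "ok")
    print(drop_persisted_user(SAMPLE_SNMPV3D_CONF, "vincent"), end="")
```

Run against the quoted line, the "vincent" entry decodes to MD5 auth and no privacy, so the authPriv request is answered with the report OID; the made-up "other" entry passes. The file rewrite is only meaningful while the agent is stopped, since Net-SNMP writes the persistent store back on shutdown and would resurrect the entry.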

RE: SNMPv3 DES issue

2024-01-29 Thread Vincent Gilson via Net-snmp-coders
Hi Martijn,

Thanks for your feedback!

I’m not using the snmpd command line daemon as I handle it in my own Linux 
application, so I couldn’t start it with -Dusm. But I’m guessing calling 
debug_enable_token_logs("usm"); in my application could do the trick… Anyway, I 
activated the (debug) logs, and the user ‘vincent’ seems to be created 
correctly, but I’m not sure.

The request frame tells ‘unsupported security level’, which confirms it, but I 
still don’t know why.

Any ideas ?

((( I put what seems important to me at first (see “highlights” below), but I 
may have missed something so I added more details (see “In details “) under it. 
)))

Regards,
Vincent.

=
Highlights :


-
Reading config file :
-

read_config:line: /usr/local/etc/snmp//snmpv3d.conf:8 examining: createUser 
vincent SHA myauthpw DES myPrivAuthPhrase
…
read_config:parser: Found a parser.  Calling it: createUser / vincent SHA 
myauthpw DES myPrivAuthPhrase
…
9:usmUser: truncating privKeyLen from 20 to 16
trace: usm_create_usmUser_from_string(): snmpusm.c, 4792:
usmUser: created a new user vincent at 80 00 1F 88 80 1C FA 42 20 9B 6F A6 65
…
read_config:line: /usr/local/etc/snmp//snmpv3d.conf:9 examining: rwuser -s usm 
vincent priv
trace: run_config_handler(): read_config.c, 543:
read_config:parser: Found a parser.  Calling it: rwuser / -s usm vincent priv
trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 871:
rwuser: setting auth level: "priv"
trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 1013:
rwuser: passing: group grpvincent usm "vincent"
trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 1052:
rwuser: passing: access grpvincent "" usm priv prefix _all_ _all_ _all_
…
read_config:line: /var/net-snmp/snmpv3d.conf:33 examining: usmUser 1 3 
0x80001f88801cfa42209b6fa665 "vincent" "vincent" NULL .1.3.6.1.6.3.10.1.1.2 
0xf6347e2fe5f1ce6ff9b539870dfa3b38 .1.3.6.1.6.3.10.1.2.1 0x 0x
trace: run_config_handler(): read_config.c, 563:
9:read_config:parser: usmUser handler not registered for this time
…

-
Request handling :
-
usm: match on user vincent
trace: usm_check_secLevel(): snmpusm.c, 2738:
comparex: Comparing: 1 3 SNMPv2-SMI::snmpModules.10.1.2.1
trace: usm_check_secLevel(): snmpusm.c, 2747:
usm: Level: 3
trace: usm_check_secLevel(): snmpusm.c, 2748:
usm: User (vincent) Auth Protocol: SNMPv2-SMI::snmpModules.10.1.1.2, User Priv 
Protocol: SNMPv2-SMI::snmpModules.10.1.2.1
trace: usm_process_in_msg(): snmpusm.c, 2980:
usm: Unsupported Security Level (3).
trace: snmpv3_parse(): snmp_api.c, 3994:
dumph_recv: ScopedPDU
trace: _snmp_parse(): snmp_api.c, 4401:
snmp_parse: Parsed SNMPv3 message (secName:vincent, secLevel:authPriv): USM 
unsupported security level (this user has not been configured for that level of 
security)



=
=
=
In details :


trace: read_config(): read_config.c, 853:
9:read_config:line: /usr/local/etc/snmp//snmpv3d.conf:8 examining: createUser 
vincent SHA myauthpw DES myPrivAuthPhrase
trace: read_config(): read_config.c, 981:
read_config:line: /usr/local/etc/snmp//snmpv3d.conf:8 examining: createUser 
vincent SHA myauthpw DES myPrivAuthPhrase
trace: run_config_handler(): read_config.c, 543:
read_config:parser: Found a parser.  Calling it: createUser / vincent SHA 
myauthpw DES myPrivAuthPhrase
trace: sc_get_auth_oid(): scapi.c, 417:
trace: sc_find_auth_alg_bytype(): scapi.c, 316:
trace: sc_get_authtype(): scapi.c, 341:
trace: sc_find_auth_alg_byoid(): scapi.c, 269:
trace: sc_get_openssl_hashfn(): scapi.c, 634:
trace: sc_get_authtype(): scapi.c, 341:
trace: sc_find_auth_alg_byoid(): scapi.c, 269:
trace: sc_get_proper_auth_length_bytype(): scapi.c, 398:
trace: sc_find_auth_alg_bytype(): scapi.c, 316:
trace: sc_get_authtype(): scapi.c, 341:
trace: sc_find_auth_alg_byoid(): scapi.c, 269:
trace: sc_get_proper_auth_length_bytype(): scapi.c, 398:
trace: sc_find_auth_alg_bytype(): scapi.c, 316:
trace: sc_hash(): scapi.c, 889:
trace: sc_get_authtype(): scapi.c, 341:
trace: sc_find_auth_alg_byoid(): scapi.c, 269:
trace: sc_hash_type(): scapi.c, 942:
trace: sc_get_proper_auth_length_bytype(): scapi.c, 398:
trace: sc_find_auth_alg_bytype(): scapi.c, 316:
trace: sc_get_openssl_hashfn(): scapi.c, 634:
trace: usm_create_usmUser_from_string(): snmpusm.c, 4655:
9:usmUser: privProtocol DES
trace: sc_get_priv_alg_bytype(): scapi.c, 248:
trace: usm_create_usmUser_from_string(): snmpusm.c, 4662:
9:usmUser: pai usmDESPrivProtocol
trace: sc_get_authtype(): scapi.c, 341:
trace: sc_find_auth_alg_byoid(): scapi.c, 269:
trace: sc_get_openssl_hashfn(): scapi.c, 634:
trace: sc_get_authtype(): scapi.c, 341:
trace: sc_find_auth_alg_byoid(): scapi.c, 26
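The "usmUser: truncating privKeyLen from 20 to 16" line in the debug output above is the normal result of the RFC 3414 key derivation that createUser performs: the passphrase is hashed (repeated to 1 MiB) with the user's auth protocol, localized with the engine ID, and, for the privacy key, cut to what the cipher needs. With SHA-1 that is 20 bytes in, and DES (8-byte key plus 8-byte pre-IV) or AES-128 keep 16. The following Python is an added example written for this page, not code from the thread or from Net-SNMP; it implements those steps with hashlib. The passphrases are the ones from the snmpd.conf quoted earlier and the engine ID is the one in the capture; the RFC 3414 Appendix A test vectors are used to confirm the derivation.

```python
"""Added example (not code from this thread or from Net-SNMP): the RFC 3414
password-to-key and key-localization steps that createUser runs for each
engine, including the cut from a 20-byte SHA-1 derived key to the 16 bytes
DES (8-byte key + 8-byte pre-IV) and AES-128 use, which is what the
"truncating privKeyLen from 20 to 16" debug line in the thread records.
Passphrases below are the ones from the thread; the engine ID is the one
in the capture.
"""
import hashlib

ONE_MIB = 1024 * 1024
AUTH_HASH = {"MD5": "md5", "SHA": "sha1"}
# Localized key bytes kept per privacy protocol (RFC 3414 DES, RFC 3826 AES).
PRIV_KEY_LEN = {"DES": 16, "AES": 16}

ENGINE_ID = bytes.fromhex("80001f88801cfa42209b6fa665")  # from the capture


def password_to_key(password, auth_proto):
    """RFC 3414 A.2: Ku = H(password repeated cyclically to exactly 1 MiB)."""
    pw = password.encode()
    stream = (pw * (ONE_MIB // len(pw) + 1))[:ONE_MIB]
    return hashlib.new(AUTH_HASH[auth_proto], stream).digest()


def localize_key(ku, engine_id, auth_proto):
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku). The same passphrase
    gives a different key on every engine, so a stored key is only valid
    for the engine ID it was derived with."""
    return hashlib.new(AUTH_HASH[auth_proto], ku + engine_id + ku).digest()


def derive_user_keys(auth_proto, auth_pass, priv_proto, priv_pass, engine_id):
    """Keys an agent stores for 'createUser name <auth_proto> <auth_pass>
    [<priv_proto> <priv_pass>]' on the engine `engine_id`."""
    auth_key = localize_key(password_to_key(auth_pass, auth_proto), engine_id, auth_proto)
    if priv_proto is None:
        return auth_key, None
    # The privacy key is derived with the *auth* hash, then cut to the
    # cipher's length: SHA-1 yields 20 bytes, DES and AES-128 keep 16.
    full = localize_key(password_to_key(priv_pass, auth_proto), engine_id, auth_proto)
    return auth_key, full[:PRIV_KEY_LEN[priv_proto]]


if __name__ == "__main__":
    akey, pkey = derive_user_keys("SHA", "authpass", "DES", "privauthpass", ENGINE_ID)
    print("SHA auth key (%d bytes):" % len(akey), akey.hex())
    print("DES priv key (%d bytes):" % len(pkey), pkey.hex())
```

Because the localized keys depend on the engine ID, a usmUser entry persisted for one engine ID is useless on another, which is why Net-SNMP stores the engine ID alongside the keys and why a persisted entry created under an older createUser line keeps its old protocols and keys until it is removed.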