From owner-freebsd-net@FreeBSD.ORG Thu Oct 28 18:42:20 2010 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DABFE106566C; Thu, 28 Oct 2010 18:42:20 +0000 (UTC) (envelope-from shteryana@gmail.com) Received: from mail-qy0-f175.google.com (mail-qy0-f175.google.com [209.85.216.175]) by mx1.freebsd.org (Postfix) with ESMTP id 743208FC1D; Thu, 28 Oct 2010 18:42:20 +0000 (UTC) Received: by qyk7 with SMTP id 7so5135300qyk.13 for ; Thu, 28 Oct 2010 11:42:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:sender:reply-to:received :date:x-google-sender-auth:message-id:subject:from:to:content-type; bh=MV6/XeqWdPZSfhg4PV7R0HH8El4bziZsNKzDFT2OBQI=; b=TjvrDOSQFaPOjD/E6rQbimThJYvIKxSp5V6j+rK7vWNnnJb52b/MIWBz813QLwRMDD 1fjwjN0a3qJyywz1zaVXWKAE9+s8RFtrkwT5IQI6vxNwyRYG802+fxqy68W+pJQ4f6LH 8xtvW4dawONUF0do3CyOzM8NSlcQTWDIBC8Bw= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:reply-to:date:x-google-sender-auth:message-id :subject:from:to:content-type; b=TzOxRSkFauZiA5a++owypGUEyO1Wd6f0H0S4aB5r78Pn+V9oPyhl5FydWaSBnV28bN O+1RBt+A7XMoR/HPQAYY5R63Nnqv+v8LPhbDMYorwF+7hU5/7Isxv+E8eYUwGUYpbroM YpZLEbyhXrC+Ps3Z1Wrjs9k1iCrCLMZ0l2Ez4= MIME-Version: 1.0 Received: by 10.229.88.15 with SMTP id y15mr396767qcl.39.1288289977558; Thu, 28 Oct 2010 11:19:37 -0700 (PDT) Sender: shteryana@gmail.com Received: by 10.229.230.202 with HTTP; Thu, 28 Oct 2010 11:19:37 -0700 (PDT) Date: Thu, 28 Oct 2010 21:19:37 +0300 X-Google-Sender-Auth: eWmyYPo6-CBRJAz4sa-Cv9LBfCc Message-ID: From: Shteryana Shopova To: "freebsd-net@FreeBSD.org" , freebsd-current@freebsd.org Content-Type: text/plain; charset=UTF-8 Cc: Subject: Call for testers: SNMPv3 support for bsnmpd(1) X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: syrinx@FreeBSD.org List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Oct 2010 18:42:20 -0000 Dear all, I am happy to announce that work on SNMPv3 support for bsnmpd(1) is now completed and ready for testing. I want to thank the FreeBSD Foundation for funding this work. A quick how-to get started with the changes bsnmpd(1) follows. The patch against FreeBSD current sources is available under http://people.freebsd.org/~syrinx/snmp/svn-snmpd-20101028-02.diff. To compile && install the sources #cd #fetch http://people.freebsd.org/~syrinx/snmp/svn-snmpd-20101028-02.diff #mkdir contrib/bsnmp/snmp_vacm && mkdir contrib/bsnmp/snmp_usm && mkdir usr.sbin/bsnmpd/tools && mkdir usr.sbin/bsnmpd/tools/bsnmptools && mkdir usr.sbin/bsnmpd/tools/libbsnmptools && mkdir usr.sbin/bsnmpd/modules/snmp_vacm && mkdir usr.sbin/bsnmpd/modules/snmp_usm #patch < svn-snmpd-20101028-02.diff # The patch contains all changes made to support SNMPv3 in bsnmpd(1) and also bsnmpdtools(1) that were initially developed during Google's Summer of Code 2005 and later together with bsnmpd(1) enhanced to support SNMPv3 encryption and authentication. After the implemented changes bsnmpd(1) should be compatible with old configuration files and unless explicitly specified in its configuration file, it should also retain its current behavior. By default, all SNMP versions are enabled, however as there are no SNMPv3 USM users defined, SNMPv3 packets are silently dropped. To be able to configure SNMPv3 users View-based access rules one needs to load two additional modules in bsnmpd(1) that are not loaded by default - snmp_usm(1) and snmp_vacm(1). This is done by adding the following lines in bsnmpd.config # SNMPv3 User-based security module - must be loaded for SNMPv3 USM begemotSnmpdModulePath."usm" = "/usr/lib/snmp_usm.so" # SNMPv3 View-based Access Control module begemotSnmpdModulePath."vacm" = "/usr/lib/snmp_vacm.so" The objects from SNMP-FRAMEWORK-MIB (snmpEngineID, snmpEngineBoots, snmpEngineTime and snmpEngineMaxMessageSize) are mandatory for an SNMP agent compliant with the SNMPv3 Framework and are supported by bsnmpd(1). A administrative value for the snmpEngineID may be specified via the daemon's configuration file , for example # The SNMP engine ID engine := 0x80:0x00:0x1f:0x88:0x80:0x91:0x04:0xc9:0x0f:0x67:0xe9:0x5b:0x4c snmpEngineID = $(engine) If not present, a default value is assigned to the object based on host id, where bsnmpd(1) is running. SNMPv1 and SNMPv2 communities definitions in the config file have not changes. Definition of SNMPv3 users is done in the usm section of the configuration file, for example %usm NoAuthProtocol := 1.3.6.1.6.3.10.1.1.1 HMACMD5AuthProtocol := 1.3.6.1.6.3.10.1.1.2 HMACSHAAuthProtocol := 1.3.6.1.6.3.10.1.1.3 NoPrivProtocol := 1.3.6.1.6.3.10.1.2.1 DESPrivProtocol := 1.3.6.1.6.3.10.1.2.2 AesCfb128Protocol := 1.3.6.1.6.3.10.1.2.4 user1 := "test" user4 := "testmd5" user6 := "testaes" user4passwd := 0xa4:0x27:0x99:0xe2:0x4b:0x32:0x12:0xec:0xe5:0xf4:0xac:0x83:0x1f:0x75:0xbb:0x59 user6passwd := 0x1b:0x07:0x9b:0x0b:0x75:0xb7:0xab:0xc7:0x77:0x6a:0x1a:0x24:0x02:0x0c:0x3a:0x87:0x4c:0x80:0x80:0x04 # SNMPv3 user with name "test", no authentication, no privacy usmUserStatus.$(engine).$(user1) = 5 usmUserAuthProtocol.$(engine).$(user1) = $(NoAuthProtocol) usmUserPrivProtocol.$(engine).$(user1) = $(NoPrivProtocol) usmUserStatus.$(engine).$(user1) = 1 # SNMPv3 user with name "testmd5", MD5 message digests, no privacy usmUserStatus.$(engine).$(user4) = 5 usmUserAuthKeyChange.$(engine).$(user4) = $(user4passwd) usmUserPrivProtocol.$(engine).$(user4) = $(NoPrivProtocol) usmUserStatus.$(engine).$(user4) = 1 # SNMPv3 user with name "testaes", SHA256 message digests, AES encryption usmUserStatus.$(engine).$(user6) = 5 usmUserAuthProtocol.$(engine).$(user6) = $(HMACSHAAuthProtocol) usmUserAuthKeyChange.$(engine).$(user6) = $(user6passwd) usmUserPrivProtocol.$(engine).$(user6) = $(AesCfb128Protocol) usmUserPrivKeyChange.$(engine).$(user6) = $(user6passwd) usmUserStatus.$(engine).$(user6) = 1 The password of each user specified in the configuration file is the localized password for the current snmpEngineId and may be calculated via bsnmpget(1), for example > setenv | grep SNMP SNMPUSER=testaes SNMPPASSWD=shteryana SNMPAUTH=sha SNMPPRIV=aes > bsnmpget -v 3 -D -K -o verbose Engine ID 0x80001f88809104c90f67e95b4c Boots : 145 Time : 1 Localized keys for testaes SHA : 0x1b079b0b75b7abc7776a1a24020c3a874c808004 AES : 0x1b079b0b75b7abc7776a1a24020c3a87 > Supported authentication options are MD5 and SHA256 or none, and supported encryption options are DES and AES. If encryption is used, authenticaiton is also mandatory. Unless the snmp_vacm(1) module is loaded, all users have access to the values of all MIB objects available in bsnmpd(1). To allow only access to ceratain parts of the MIB subtrees supported in bsnmpd(1) one should use the snmp_vacm(3) module. The module is configured in the %vacm section of the snmpd.config file. To properly configure View-Based access, at least three enties are needed - one specifying a group of users, a second specifying an access rule for the group of users, and a third specifying the MIB subtrees that the group of users is allowed read-only or write access. For example, read := "public" write := "private" %vacm #Definition of a SNMPv1 group in snmp_vacm(3) vacmSecurityToGroupStatus.1.$(read) = 4 vacmGroupName.1.$(read) = $(read) #Definition of a SNMPv2 group in snmp_vacm(3) vacmSecurityToGroupStatus.2.$(write) = 4 vacmGroupName.2.$(write) = $(write) #Definition of a SNMPv3 group, including users "test" and "testaes" in snmp_vacm(3) vacmSecurityToGroupStatus.3.$(user1) = 4 vacmGroupName.3.$(user1) = $(write) vacmSecurityToGroupStatus.3.$(user6) = 4 vacmGroupName.3.$(user6) = $(write) # List of views as per RFC 3415 internetoid := 1.3.6.1 internetoidlen := 4 vacmViewTreeFamilyStatus."internet".$(internetoidlen).$(internetoid) = 4 vacmViewTreeFamilyStatus."restricted".$(internetoidlen).$(internetoid) = 4 noAuthNoPriv := 1 authNoPriv := 2 authPriv := 3 #Read-only access for the users from the SNMPv1 group vacmAccessStatus.$(read)."".1.1 = 4 vacmAccessReadViewName.$(read)."".1.1 = "internet" #Read-write access for the users from the SNMPv2 group vacmAccessStatus.$(write)."".2.1 = 4 vacmAccessReadViewName.$(write)."".2.1 = "internet" vacmAccessWriteViewName.$(write)."".2.1 = "internet" #Read-write-notify access for SNMPv3 USM users with noAuthNoPriv vacmAccessStatus.$(write)."".3.$(noAuthNoPriv) = 4 vacmAccessReadViewName.$(write)."".3.$(noAuthNoPriv) = "internet" vacmAccessReadViewName.$(write)."".3.$(noAuthNoPriv) = "internet" vacmAccessWriteViewName.$(write)."".3.$(noAuthNoPriv) = "internet" vacmAccessNotifyViewName.$(write)."".3.$(noAuthNoPriv) = "internet" #Read-write-notify access for SNMPv3 USM users with authNoPriv vacmAccessStatus.$(write)."".3.$(authNoPriv) = 4 vacmAccessReadViewName.$(write)."".3.$(authNoPriv) = "internet" vacmAccessWriteViewName.$(write)."".3.$(authNoPriv) = "internet" vacmAccessNotifyViewName.$(write)."".3.$(authNoPriv) = "internet" #Read-write-notify access to restricted for SNMPv3 USM users with authPriv vacmAccessStatus.$(write)."".3.$(authPriv) = 4 vacmAccessReadViewName.$(write)."".3.$(authPriv) = "restricted" vacmAccessWriteViewName.$(write)."".3.$(authPriv) = "restricted" vacmAccessNotifyViewName.$(write)."".3.$(authPriv) = "restricted" The snmp_vacm(3) module may be used separately from the snmp_usm(3) module. In case the snmp_usm(3) is not loaded, the snmp_vacm(3) will grant access to the MIB objects in bsnmpd(1) to SNMPv1/v2c users. SNMPv1/v2c user names must match the configured read/wqrite communities in the snmpd.config file. Both modules may be be also configured via SNMP SET requests, but such configuration is not persistent between reboots of bsnmpd(1). bsnmptools(1) may be used to query OID values from bsmnpd(1), the bsnmpget(1) man page specifies all the available command line options that may be passed to the tools. In the simplest case, given that the SNMPUSER, SNMPPASSWD, SNMPAUTH, SNMPPRIV environment variables are set, with SNMPv3 the bsnmptools(1) will perform authomatic engine ID discovery, calculate the correspoding localized keys for the discovered engine ID and query the agent with the appropriate options in the SNMP PDUs, for example > bsnmpwalk -v 3 mib2 Engine ID 0x80001f88809104c90f67e95b4c Boots : 148 Time : 337 Localized keys for testaes SHA : 0x1b079b0b75b7abc7776a1a24020c3a874c808004 AES : 0x1b079b0b75b7abc7776a1a24020c3a87 sysDescr.0 = prometheus 1108790616 FreeBSD 9.0-CURRENT sysObjectId.0 = begemotSnmpdAgentFreeBSD sysUpTime.0 = 36605 sysContact.0 = syrinx@FreeBSD.org sysName.0 = prometheus sysLocation.0 = Somewhere in Europe sysServices.0 = 76 sysORLastChange.0 = 1 sysORID[1] = begemotSnmpdTransUdp .... Enjoy! cheers, Shteryana