Date: Wed, 8 Dec 2010 17:27:59 +0000 (UTC) From: Shteryana Shopova <syrinx@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r216300 - head/etc Message-ID: <201012081727.oB8HRxL0009889@svn.freebsd.org>
Author: syrinx
Date: Wed Dec 8 17:27:59 2010
New Revision: 216300
URL: http://svn.freebsd.org/changeset/base/216300
Log: Add (disabled) sample configurations needed to enable the snmp_usm and snmp_vacm modules and minimal user/view configurations needed to for the modules to work properly.
Sponsored by: The FreeBSD Foundation
Reviewed by: philip@ (mostly)
Approved by: philip@
Modified: head/etc/snmpd.config
Modified: head/etc/snmpd.config
==============================================================================
--- head/etc/snmpd.config Wed Dec 8 15:52:06 2010 (r216299)
+++ head/etc/snmpd.config Wed Dec 8 17:27:59 2010 (r216300)
@@ -12,6 +12,15 @@ system := 1 # FreeBSD
 traphost := localhost
 trapport := 162
 
+#
+# Set the SNMP engine ID.
+#
+# The snmpEngineID object required from the SNMPv3 Framework. If not explicitly set via
+# this configuration file, an ID is assigned based on the value of the
+# kern.hostid variable
+# engine := 0x80:0x10:0x08:0x10:0x80:0x25
+# snmpEngineID = $(engine)
+
 # Change this!
 read := "public"
 # Uncomment begemotSnmpdCommunityString.0.2 below that sets the community
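Review bot: The sample engine ID comment should warn that the value must be unique per agent and never copied verbatim from this file onto several hosts; USM key localization mixes the passphrase with the engine ID (the user1passwd comment later in this commit says the key is "localized for the above engine ID"), so agents sharing one sample ID also share localized keys for the same passphrase and lose the per-engine key separation the SNMPv3 framework relies on. Suggest adding above the `engine :=` line: `# Every agent must use its own unique engine ID; do not reuse this sample value.` The sentence `The snmpEngineID object required from the SNMPv3 Framework.` also lacks a verb and reads better as `The snmpEngineID object is required by the SNMPv3 framework.`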
@@ -19,6 +28,26 @@ read := "public"
 write := "geheim"
 trap := "mytrap"
 
+# Declarations for SNMP-USER-BASED-SM-MIB authentication and privacy options
+NoAuthProtocol := 1.3.6.1.6.3.10.1.1.1
+HMACMD5AuthProtocol := 1.3.6.1.6.3.10.1.1.2
+HMACSHAAuthProtocol := 1.3.6.1.6.3.10.1.1.3
+NoPrivProtocol := 1.3.6.1.6.3.10.1.2.1
+DESPrivProtocol := 1.3.6.1.6.3.10.1.2.2
+AesCfb128Protocol := 1.3.6.1.6.3.10.1.2.4
+
+#
+# SNMPv3 USM User definition
+#
+# The localized hex password for a user may be obtained by setting SNMPUSER, SNMPPASSWD,
+# SNMPAUTH and SNMPPRIV environment variables to the desired parameters and invoking
+# 'bsnmpget -v 3 -D -K -o verbose' against the running bsnmpd(1). For other
+# usages refer to the bsnmpget(1) manual page. The following lines define a user "bsnmp"
+# which a private password "bsnmp", localized for the above engine ID.
+#
+# user1 := "bsnmp"
+# user1passwd := 0x1b:0x6d:0x9e:0x94:0xbe:0x19:0x17:0xfb:0xde:0x60:0x46:0xfe:0x59:0x6f:0x61:0x95:0xf2:0xc9:0x57:0x1f
+
 #
 # Configuration
 #
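Review bot: The user1passwd comment should state explicitly that the localized key is tied to the `engine` value and must be regenerated whenever the engine ID changes; "localized for the above engine ID" is easy to miss, and a key localized for the sample engine ID will not work against an agent that uses a different one. Suggest `# NOTE: a localized key is only valid for the engine ID it was generated for; regenerate user1passwd after changing 'engine'.` Once these lines are uncommented the file holds localized keys in clear hex, so a one-line reminder that it must not be world-readable would be appropriate next to them. The phrase `which a private password "bsnmp"` should read `with the private password "bsnmp"`.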
@@ -72,6 +101,113 @@ begemotSnmpdModulePath."mibII" = "/usr/l
 #begemotIfForcePoll = 2000
 
 #
+# SNMPv3 User-based security module - must be loaded for SNMPv3 USM
+#
+#begemotSnmpdModulePath."usm" = "/usr/lib/snmp_usm.so"
+
+#
+# SNMPv3 USM User definition.
+#
+
+#%usm
+
+#
+# The following block creates a user with name "bsnmp" and sets privacy
+# and encryption options to SHA256 message digests and AES encryption
+# for this user.
+#
+# usmUserStatus.$(engine).$(user1) = 5
+# usmUserAuthProtocol.$(engine).$(user1) = $(HMACSHAAuthProtocol)
+# usmUserAuthKeyChange.$(engine).$(user1) = $(user1passwd)
+# usmUserPrivProtocol.$(engine).$(user1) = $(AesCfb128Protocol)
+# usmUserPrivKeyChange.$(engine).$(user1) = $(user1passwd)
+# usmUserStatus.$(engine).$(user1) = 1
+#
+
+#
+# The following block creates a user with name "public" with no authentication
+# or encyption options.
+#
+# usmUserStatus.$(engine).$(read) = 5
+# usmUserAuthProtocol.$(engine).$(read) = $(NoAuthProtocol)
+# usmUserPrivProtocol.$(engine).$(read) = $(NoPrivProtocol)
+# usmUserStatus.$(engine).$(read) = 1
+#
+
+#
+# SNMPv3 View-based Access Control module
+#
+#begemotSnmpdModulePath."vacm" = "/usr/lib/snmp_vacm.so"
+
+#
+# Definition of view-based access control entries.
+#
+#%vacm
+
+# Definition of a SNMPv1 group
+# vacmSecurityToGroupStatus.1.$(read) = 4
+# vacmGroupName.1.$(read) = $(read)
+
+# Definition of SNMPv2 group
+# vacmSecurityToGroupStatus.2.$(write) = 4
+# vacmGroupName.2.$(write) = $(write)
+
+# Definition of SNMPv3 group with users "bsnmp" and "public"
+# vacmSecurityToGroupStatus.3.$(user1) = 4
+# vacmGroupName.3.$(user1) = $(write)
+# vacmSecurityToGroupStatus.3.$(read) = 4
+# vacmGroupName.3.$(read) = $(write)
+
+#
+# The OID of the .iso.org.dod.internet subtree
+#
+# internetoid := 1.3.6.1
+# internetoidlen := 4
+
+# Enumerated values for the privacy options
+# noAuthNoPriv := 1
+# authNoPriv := 2
+# authPriv := 3
+
+#
+# Definitions of two views
+#
+# vacmViewTreeFamilyStatus."internet".$(internetoidlen).$(internetoid) = 4
+# vacmViewTreeFamilyStatus."restricted".$(internetoidlen).$(internetoid) = 4
+
+#
+# Access control
+#
+
+#
+# Read-only access for SNMPv1 users
+#
+# vacmAccessStatus.$(read)."".1.1 = 4
+# vacmAccessReadViewName.$(read)."".1.1 = "internet"
+
+#
+# Read-write access for SNMPv2 users
+#
+# vacmAccessStatus.$(write)."".2.1 = 4
+# vacmAccessReadViewName.$(write)."".2.1 = "internet"
+# vacmAccessWriteViewName.$(write)."".2.1 = "internet"
+
+#
+# Read-write-notify access for SNMPv3 USM users with noAuthNoPriv
+#
+# vacmAccessStatus.$(write)."".3.$(noAuthNoPriv) = 4
+# vacmAccessReadViewName.$(write)."".3.$(noAuthNoPriv) = "internet"
+# vacmAccessWriteViewName.$(write)."".3.$(noAuthNoPriv) = "internet"
+# vacmAccessNotifyViewName.$(write)."".3.$(noAuthNoPriv) = "internet"
+
+#
+#Read-write-notify access to restricted for SNMPv3 USM users with authPriv
+#
+# vacmAccessStatus.$(write)."".3.$(authPriv) = 4
+# vacmAccessReadViewName.$(write)."".3.$(authPriv) = "restricted"
+# vacmAccessWriteViewName.$(write)."".3.$(authPriv) = "restricted"
+# vacmAccessNotifyViewName.$(write)."".3.$(authPriv) = "restricted"
+
 # Netgraph module
 #
 #begemotSnmpdModulePath."netgraph" = "/usr/lib/snmp_netgraph.so"
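Review bot: The sample VACM entries, once uncommented as a set, give the unauthenticated SNMPv3 user "public" write access: `vacmGroupName.3.$(read) = $(write)` puts that user in the $(write) group, and `vacmAccessWriteViewName.$(write)."".3.$(noAuthNoPriv) = "internet"` (plus the Notify line next to it) grants that group write and notify rights on the whole internet view at the noAuthNoPriv level, so the sample models a configuration in which anyone reaching the agent can set objects without credentials. The sample should either drop the `vacmAccessWriteViewName`/`vacmAccessNotifyViewName` lines for `3.$(noAuthNoPriv)` or place the "public" user in a separate read-only group, with a comment explaining that unauthenticated levels should stay read-only. Separately, the comment `sets privacy and encryption options to SHA256 message digests` is wrong: `$(HMACSHAAuthProtocol)` is 1.3.6.1.6.3.10.1.1.3, the HMAC-SHA-96 protocol built on SHA-1, so it should read `sets authentication and privacy options to HMAC-SHA-96 (SHA-1) and AES encryption`; `encyption` in the "public" block is also misspelled.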