From owner-svn-src-all@FreeBSD.ORG Wed Dec 8 17:27:59 2010 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E45DA106566C; Wed, 8 Dec 2010 17:27:59 +0000 (UTC) (envelope-from syrinx@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id D3BA38FC19; Wed, 8 Dec 2010 17:27:59 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id oB8HRxhL009891; Wed, 8 Dec 2010 17:27:59 GMT (envelope-from syrinx@svn.freebsd.org) Received: (from syrinx@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id oB8HRxL0009889; Wed, 8 Dec 2010 17:27:59 GMT (envelope-from syrinx@svn.freebsd.org) Message-Id: <201012081727.oB8HRxL0009889@svn.freebsd.org> 
From: Shteryana Shopova Date: Wed, 8 Dec 2010 17:27:59 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r216300 - head/etc X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Dec 2010 17:28:00 -0000 Author: syrinx Date: Wed Dec 8 17:27:59 2010 New Revision: 216300 URL: http://svn.freebsd.org/changeset/base/216300 Log: Add (disabled) sample configurations needed to enable the snmp_usm and snmp_vacm modules and minimal user/view configurations needed to for the modules to work properly. Sponsored by: The FreeBSD Foundation Reviewed by: philip@ (mostly) Approved by: philip@ Modified: head/etc/snmpd.config Modified: head/etc/snmpd.config ============================================================================== --- head/etc/snmpd.config Wed Dec 8 15:52:06 2010 (r216299) +++ head/etc/snmpd.config Wed Dec 8 17:27:59 2010 (r216300) @@ -12,6 +12,15 @@ system := 1 # FreeBSD traphost := localhost trapport := 162 +# +# Set the SNMP engine ID. +# +# The snmpEngineID object required from the SNMPv3 Framework. If not explicitly set via +# this configuration file, an ID is assigned based on the value of the +# kern.hostid variable +# engine := 0x80:0x10:0x08:0x10:0x80:0x25 +# snmpEngineID = $(engine) + # Change this! read := "public" # Uncomment begemotSnmpdCommunityString.0.2 below that sets the community 
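Review bot: The sample `engine := 0x80:0x10:0x08:0x10:0x80:0x25` is a fixed value that ships to every installation, and the surrounding comment does not say that an engine ID has to be unique per agent or that the localized USM keys introduced in the later hunks are derived from it and stop working when it changes. A short caveat after the kern.hostid sentence would prevent copy-and-paste deployments sharing one engine ID, e.g. `# Use a value unique to this host; the localized user keys below depend on it.` Minor wording: `The snmpEngineID object required from the SNMPv3 Framework` reads better as `required by the SNMPv3 framework`.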
@@ -19,6 +28,26 @@ read := "public" write := "geheim" trap := "mytrap" +# Declarations for SNMP-USER-BASED-SM-MIB authentication and privacy options +NoAuthProtocol := 1.3.6.1.6.3.10.1.1.1 +HMACMD5AuthProtocol := 1.3.6.1.6.3.10.1.1.2 +HMACSHAAuthProtocol := 1.3.6.1.6.3.10.1.1.3 +NoPrivProtocol := 1.3.6.1.6.3.10.1.2.1 +DESPrivProtocol := 1.3.6.1.6.3.10.1.2.2 +AesCfb128Protocol := 1.3.6.1.6.3.10.1.2.4 + +# +# SNMPv3 USM User definition +# +# The localized hex password for a user may be obtained by setting SNMPUSER, SNMPPASSWD, +# SNMPAUTH and SNMPPRIV environment variables to the desired parameters and invoking +# 'bsnmpget -v 3 -D -K -o verbose' against the running bsnmpd(1). For other +# usages refer to the bsnmpget(1) manual page. The following lines define a user "bsnmp" +# which a private password "bsnmp", localized for the above engine ID. +# +# user1 := "bsnmp" +# user1passwd := 0x1b:0x6d:0x9e:0x94:0xbe:0x19:0x17:0xfb:0xde:0x60:0x46:0xfe:0x59:0x6f:0x61:0x95:0xf2:0xc9:0x57:0x1f + # # Configuration # 
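Review bot: `user1passwd` is a localized key computed from the published password "bsnmp" and the published sample engine ID, so an administrator who uncomments both blocks unchanged ends up with an SNMPv3 user whose authentication and privacy keys are public knowledge; the comment explains how to obtain the value but should also state that it must be regenerated for the real engine ID and a real password, e.g. `# Never deploy this sample key; regenerate it for your engine ID and password.` The sentence `define a user "bsnmp" which a private password "bsnmp"` is missing a word and should read `with a private password`. The 20-octet key is consistent with the HMAC-SHA (SHA-1) protocol declared as `HMACSHAAuthProtocol`, which is worth keeping in mind for the protocol description in the next hunk.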
@@ -72,6 +101,113 @@ begemotSnmpdModulePath."mibII" = "/usr/l #begemotIfForcePoll = 2000 # +# SNMPv3 User-based security module - must be loaded for SNMPv3 USM +# +#begemotSnmpdModulePath."usm" = "/usr/lib/snmp_usm.so" + +# +# SNMPv3 USM User definition. +# + +#%usm + +# +# The following block creates a user with name "bsnmp" and sets privacy +# and encryption options to SHA256 message digests and AES encryption +# for this user. +# +# usmUserStatus.$(engine).$(user1) = 5 +# usmUserAuthProtocol.$(engine).$(user1) = $(HMACSHAAuthProtocol) +# usmUserAuthKeyChange.$(engine).$(user1) = $(user1passwd) +# usmUserPrivProtocol.$(engine).$(user1) = $(AesCfb128Protocol) +# usmUserPrivKeyChange.$(engine).$(user1) = $(user1passwd) +# usmUserStatus.$(engine).$(user1) = 1 +# + +# +# The following block creates a user with name "public" with no authentication +# or encyption options. +# +# usmUserStatus.$(engine).$(read) = 5 +# usmUserAuthProtocol.$(engine).$(read) = $(NoAuthProtocol) +# usmUserPrivProtocol.$(engine).$(read) = $(NoPrivProtocol) +# usmUserStatus.$(engine).$(read) = 1 +# + +# +# SNMPv3 View-based Access Control module +# +#begemotSnmpdModulePath."vacm" = "/usr/lib/snmp_vacm.so" + +# +# Definition of view-based access control entries. 
+# +#%vacm + +# Definition of a SNMPv1 group +# vacmSecurityToGroupStatus.1.$(read) = 4 +# vacmGroupName.1.$(read) = $(read) + +# Definition of SNMPv2 group +# vacmSecurityToGroupStatus.2.$(write) = 4 +# vacmGroupName.2.$(write) = $(write) + +# Definition of SNMPv3 group with users "bsnmp" and "public" +# vacmSecurityToGroupStatus.3.$(user1) = 4 +# vacmGroupName.3.$(user1) = $(write) +# vacmSecurityToGroupStatus.3.$(read) = 4 +# vacmGroupName.3.$(read) = $(write) + +# +# The OID of the .iso.org.dod.internet subtree +# +# internetoid := 1.3.6.1 +# internetoidlen := 4 + +# Enumerated values for the privacy options +# noAuthNoPriv := 1 +# authNoPriv := 2 +# authPriv := 3 + +# +# Definitions of two views +# +# vacmViewTreeFamilyStatus."internet".$(internetoidlen).$(internetoid) = 4 +# vacmViewTreeFamilyStatus."restricted".$(internetoidlen).$(internetoid) = 4 + +# +# Access control +# + +# +# Read-only access for SNMPv1 users +# +# vacmAccessStatus.$(read)."".1.1 = 4 +# vacmAccessReadViewName.$(read)."".1.1 = "internet" + +# +# Read-write access for SNMPv2 users +# +# vacmAccessStatus.$(write)."".2.1 = 4 +# vacmAccessReadViewName.$(write)."".2.1 = "internet" +# vacmAccessWriteViewName.$(write)."".2.1 = "internet" + +# +# Read-write-notify access for SNMPv3 USM users with noAuthNoPriv +# +# vacmAccessStatus.$(write)."".3.$(noAuthNoPriv) = 4 +# vacmAccessReadViewName.$(write)."".3.$(noAuthNoPriv) = "internet" +# vacmAccessWriteViewName.$(write)."".3.$(noAuthNoPriv) = "internet" +# vacmAccessNotifyViewName.$(write)."".3.$(noAuthNoPriv) = "internet" + +# +#Read-write-notify access to restricted for SNMPv3 USM users with authPriv +# +# vacmAccessStatus.$(write)."".3.$(authPriv) = 4 +# vacmAccessReadViewName.$(write)."".3.$(authPriv) = "restricted" +# vacmAccessWriteViewName.$(write)."".3.$(authPriv) = "restricted" +# vacmAccessNotifyViewName.$(write)."".3.$(authPriv) = "restricted" + # Netgraph module # #begemotSnmpdModulePath."netgraph" = "/usr/lib/snmp_netgraph.so"
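Review bot: In the sample VACM block the `$(read)` user ("public") is mapped into the `$(write)` group for security model 3 (`vacmGroupName.3.$(read) = $(write)`), and that group is then granted read, write and notify access at `$(noAuthNoPriv)`, so uncommenting the block as-is lets unauthenticated SNMPv3 requests using the public user name write to the whole `internet` view; if the intent is the same read-only treatment the SNMPv1 entry gets, the mapping should be `# vacmGroupName.3.$(read) = $(read)` together with a read-only `# vacmAccessStatus.$(read)."".3.$(noAuthNoPriv) = 4` / `# vacmAccessReadViewName.$(read)."".3.$(noAuthNoPriv) = "internet"` pair. The "restricted" view is defined over the same `1.3.6.1` subtree as "internet", so it restricts nothing; the comment should say it is a placeholder meant to be narrowed. The USM block comment says `SHA256 message digests`, but `HMACSHAAuthProtocol` (1.3.6.1.6.3.10.1.1.3) is HMAC-SHA-1-96 and the sample key in the previous hunk is 20 octets, so it should read `HMAC-SHA-1 authentication and AES privacy`; `encyption` is also a typo.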