Saturday, March 5, 2011

Setup SNMP V3 USM with encryption.

SNMP v3 introduces advanced security which support USM(user-based security model) and data encryption,  SNMPv1 and SNMPv2 only support access control  based on community string and  send data in clear text. SNMP V3 on longer has the term: community string and (it seems) the ability to control access based on source network.
The following instructions are based on Centos 5.5 + NET-SNMP   5.3.2.2
Create user
Create user guest_user whose password is "Pass0001" and shared key for encryption is "sharedkey001"
 Put create user command into file /var/net-snmp/snmpd.conf, once snmpd restarted, the line will be deleted for security reason and the user will be created in usmUsertable
$cat /var/net-snmp/snmpd.conf
createUser guest_user     MD5 "Pass0001" DES "sharedkey001"
Grant user permission to all OIDs (.1) 
$ cat /etc/snmp/snmpd.conf
##authuser    read,write [-s secmodel] user [noauth|auth|priv [oid|-V view]]
#auth=authentication no privacy (encryption)
#priv=authentication plus privacy (encryption)
authuser   read -s usm  guest_user priv  .1
Restart snmpd
service snmpd restart
Test  by snmpget
$snmpget -v 3 -u guest_user -l Priv -a MD5 -A Pass0001 -x DES -X sharedkey001 192.168.56.31 sysName.0
NMPv2-MIB::sysName.0 = STRING: centos64.local.net
List users
$ snmptable -v 3 -u guest_user   -l Priv  -a MD5 -A Pass0001 -x DES -X sharedkey001  192.168.56.31 usmUsertable
SNMP table: SNMP-USER-BASED-SM-MIB::usmUserTable
guest_user
Add  user
#add  user guest_user2  by cloning guest_user
#The connecting user must be given write access (authuser read,write …. )  in order to add/delete users
$snmpusm -v 3 -u guest_user   -l Priv  -a MD5 -A Pass0001 -x DES -X sharedkey001  192.168.56.31 create  guest_user2  guest_user
User successfully created
Delete user
$snmpusm -v 3 -u guest_user   -l Priv  -a MD5 -A Pass0001 -x DES -X sharedkey001  192.168.56.31 delete  me2
Client configuration file snmp.conf You can put most command options in client config file: /etc/snmp/snmp.conf or  ~/.snmp/snmp.conf
$cat ~/.snmp/snmp.conf
defVersion 3
defSecurityName guest_user
defAuthType MD5
defSecurityLevel authPriv
defAuthPassphrase Pass0001
defPrivType  DES
defPrivPassphrase sharedkey001
#the long command can be simplified to
$snmpget  192.168.56.31 sysName.0
SNMPv2-MIB::sysName.0 = STRING: centos64.local.net

2 comments:

  1. Hey,
    I just hopped over to your site via Stumbleupon. Not somthing I would normally read, but I liked your thoughts none the less. Thanks for making something worth reading.


    Pgp

    ReplyDelete
  2. I’m impressed!! Really informative blog post here my friend I just wanted to comment & say keep up the quality work.

    Pgp

    ReplyDelete