On Sat, 2005-08-20 at 21:00 -0700, David T. Perkins wrote:
> I have file snmptrapd.conf with contents:
>   createUser bobby MD5 socks2go
>   createUser fred
>
> I started snmptrapd with the following command line:
>   snmptrapd -f -Le -d -F "%A: %W %v" UDP:40162
>
> When I send a v1 or v2c trap, I get the packet dump
> and a decode. But when I send a v3/USM trap I get
> just a packet dump.

It looks as if this is probably due to the handling of engineIDs.
I found that sending a v3/USM trap was discarded (as you describe)
but a v3/USM inform request was processed successfully.

Closer investigation confirmed this - the SNMPv3 parsing code will
drop any PDU that refers to an unknown user, which means matching
both the user name *and* the security engine ID.

*Generating* SNMPv3 requests will happily ignore an unknown security
name for noAuthNoPriv requests, but receiving them (currently) requires
a proper match. We could weaken that to match the outbound case, but
it wouldn't help with authenticated requests (which is the main point
of SNMPv3 after all!)

If you know the engineID of the trap generator in advance, then

    createUser -e xxxxxx user ....

would allow you to set this up in the trap receiver. But that feels
a bit cumbersome - particularly given the semi-random nature of
Net-SNMP engine IDs.

I'm wondering whether we need to support a "wildcard" engineID
mechanism. Something like

    createUser -e * user ....

which would match the specified username with *any* engineID.

What do people think?

> also, how can I tell
> if the pass phrase matches for authNoPriv or authPriv?

Well, if the pass phrase doesn't match, then the incoming PDU will
be discarded. So if the notification gets as far as the trap handler,
then you know that the pass phrase must have matched.

Dave

_______________________________________________
Net-snmp-coders mailing list
Net-snmp-coders@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
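
A simplified model of the lookup described in the message above, added here as an illustration; it is not Net-SNMP code and not part of the original post. The engineID values and all class and function names are constructed, the model assumes a `createUser` line without `-e` is stored under the receiver's own engineID, and the choice of authoritative engine (sender for a trap, receiver for an inform) follows RFC 3414.

```python
"""Simplified model of USM user lookup keyed on (engineID, userName).
Added illustration only; this is not Net-SNMP source code."""

# Constructed sample engineIDs (not taken from the original message).
RECEIVER_ENGINE_ID = bytes.fromhex("80001f8880aabbccdd")
SENDER_ENGINE_ID = bytes.fromhex("80001f88801122334455")


class UsmUserTable:
    """Users known to the receiver, stored per (engineID, userName) pair."""

    def __init__(self, local_engine_id):
        self.local_engine_id = local_engine_id
        self.users = set()

    def create_user(self, name, engine_id=None):
        # Models 'createUser [-e ENGINEID] name ...'. Assumption: without
        # -e the user is stored under the receiver's own engineID.
        self.users.add((engine_id or self.local_engine_id, name))

    def knows(self, engine_id, name):
        return (engine_id, name) in self.users


def authoritative_engine_id(pdu_type, sender_engine_id, receiver_engine_id):
    # RFC 3414: the sender is authoritative for a trap (unconfirmed),
    # the receiver is authoritative for an inform (confirmed).
    if pdu_type == "trap":
        return sender_engine_id
    if pdu_type == "inform":
        return receiver_engine_id
    raise ValueError(f"unsupported PDU type: {pdu_type}")


def receive(table, pdu_type, user, sender_engine_id):
    """Return 'processed' or 'dropped' for an incoming notification."""
    engine_id = authoritative_engine_id(
        pdu_type, sender_engine_id, table.local_engine_id)
    return "processed" if table.knows(engine_id, user) else "dropped"


if __name__ == "__main__":
    table = UsmUserTable(RECEIVER_ENGINE_ID)
    table.create_user("bobby")                    # no -e, as in the quoted config
    print(receive(table, "trap", "bobby", SENDER_ENGINE_ID))
    print(receive(table, "inform", "bobby", SENDER_ENGINE_ID))
    table.create_user("bobby", SENDER_ENGINE_ID)  # createUser -e <sender engineID>
    print(receive(table, "trap", "bobby", SENDER_ENGINE_ID))
```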