On 16 February 2010 13:41, Bell, Adam <adam.b...@safenet-inc.com> wrote:
> That is a huge security hole. In fact knowing this, we will have to add some
> kind of extension to explicitly disallow any packet that is not
> authenticated.

Why? If you configure the agent using "rouser" then this will reject any
unauthenticated request. (Since the default is to accept only authNoPriv
or authPriv requests)

> Vacm does not solve this either because anyone could spoof
> the user name in the un-authenticated packet.

The user name could be spoofed - yes. But that wouldn't benefit the
attacker, since the unauthenticated request would then be rejected by
the VACM processing. Remember, VACM allows you to insist that all
requests are authenticated before they are processed.

Try it for yourself if you don't believe me. Configure the agent using
"rouser", and then send a request using -l noauth. This will fail.

Dave

_______________________________________________
Net-snmp-coders mailing list
Net-snmp-coders@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
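
Added example (not part of the thread and not Net-SNMP project code): a small Python check that scans snmpd.conf text for rouser/rwuser and VACM access directives whose minimum security level is noauth, the one case in which the agent would accept an unauthenticated SNMPv3 request. The sample configuration and its user and group names are constructed; the directive layout assumed is the one documented in the snmpd.conf man page.

```python
import shlex

# Constructed sample snmpd.conf; user and group names are placeholders.
SAMPLE_CONF = """\
# SNMPv3 users
rouser  monitor                 # no level given: defaults to auth
rouser  legacy   noauth         # accepts unauthenticated requests
rwuser  admin    priv
rouser  -s usm   ops   noauth .1.3.6.1.2.1.1
access  v3group  ""  usm  noauth  exact  all  none  none
access  secgroup ""  usm  auth    exact  all  none  none
"""

LEVELS = ("noauth", "auth", "priv")

def min_level(tokens):
    """Return (name, level) for a rouser/rwuser/access directive, else None."""
    directive, args = tokens[0], tokens[1:]
    if directive in ("rouser", "rwuser"):
        # Skip leading options; "-s SECMODEL" carries a value.
        while args and args[0].startswith("-"):
            args = args[2:] if args[0] == "-s" else args[1:]
        if not args:
            return None
        # rouser USER [noauth|auth|priv ...]; omitted level means auth.
        level = args[1] if len(args) > 1 and args[1] in LEVELS else "auth"
        return args[0], level
    if directive == "access" and len(args) >= 4:
        # access NAME CONTEXT MODEL LEVEL PREFX READ WRITE NOTIFY
        # Only SNMPv3-capable models matter here; v1/v2c are always noauth.
        if args[2] in ("usm", "any"):
            return args[0], args[3]
    return None

def audit(conf_text):
    """List (line_no, directive, name) entries that admit noAuthNoPriv."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        tokens = shlex.split(line, comments=True)
        if not tokens:
            continue
        parsed = min_level(tokens)
        if parsed and parsed[1] == "noauth":
            findings.append((no, tokens[0], parsed[0]))
    return findings

if __name__ == "__main__":
    for no, directive, name in audit(SAMPLE_CONF):
        print(f"line {no}: {directive} {name} permits unauthenticated requests")
```

An empty result means every SNMPv3 user and access entry in the file requires at least authNoPriv, which is the behaviour the reply describes for a plain "rouser" line.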