On Mon, Apr 9, 2018 at 12:21 PM, Simon Chamlian <simon.chaml...@mpbc.ca>
wrote:

> Hi ,
>
> Thanks for the information Bill. So  --with-transports="DTLSUDP"
> --with-security-modules="tsm" are not required but simply
> --enable-blumenthal-aes
>
> So I compiled the agent using the following configuration:
>
> ./configure  --disable-embedded-perl
>                  --without-perl-modules with_endianness=big
>                  --enable-mini-agent --with-default-snmp-version="3"
>  --disable-debugging
>                  --with-sys-contact="who@where"
> --with-logfile="/var/log/snmp"
>                  --with-transports="UDP TCP"
>                  --enable-blumenthal-aes
>
> In snmpd.conf I have:
>
>    createUser user   MD5 "authpw-00"
>    rwuser     user
>
>    createUser user1  MD5 "authpw-00" AES "default-00"
>    rwuser     user1
>
>    createUser user2  MD5 "authpw-00" AES192 "default-00"
>    rwuser     user2
>
> 1) The error message "unknown privProtocol" has disappeared from the log file.
> 2) From the MIB browser, I do a GET on one of the OIDs using user (noPriv)
> and it works fine.
> 3) From the MIB browser, I do a GET on one of the OIDs using user2 using
> AES-128 and it works fine.
> 4) From the MIB browser, I do a GET on one of the OIDs using user3 using
> AES-192 and it DOES NOT work! I get the following error in the log file:
>
>      security service 3 error parsing ScopedPDU
>
>  What am I missing?
>

There are two ways to take a short auth key and lengthen it for a strong
privacy algorithm.  Two things to try:

1. Use "AES192C" for the user instead of "AES192" (this uses the "Cisco"
algorithm);
2. Use a stronger auth mechanism, which creates a longer auth key, which
doesn't have to be lengthened for the strong privacy algorithm, avoiding
the question of how to lengthen it. I think SHA suffices, but of course
SHA224, SHA256, SHA384 and SHA512 are available to try.

  Bill
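Both of Bill's options come down to one comparison: the length of the localized key that RFC 3414 derives from the auth passphrase versus the key length the privacy cipher needs. The following is an added example, not code from the thread or from Net-SNMP. It implements the RFC 3414 password-to-key and key-localization steps and reports, for each auth/priv pairing, whether the localized key already covers the cipher's key size (it is then simply truncated) or would have to be extended, which is the step where the AES192 versus AES192C choice arises. The extension algorithms themselves (the Blumenthal draft method and the Cisco variant) are deliberately not reproduced. The function names, the pairing list and the engine IDs are assumptions; the passphrase and engine ID from RFC 3414 appendix A are used only so the derivation can be checked against the published test vectors.

```python
import hashlib

# Bytes of localized key material consumed by the USM privacy protocols
# discussed in the thread (AES-CFB128 takes a 128-bit key; AES192/AES256
# need 24 and 32 bytes).
PRIV_KEY_BYTES = {"AES": 16, "AES192": 24, "AES256": 32}

# Auth protocol names as written on snmpd.conf createUser lines -> hashlib names.
AUTH_DIGEST = {
    "MD5": "md5", "SHA": "sha1", "SHA224": "sha224",
    "SHA256": "sha256", "SHA384": "sha384", "SHA512": "sha512",
}


def password_to_key(password: bytes, auth: str) -> bytes:
    """RFC 3414 A.2: hash the passphrase repeated out to exactly 1,048,576 octets.

    Returns Ku, the engine-independent user key; its length is the digest size
    of the auth hash (16 bytes for MD5, 20 for SHA-1, 32 for SHA-256, ...).
    """
    if not password:
        raise ValueError("empty passphrase")
    h = hashlib.new(AUTH_DIGEST[auth])
    full, rem = divmod(1048576, len(password))
    h.update(password * full + password[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, auth: str) -> bytes:
    """RFC 3414 section 2.6: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(AUTH_DIGEST[auth], ku + engine_id + ku).digest()


def priv_key_status(auth: str, priv: str) -> tuple:
    """Compare the localized key length produced by `auth` with what `priv` needs.

    Returns (status, have, need): 'sufficient' means Kul is at least as long
    as the cipher key and is just truncated; 'needs-extension' means Kul is
    too short and a key-extension algorithm has to be applied first.
    """
    have = hashlib.new(AUTH_DIGEST[auth]).digest_size
    need = PRIV_KEY_BYTES[priv]
    return ("sufficient" if have >= need else "needs-extension", have, need)


def derive_priv_key(password: bytes, engine_id: bytes, auth: str, priv: str) -> bytes:
    """Full privacy-key derivation for pairings that need no extension.

    Raises ValueError for pairings that would require extension, since that
    step (and the AES192 vs AES192C variants) is not reproduced here.
    """
    status, have, need = priv_key_status(auth, priv)
    if status != "sufficient":
        raise ValueError(f"{auth} yields {have} bytes, {priv} needs {need}: "
                         "key extension required")
    return localize_key(password_to_key(password, auth), engine_id, auth)[:need]


if __name__ == "__main__":
    # Constructed pairings: the createUser lines from the thread plus the
    # stronger-auth alternatives Bill lists. The engine ID is constructed too.
    engine_id = bytes.fromhex("800000020100000000")  # constructed, not a real agent
    pairings = [("MD5", "AES"), ("MD5", "AES192"), ("SHA", "AES192"),
                ("SHA224", "AES192"), ("SHA256", "AES256"), ("SHA512", "AES256")]
    for auth, priv in pairings:
        status, have, need = priv_key_status(auth, priv)
        print(f"{auth:6} + {priv:6}: Kul={have:2} bytes, cipher needs {need:2} -> {status}")
    kul = derive_priv_key(b"authpw-00", engine_id, "SHA256", "AES256")
    print("SHA256/AES256 localized key:", kul.hex())
```

Run stand-alone it prints which of the thread's pairings need extension: SHA-1 still gives only 20 bytes, so for AES192 only SHA-224 and longer avoid the extension step, and for AES256 SHA-256 is the shortest auth hash that does. The `derive_priv_key` result for a pairing that needs no extension is what both agent and manager must agree on, which is why mismatched extension algorithms surface as a ScopedPDU decryption failure rather than an auth error.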


>
> On Fri, Apr 6, 2018 at 8:49 PM, Bill Fenner <fen...@gmail.com> wrote:
>
>> Simon,
>>
>> The USM AES192 and AES256 support is based upon an Internet Draft, which
>> never became a standard - therefore, you have to pass
>> "--enable-blumenthal-aes" to ./configure. (You don't have to enable TSM or
>> the TLS transports; that's a whole different kettle of fish.)
>>
>>   Bill
>>
>>
>> On Fri, Apr 6, 2018 at 12:01 PM, Simon Chamlian <simon.chaml...@mpbc.ca>
>> wrote:
>>
>>> Thanks for the tip.
>>>
>>> I did compile with the following options:
>>>
>>>     --disable-embedded-perl
>>>     --without-perl-modules with_endianness=big
>>>     --enable-mini-agent
>>>     --with-default-snmp-version="3"
>>>     --enable-ipv6
>>>     --disable-debugging
>>>     --with-sys-contact="who@where"
>>>     --with-logfile="/var/log/snmp"
>>>
>>> *--with-transports="DTLSUDP TLSTCP"     --with-security-modules="tsm" *
>>>
>>>
>>> Still when I put
>>>
>>> createUser User2  MD5 "passwrd-00" AES192 (or AES-192) "default-00"
>>>
>>> I get an error message:
>>>
>>> snmpd.conf: line 27: Error: unknown privProtocol
>>>
>>> So does SNMP 5.8 support AES192 and AES256?
>>> Is it another syntax I need in snmpd.conf?
>>>
>>> Thanks,
>>>
>>> S.
>>>
>>>
>>>
>>>
>>> On Thu, Apr 5, 2018 at 5:14 PM, Keith Mendoza <panthe...@gmail.com>
>>> wrote:
>>>
>>>> Simon,
>>>> Those options have to be enabled in the configure options. I suggest
>>>> building with the following configure options:
>>>>     --with-transports="DTLSUDP" --with-security-modules="tsm"
>>>>
>>>> There might be other configure options that you need to make it work.
>>>>
>>>> Just note though that SNMPv3 RFC _does not_ specify AES192 and AES256;
>>>> they specified some older algorithms that were "latest and greatest"
>>>> at the time it was being drafted :(
>>>>
>>>> Thanks,
>>>> Keith
>>>>
>>>>
>>>> On Thu, Apr 5, 2018 at 1:54 PM, Simon Chamlian <simon.chaml...@mpbc.ca>
>>>> wrote:
>>>> >
>>>> >
>>>> >
>>>> > Hi,
>>>> >
>>>> > Does Net-SNMP support AES192 or AES256?
>>>> >
>>>> > According to this link
>>>> >
>>>> > http://www.net-snmp.org/wiki/index.php/Strong_Authentication_or_Encryption
>>>> >
>>>> > The short answer is Yes, starting with release 5.8 AES192 and AES256
>>>> are an
>>>> > optional configure option.
>>>> >
>>>> > So I downloaded version 5.8.pre2 and tried:
>>>> >
>>>> >
>>>> >   createUser user2  SHA "passwrd-00" AES192 "default-00"
>>>> >   rwuser       user2
>>>> >
>>>> >   createUser user3  SHA "passwrd-00" AES256 "default-00"
>>>> >   rwuser       user3
>>>> >
>>>> >
>>>> > Does not work. I get an error:
>>>> >   snmpd.conf: line 27: Error: unknown privProtocol
>>>> >   snmpd.conf: line 31: Error: unknown privProtocol
>>>> >
>>>> > Any insight will be highly appreciated.
>>>> >
>>>> > S.
>>>> >
>>>> >
>>>> >
>>>> >
>>>>
>>>
>>>
>>
>
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Net-snmp-coders mailing list
Net-snmp-coders@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders