Test results (omitted rwuser instruction for brevity):

createUser user0  MD5 "authpw-00"                       Works
createUser user1  MD5 "authpw-00" AES     "default-00"  Works

createUser user2  MD5 "authpw-00" AES192  "default-00"  FAILED
createUser user2c MD5 "authpw-00" AES192C "default-00"  Works

createUser user3  SHA "authpw-00" AES192  "default-00"  FAILED
createUser user3c SHA "authpw-00" AES192C "default-00"  Works

createUser user4  SHA "authpw-00" AES256  "default-00"  FAILED
createUser user4c SHA "authpw-00" AES256C "default-00"  Works

In summary, it works when 'C' is added ("Cisco" algorithm).

Unfortunately I couldn't try SHA224, SHA256, SHA384 and SHA512 since my
browser supports only SHA96

Thank you Bill !!

Simon

On Mon, Apr 9, 2018 at 4:13 PM, Bill Fenner <fen...@gmail.com> wrote:

> On Mon, Apr 9, 2018 at 12:21 PM, Simon Chamlian <simon.chaml...@mpbc.ca>
> wrote:
>
>> Hi ,
>>
>> Thanks for the information Bill. So  --with-transports="DTLSUDP"
>> --with-security-modules="tsm" are not required but simply
>> --enable-blumenthal-aes
>>
>> So I compiled the agent using the following configuration:
>>
>> ./configure --disable-embedded-perl \
>>             --without-perl-modules with_endianness=big \
>>             --enable-mini-agent --with-default-snmp-version="3" \
>>             --disable-debugging \
>>             --with-sys-contact="who@where" \
>>             --with-logfile="/var/log/snmp" \
>>             --with-transports="UDP TCP" \
>>             --enable-blumenthal-aes
>>
>> In snmpd.conf I have:
>>
>>    createUser user   MD5 "authpw-00"
>>    rwuser     user
>>
>>    createUser user1  MD5 "authpw-00" AES "default-00"
>>    rwuser     user1
>>
>>    createUser user2  MD5 "authpw-00" AES192 "default-00"
>>    rwuser     user2
>>
>> 1) The error message unknown privProtocol has disappeared from log file.
>> 2) From the MIB browser, I do a GET on one of the OID using user
>> (noPriv) and it works fine.
>> 3) From the MIB browser, I do a GET on one of the OID using user2 using
>> AES-128 and it works fine .
>> 4) From the MIB browser, I do a GET on one of the OID using user3 using
>> AES-192 and it DOES NOT work! I get the following error in the log file:
>>
>>      security service 3 error parsing ScopedPDU
>>
>>  What I am missing?
>>
>
> There are two ways to take a short auth key and lengthen it for a strong
> privacy algorithm.  Two things to try:
>
> 1. Use "AES192C" for the user instead of "AES192" (this uses the "Cisco"
> algorithm);
> 2. Use a stronger auth mechanism, which creates a longer auth key, which
> doesn't have to be lengthened for the strong privacy algorithm, avoiding
> the question of how to lengthen it. I think SHA suffices, but of course
> SHA224, SHA256, SHA384 and SHA512 are available to try.
>
>   Bill
>
>
>>
>> On Fri, Apr 6, 2018 at 8:49 PM, Bill Fenner <fen...@gmail.com> wrote:
>>
>>> Simon,
>>>
>>> The USM AES192 and AES256 support is based upon an Internet Draft, which
>>> never became a standard - therefore, you have to pass
>>> "--enable-blumenthal-aes" to ./configure. (You don't have to enable TSM or
>>> the TLS transports; that's a whole different kettle of fish.)
>>>
>>>   Bill
>>>
>>>
>>> On Fri, Apr 6, 2018 at 12:01 PM, Simon Chamlian <simon.chaml...@mpbc.ca>
>>> wrote:
>>>
>>>> Thanks for the tip.
>>>>
>>>> I did compile with the following options:
>>>>
>>>>     --disable-embedded-perl
>>>>     --without-perl-modules with_endianness=big
>>>>     --enable-mini-agent
>>>>     --with-default-snmp-version="3"
>>>>     --enable-ipv6
>>>>     --disable-debugging
>>>>     --with-sys-contact="who@where"
>>>>     --with-logfile="/var/log/snmp"
>>>>
>>>>     --with-transports="DTLSUDP TLSTCP"     --with-security-modules="tsm"
>>>>
>>>>
>>>> Still when I put
>>>>
>>>> createUser User2  MD5 "passwrd-00" AES192 (or AES-192) "default-00"
>>>>
>>>> I get an error message:
>>>>
>>>> snmpd.conf: line 27: Error: unknown privProtocol
>>>>
>>>> So does SNMP 5.8 support AES192 and AES256?
>>>> Is it another syntax I need in snmpd.conf?
>>>>
>>>> Thanks,
>>>>
>>>> S.
>>>>
>>>>
>>>>
>>>>
>>>> On Thu, Apr 5, 2018 at 5:14 PM, Keith Mendoza <panthe...@gmail.com>
>>>> wrote:
>>>>
>>>>> Simon,
>>>>> Those options have to be enabled in the configure options. I suggest
>>>>> building with the following configure options:
>>>>>     --with-transports="DTLSUDP" --with-security-modules="tsm"
>>>>>
>>>>> There might be other configure options that you need to make it work.
>>>>>
>>>>> Just note though that SNMPv3 RFC _does not_ specify AES192 and AES256;
>>>>> they specified some older algorithms that were "latest and greatest"
>>>>> at the time it was being drafted :(
>>>>>
>>>>> Thanks,
>>>>> Keith
>>>>>
>>>>>
>>>>> On Thu, Apr 5, 2018 at 1:54 PM, Simon Chamlian <simon.chaml...@mpbc.ca>
>>>>> wrote:
>>>>> >
>>>>> >
>>>>> >
>>>>> > Hi,
>>>>> >
>>>>> > Does Net-SNMP support AES192 or AES256?
>>>>> >
>>>>> > According to this link
>>>>> >
>>>>> > http://www.net-snmp.org/wiki/index.php/Strong_Authentication_or_Encryption
>>>>> >
>>>>> > The short answer is Yes, starting with release 5.8 AES192 and AES256
>>>>> are an
>>>>> > optional configure option.
>>>>> >
>>>>> > So I downloaded version 5.8.pre2 and tried:
>>>>> >
>>>>> >
>>>>> >   createUser user2  SHA "passwrd-00" AES192 "default-00"
>>>>> >   rwuser       user2
>>>>> >
>>>>> >   createUser user3  SHA "passwrd-00" AES256 "default-00"
>>>>> >   rwuser       user3
>>>>> >
>>>>> >
>>>>> > Does not work. I get an error:
>>>>> >   snmpd.conf: line 27: Error: unknown privProtocol
>>>>> >   snmpd.conf: line 31: Error: unknown privProtocol
>>>>> >
>>>>> > Any insight will be highly appreciated.
>>>>> >
>>>>> > S.
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> > ------------------------------------------------------------------------------
>>>>> > Check out the vibrant tech community on one of the world's most
>>>>> > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>>> > _______________________________________________
>>>>> > Net-snmp-coders mailing list
>>>>> > Net-snmp-coders@lists.sourceforge.net
>>>>> > https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
>>>>> >
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>
>
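Added example (not part of the thread and not Net-SNMP's code) showing why Bill's two suggestions work. It derives the USM keys the way RFC 3414 / RFC 7860 specify (password -> Ku -> localized Kul, checkable against the RFC 3414 test vectors) and then applies the two key-extension schemes Net-SNMP picks with and without the trailing "C": my reading of draft-blumenthal-aes-usm-04 for AES192/AES256 and of draft-reeder-snmpv3-usm-3desede-00, the "Cisco" scheme, for AES192C/AES256C. The two extend_* functions are assumptions to confirm against the drafts or snmpusm.c before relying on them; the password "authpw-00" is the one from Simon's snmpd.conf, the engine ID is the RFC 3414 test value, and the priv_key/compare helpers and the PRIV_KEY_LEN table are mine.

```python
"""SNMPv3 USM privacy-key derivation and the two AES192/AES256 key-extension
schemes.  Added example for the net-snmp-coders thread; not Net-SNMP code."""
import hashlib

# snmpEngineID from RFC 3414 Appendix A.3 (test vector value, not a real agent)
ENGINE_ID_RFC3414 = bytes.fromhex("000000000000000000000002")

# Localized privacy-key length each createUser priv protocol needs (my table)
PRIV_KEY_LEN = {"AES": 16, "AES192": 24, "AES256": 32}


def password_to_key(hash_name: str, password: str) -> bytes:
    """RFC 3414 A.2: hash the password repeated out to 1,048,576 octets -> Ku.
    RFC 7860 reuses this for the SHA-2 protocols."""
    pw = password.encode("utf-8")
    expanded = (pw * (1048576 // len(pw) + 1))[:1048576]
    return hashlib.new(hash_name, expanded).digest()


def localize_key(hash_name: str, ku: bytes, engine_id: bytes) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def extend_blumenthal(hash_name: str, kul: bytes, need: int) -> bytes:
    """ASSUMPTION (my reading of draft-blumenthal-aes-usm-04, Net-SNMP's
    AES192/AES256): append H(localized key so far) until long enough, truncate."""
    key = kul
    while len(key) < need:
        key += hashlib.new(hash_name, key).digest()
    return key[:need]


def extend_reeder(hash_name: str, ku: bytes, kul: bytes,
                  engine_id: bytes, need: int) -> bytes:
    """ASSUMPTION (my reading of draft-reeder-snmpv3-usm-3desede-00, the
    "Cisco" scheme behind AES192C/AES256C): re-hash the *unlocalized* Ku,
    localize that hash, append, truncate."""
    key = kul
    ku_i = ku
    while len(key) < need:
        ku_i = hashlib.new(hash_name, ku_i).digest()
        key += localize_key(hash_name, ku_i, engine_id)
    return key[:need]


def priv_key(hash_name: str, priv_proto: str, password: str,
             engine_id: bytes) -> tuple[bytes, bool]:
    """Localized privacy key for one createUser line.  priv_proto is
    AES / AES192 / AES256, optionally with the trailing "C".
    Returns (key, extension_was_needed)."""
    cisco = priv_proto.endswith("C")
    need = PRIV_KEY_LEN[priv_proto.rstrip("C")]
    ku = password_to_key(hash_name, password)
    kul = localize_key(hash_name, ku, engine_id)
    if len(kul) >= need:
        # Auth hash already yields enough key material (Bill's option 2):
        # no extension scheme is involved, so nothing to disagree about.
        return kul[:need], False
    if cisco:
        return extend_reeder(hash_name, ku, kul, engine_id, need), True
    return extend_blumenthal(hash_name, kul, need), True


def compare(password: str = "authpw-00",
            engine_id: bytes = ENGINE_ID_RFC3414) -> dict:
    """The three createUser variants from the thread, one password, one
    engine ID.  Maps "auth/priv" -> (hex key, extension_was_needed)."""
    out = {}
    for auth, priv in (("md5", "AES192"), ("md5", "AES192C"), ("sha256", "AES256")):
        key, extended = priv_key(auth, priv, password, engine_id)
        out[f"{auth}/{priv}"] = (key.hex(), extended)
    return out


if __name__ == "__main__":
    for name, (key, extended) in compare().items():
        print(f"{name:14} {key}  extended={extended}")
```

Running it shows that MD5 + AES192 and MD5 + AES192C share the first 16 bytes (the localized MD5 key) but differ in the 8 bytes each scheme appends. A manager extending one way and an agent extending the other therefore hold different 24-byte keys, the decrypted ScopedPDU is garbage, and the agent logs "error parsing ScopedPDU", which matches what Simon saw with the plain AES192 users. With SHA-256 the localized key is already 32 bytes, so AES256 takes it directly and no extension scheme is involved; that is the substance of Bill's second option. Whichever route is taken, both peers must agree on it.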