Hi Martijn,
Thanks for your feedback!
I’m not using the snmpd command line daemon as I handle it in my own Linux
application, so I couldn’t start it with -Dusm. But I’m guessing calling
debug_enable_token_logs("usm"); in my application could do the trick… Anyway, I
activated the (debug) logs, and the user ‘vincent’ seems to be created
correctly, but I’m not sure.
The request frame tells ‘unsupported security level’, which confirms it, but I
still don’t know why.
Any ideas ?
((( I put what seems important to me at first (see “highlights” below), but I
may have missed something so I added more details (see “In details “) under it.
)))
Regards,
Vincent.
=================================================================
Highlights :
============
-------------------------
Reading config file :
-------------------------
read_config:line: /usr/local/etc/snmp//snmpv3d.conf:8 examining: createUser
vincent SHA myauthpw DES myPrivAuthPhrase
…
read_config:parser: Found a parser. Calling it: createUser / vincent SHA
myauthpw DES myPrivAuthPhrase
…
9:usmUser: truncating privKeyLen from 20 to 16
trace: usm_create_usmUser_from_string(): snmpusm.c, 4792:
usmUser: created a new user vincent at 80 00 1F 88 80 1C FA 42 20 9B 6F A6 65
…
read_config:line: /usr/local/etc/snmp//snmpv3d.conf:9 examining: rwuser -s usm
vincent priv
trace: run_config_handler(): read_config.c, 543:
read_config:parser: Found a parser. Calling it: rwuser / -s usm vincent priv
trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 871:
rwuser: setting auth level: "priv"
trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 1013:
rwuser: passing: group grpvincent usm "vincent"
trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 1052:
rwuser: passing: access grpvincent "" usm priv prefix _all_ _all_ _all_
…
read_config:line: /var/net-snmp/snmpv3d.conf:33 examining: usmUser 1 3
0x80001f88801cfa42209b6fa665 "vincent" "vincent" NULL .1.3.6.1.6.3.10.1.1.2
0xf6347e2fe5f1ce6ff9b539870dfa3b38 .1.3.6.1.6.3.10.1.2.1 0x 0x
trace: run_config_handler(): read_config.c, 563:
9:read_config:parser: usmUser handler not registered for this time
…
-------------------------
Request handling :
-------------------------
usm: match on user vincent
trace: usm_check_secLevel(): snmpusm.c, 2738:
comparex: Comparing: 1 3 SNMPv2-SMI::snmpModules.10.1.2.1
trace: usm_check_secLevel(): snmpusm.c, 2747:
usm: Level: 3
trace: usm_check_secLevel(): snmpusm.c, 2748:
usm: User (vincent) Auth Protocol: SNMPv2-SMI::snmpModules.10.1.1.2, User Priv
Protocol: SNMPv2-SMI::snmpModules.10.1.2.1
trace: usm_process_in_msg(): snmpusm.c, 2980:
usm: Unsupported Security Level (3).
trace: snmpv3_parse(): snmp_api.c, 3994:
dumph_recv: ScopedPDU
trace: _snmp_parse(): snmp_api.c, 4401:
snmp_parse: Parsed SNMPv3 message (secName:vincent, secLevel:authPriv): USM
unsupported security level (this user has not been configured for that level of
security)
=================================================================
=================================================================
=================================================================
In details :
============
trace: read_config(): read_config.c, 853:
9:read_config:line: /usr/local/etc/snmp//snmpv3d.conf:8 examining: createUser
vincent SHA myauthpw DES myPrivAuthPhrase
trace: read_config(): read_config.c, 981:
read_config:line: /usr/local/etc/snmp//snmpv3d.conf:8 examining: createUser
vincent SHA myauthpw DES myPrivAuthPhrase
trace: run_config_handler(): read_config.c, 543:
read_config:parser: Found a parser. Calling it: createUser / vincent SHA
myauthpw DES myPrivAuthPhrase
trace: sc_get_auth_oid(): scapi.c, 417:
trace: sc_find_auth_alg_bytype(): scapi.c, 316:
trace: sc_get_authtype(): scapi.c, 341:
trace: sc_find_auth_alg_byoid(): scapi.c, 269:
trace: sc_get_openssl_hashfn(): scapi.c, 634:
trace: sc_get_authtype(): scapi.c, 341:
trace: sc_find_auth_alg_byoid(): scapi.c, 269:
trace: sc_get_proper_auth_length_bytype(): scapi.c, 398:
trace: sc_find_auth_alg_bytype(): scapi.c, 316:
trace: sc_get_authtype(): scapi.c, 341:
trace: sc_find_auth_alg_byoid(): scapi.c, 269:
trace: sc_get_proper_auth_length_bytype(): scapi.c, 398:
trace: sc_find_auth_alg_bytype(): scapi.c, 316:
trace: sc_hash(): scapi.c, 889:
trace: sc_get_authtype(): scapi.c, 341:
trace: sc_find_auth_alg_byoid(): scapi.c, 269:
trace: sc_hash_type(): scapi.c, 942:
trace: sc_get_proper_auth_length_bytype(): scapi.c, 398:
trace: sc_find_auth_alg_bytype(): scapi.c, 316:
trace: sc_get_openssl_hashfn(): scapi.c, 634:
trace: usm_create_usmUser_from_string(): snmpusm.c, 4655:
9:usmUser: privProtocol DES
trace: sc_get_priv_alg_bytype(): scapi.c, 248:
trace: usm_create_usmUser_from_string(): snmpusm.c, 4662:
9:usmUser: pai usmDESPrivProtocol
trace: sc_get_authtype(): scapi.c, 341:
trace: sc_find_auth_alg_byoid(): scapi.c, 269:
trace: sc_get_openssl_hashfn(): scapi.c, 634:
trace: sc_get_authtype(): scapi.c, 341:
trace: sc_find_auth_alg_byoid(): scapi.c, 269:
trace: sc_get_proper_auth_length_bytype(): scapi.c, 398:
trace: sc_find_auth_alg_bytype(): scapi.c, 316:
trace: sc_hash(): scapi.c, 889:
trace: sc_get_authtype(): scapi.c, 341:
trace: sc_find_auth_alg_byoid(): scapi.c, 269:
trace: sc_hash_type(): scapi.c, 942:
trace: sc_get_proper_auth_length_bytype(): scapi.c, 398:
trace: sc_find_auth_alg_bytype(): scapi.c, 316:
trace: sc_get_openssl_hashfn(): scapi.c, 634:
trace: usm_create_usmUser_from_string(): snmpusm.c, 4779:
9:usmUser: truncating privKeyLen from 20 to 16
trace: usm_create_usmUser_from_string(): snmpusm.c, 4792:
usmUser: created a new user vincent at 80 00 1F 88 80 1C FA 42 20 9B 6F A6 65
trace: read_config(): read_config.c, 853:
9:read_config:line: /usr/local/etc/snmp//snmpv3d.conf:9 examining: rwuser -s
usm vincent priv
trace: read_config(): read_config.c, 981:
read_config:line: /usr/local/etc/snmp//snmpv3d.conf:9 examining: rwuser -s usm
vincent priv
trace: run_config_handler(): read_config.c, 543:
read_config:parser: Found a parser. Calling it: rwuser / -s usm vincent priv
trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 871:
rwuser: setting auth level: "priv"
trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 1013:
rwuser: passing: group grpvincent usm "vincent"
trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 1052:
rwuser: passing: access grpvincent "" usm priv prefix _all_ _all_ _all_
…
9:read_config:line: /var/net-snmp/snmpv3d.conf:33 examining: usmUser 1 3
0x80001f88801cfa42209b6fa665 "vincent" "vincent" NULL .1.3.6.1.6.3.10.1.1.2
0xf6347e2fe5f1ce6ff9b539870dfa3b38 .1.3.6.1.6.3.10.1.2.1 0x 0x
trace: read_config(): read_config.c, 981:
read_config:line: /var/net-snmp/snmpv3d.conf:33 examining: usmUser 1 3
0x80001f88801cfa42209b6fa665 "vincent" "vincent" NULL .1.3.6.1.6.3.10.1.1.2
0xf6347e2fe5f1ce6ff9b539870dfa3b38 .1.3.6.1.6.3.10.1.2.1 0x 0x
trace: run_config_handler(): read_config.c, 563:
9:read_config:parser: usmUser handler not registered for this time
…
usm: match on user vincent
trace: usm_check_secLevel(): snmpusm.c, 2738:
comparex: Comparing: 1 3 SNMPv2-SMI::snmpModules.10.1.2.1
trace: usm_check_secLevel(): snmpusm.c, 2747:
usm: Level: 3
trace: usm_check_secLevel(): snmpusm.c, 2748:
usm: User (vincent) Auth Protocol: SNMPv2-SMI::snmpModules.10.1.1.2, User Priv
Protocol: SNMPv2-SMI::snmpModules.10.1.2.1
trace: usm_process_in_msg(): snmpusm.c, 2980:
usm: Unsupported Security Level (3).
trace: snmpv3_parse(): snmp_api.c, 3994:
dumph_recv: ScopedPDU
trace: _snmp_parse(): snmp_api.c, 4401:
snmp_parse: Parsed SNMPv3 message (secName:vincent, secLevel:authPriv): USM
unsupported security level (this user has not been configured for that level of
security)
De : Martijn van Duren <nets...@list.imperialat.at>
Envoyé : samedi 27 janvier 2024 10:33
À : Vincent Gilson <vincent.gil...@ovarro.com>;
net-snmp-coders@lists.sourceforge.net
Objet : Re: SNMPv3 DES issue
[You don't often get email from nets...@list.imperialat.at. Learn why this is
important at https://aka.ms/LearnAboutSend͏͏
[External
email]<https://summary.uk.defend.egress.com/v3/summary?ref=email&crId=65b4cdc76a52a97d6e20f16a&lang=en>
[First time
sender]<https://summary.uk.defend.egress.com/v3/summary?ref=email&crId=65b4cdc76a52a97d6e20f16a&lang=en>
[This email shows signs of
phishing]<https://summary.uk.defend.egress.com/v3/summary?ref=email&crId=65b4cdc76a52a97d6e20f16a&lang=en>
[You don't often get email from
nets...@list.imperialat.at<mailto:nets...@list.imperialat.at>. Learn why this
is important at https://aka.ms/LearnAboutSenderIdentification ]
ATTENTION : cet email a été envoyé par une source externe à notre enterprise.
Ne cliquez pas sur les liens et n'ouvrez pas les pièces jointes si vous ne
connaissez pas l'expéditeur et n'êtes pas sûrs du contenu.
Nothing stands out to me at a first glance. What does running snmpd with
-Dusm give you for extra information?
Sincerely,
Martijn van Duren
On Fri, 2024-01-26 at 10:10 +0000, Vincent Gilson via Net-snmp-coders wrote:
>
>
>
> Hello !
>
> I’m working on a net-snmp agent integrated into an industrial embedded system
> (ARM-based).
> The agent is working perfectly for v1 and v2c, and also with v3 and
> ‘AuthNoPriv’ mode. I’m doing my tests with SnmpB software as a client.
> But SHA and DES/AES is not working :
>
> My snmpd.conf :
>
> # Listening connections :
> agentAddress udp:161
> #
> # User list :
> createUser myuser MD5 authpass
> rouser myuser
> createUser vincent SHA authpass DES privauthpass
> rwuser vincent priv
>
> GET an integer with SNMPv3 is working for user “myuser” (configured with
> ‘authNoPriv’ and empty context info in SnmpB) , but that is not working for
> user “vincent" (configured with ‘authPriv’ in SnmpB) : embedded agent
> returns me the security level is not supported (oid 1.3.6.1.6.3.15.1.1.1.0,
> see wireshark trace below) . Same problem occurs with AES.
>
> Why is it not supported ?
> I tried different combinations with ‘createUser’ adding ‘priv’ on it, or add
> it at the end of ‘rwuser’
> I didn’t see something relevant into the snmpd.log, so I guess the openssl is
> correctly loaded.
>
> I don’t know what I’m missing. Could you help me please ?
> Many thanks !
>
> Vincent.
>
> ----->>>
>
> Some useful resources :
>
> My install switches :
>
> ./configure --prefix=$(INSTALL_PREFIX) --host=$(HOST) \
> --disable-applications --enable-debugging --disable-embedded-perl
> --without-perl-modules \
> --enable-reentrant \
> --with-cc=$(CC) --with-linkcc=$(CC) --with-ar=$(AR)
> --with-ldflags="$(LDFLAGS)" --with-cflags="$(CFLAGS_EXT)" \
> --with-openssl=$(LIB_DIRS) \
> --without-rpm \
> --with-logfile="/tmp/var/snmpd.log" \
> --with-default-snmp-version="3" \
> --with-transports="UDP,TCP,DTLSUDP,TLSTCP" --with-security-modules="usm,tsm" \
> --with-sys-contact="vincent.gil...@ovarro.com<mailto:vincent.gil...@ovarro.com>"
> \
> --with-sys-location="Ovarro" \
> --with-persistent-directory="/var/net-snmp" \
> --enable-shared=yes --enable-static=no --enable-tagCC-libtool
>
> Wireshark capture (request of SnmpB, followed by answer from embedded
> net-snmp agent) :
>
> No. Time Source Destination Protocol
> Length Info
> 4488 49.862297 10.65.84.14 172.25.110.169 SNMP
> 183 encryptedPDU: privKey Unknown
>
> Frame 4488: 183 bytes on wire (1464 bits), 183 bytes captured (1464 bits) on
> interface \Device\NPF_{71745524-1B4D-4E06-8D78-0E258F5FBAED}, id 0
> Ethernet II, Src: Cisco_3c:7a:00 (00:05:9a:3c:7a:00), Dst: CIMSYS_33:44:55
> (00:11:22:33:44:55)
> Internet Protocol Version 4, Src: 10.65.84.14, Dst: 172.25.110.169
> User Datagram Protocol, Src Port: 49987, Dst Port: 161
> Simple Network Management Protocol
> msgVersion: snmpv3 (3)
> msgGlobalData
> msgID: 1572876
> msgMaxSize: 4096
> msgFlags: 07
> .... .1.. = Reportable: Set
> .... ..1. = Encrypted: Set
> .... ...1 = Authenticated: Set
> msgSecurityModel: USM (3)
> msgAuthoritativeEngineID: 80001f88801cfa42209b6fa665
> 1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
> Engine Enterprise ID: net-snmp (8072)
> Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
> Engine ID Data: 1cfa4220
> Engine ID Data: Creation Time: Jan 16, 2024 12:59:23 Paris, Madrid
> msgAuthoritativeEngineBoots: 17
> msgAuthoritativeEngineTime: 67315
> msgUserName: vincent
> msgAuthenticationParameters: 90d824057790ccf09d9cdf94
> msgPrivacyParameters: 000000110000904f
> msgData: encryptedPDU (1)
> encryptedPDU:
> 6ca45160f625888a5d5578eab7db81b466dc8d98901c8a706eee1031ca939c6e1a825c7f…
>
> No. Time Source Destination Protocol
> Length Info
> 4496 49.945101 172.25.110.169 10.65.84.14 SNMP
> 154 report 1.3.6.1.6.3.15.1.1.1.0
>
> Frame 4496: 154 bytes on wire (1232 bits), 154 bytes captured (1232 bits) on
> interface \Device\NPF_{71745524-1B4D-4E06-8D78-0E258F5FBAED}, id 0
> Ethernet II, Src: CIMSYS_33:44:55 (00:11:22:33:44:55), Dst: Cisco_3c:7a:00
> (00:05:9a:3c:7a:00)
> Internet Protocol Version 4, Src: 172.25.110.169, Dst: 10.65.84.14
> User Datagram Protocol, Src Port: 161, Dst Port: 49987
> Simple Network Management Protocol
> msgVersion: snmpv3 (3)
> msgGlobalData
> msgID: 1572876
> msgMaxSize: 65507
> msgFlags: 00
> .... .0.. = Reportable: Not set
> .... ..0. = Encrypted: Not set
> .... ...0 = Authenticated: Not set
> msgSecurityModel: USM (3)
> msgAuthoritativeEngineID: 80001f88801cfa42209b6fa665
> 1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
> Engine Enterprise ID: net-snmp (8072)
> Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
> Engine ID Data: 1cfa4220
> Engine ID Data: Creation Time: Jan 16, 2024 12:59:23 Paris, Madrid
> msgAuthoritativeEngineBoots: 17
> msgAuthoritativeEngineTime: 67315
> msgUserName: vincent
> msgAuthenticationParameters: <MISSING>
> msgPrivacyParameters: <MISSING>
> msgData: plaintext (0)
> plaintext
> contextEngineID: 80001f88801cfa42209b6fa665
> 1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
> Engine Enterprise ID: net-snmp (8072)
> Engine ID Format: Reserved/Enterprise-specific (128):
> Net-SNMP Random
> Engine ID Data: 1cfa4220
> Engine ID Data: Creation Time: Jan 16, 2024 12:59:23 Paris,
> Madrid
> contextName:
> data: report (8)
> report
> request-id: 0
> error-status: noError (0)
> error-index: 0
> variable-bindings: 1 item
> 1.3.6.1.6.3.15.1.1.1.0: 10
> Object Name:
>
> (iso.3.6.1.6.3.15.1.1.1.0)
> Value (Counter32): 10
>
>
> _______________________________________________
> Net-snmp-coders mailing list
> Net-snmp-coders@lists.sourceforge.net<mailto:Net-snmp-coders@lists.sourceforge.net>
> https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
_______________________________________________
Net-snmp-coders mailing list
Net-snmp-coders@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
