Hi Martijn,

Yes, it helps, thanks! It teaches me things (I'm brand new to the world of 
SNMP/net-snmp), and it clearly confirms that I have a problem with the creation 
of my user.

I would like to keep the creation inside the conf file, but… well…
I tried to play with different combinations inside my conf file (regarding the 
order) of createUser/group/view/access/rwuser, and nothing seems to work, and 
it seems /var/net-snmp/snmpv3d.conf is still being built with "10.1.2.1", 
the usmNoPrivProtocol OID, even after having deleted it manually as you 
suggested.

I didn’t try snmpusm, I didn’t build it (yet).

----
agentAddress udp:161

createUser vincent SHA "myPassPhrase" DES "myPrivAuthPhrase"
group grouptboxusmv3 usm vincent
view viewalltboxmibs included .1
access grouptboxusmv3 "" any priv exact viewalltboxmibs viewalltboxmibs none
rwuser -s usm vincent priv -V viewalltboxmibs
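
Martijn's diagnosis (below) turns on reading the persisted usmUser line back into protocol names. The following is an added example for this thread, not net-snmp's code and not something either correspondent posted: it decodes persisted usmUser lines with the OID assignments from SNMP-USER-BASED-SM-MIB (RFC 3414) and RFC 3826, and compares each persisted user against the createUser directives in snmpd.conf. Assumptions: the field layout is inferred from the single usmUser line quoted in the thread, the "myuser" entry in the persisted sample is constructed here with a placeholder key, and all function names are my own. Run against the thread's own line, it reports that user vincent is persisted with HMAC-MD5 authentication (.10.1.1.2) and usmNoPrivProtocol while snmpd.conf asks for SHA and DES, which is the stale entry Martijn describes and the reason an authPriv request is answered with "unsupported security level".

```python
"""Audit net-snmp's persisted usmUser entries against snmpd.conf.

Added example for this thread, not net-snmp code. The field layout of a
persisted usmUser line is taken from the line quoted in the thread; the
OID-to-name tables come from SNMP-USER-BASED-SM-MIB (RFC 3414) and RFC 3826.
"""
import shlex

# Protocol OIDs from SNMP-USER-BASED-SM-MIB (RFC 3414) and RFC 3826 (AES),
# keyed without the leading dot that net-snmp writes in front of them.
AUTH_PROTOCOLS = {
    "1.3.6.1.6.3.10.1.1.1": "usmNoAuthProtocol",
    "1.3.6.1.6.3.10.1.1.2": "usmHMACMD5AuthProtocol",
    "1.3.6.1.6.3.10.1.1.3": "usmHMACSHAAuthProtocol",
}
PRIV_PROTOCOLS = {
    "1.3.6.1.6.3.10.1.2.1": "usmNoPrivProtocol",
    "1.3.6.1.6.3.10.1.2.2": "usmDESPrivProtocol",
    "1.3.6.1.6.3.10.1.2.4": "usmAesCfb128Protocol",
}
# createUser keywords in snmpd.conf and the MIB protocol each should yield.
CONF_AUTH = {"MD5": "usmHMACMD5AuthProtocol", "SHA": "usmHMACSHAAuthProtocol"}
CONF_PRIV = {"DES": "usmDESPrivProtocol", "AES": "usmAesCfb128Protocol"}


def _proto(table, oid):
    return table.get(oid.lstrip("."), "unknown(%s)" % oid)


def _key_len(token):
    # Keys are persisted as hex with a 0x prefix; a bare "0x" is an empty key.
    return (len(token) - 2) // 2 if token.startswith("0x") else 0


def parse_usm_user(line):
    """Decode one persisted usmUser line, or return None for any other line.

    Field order, as seen in the line quoted in the thread (assumed layout):
    usmUser status storage engineID "name" "secName" cloneFrom authOID authKey privOID privKey
    """
    tok = shlex.split(line, comments=True)
    if len(tok) < 11 or tok[0] != "usmUser":
        return None
    return {
        "name": tok[4],
        "sec_name": tok[5],
        "engine_id": tok[3],
        "auth": _proto(AUTH_PROTOCOLS, tok[7]),
        "auth_key_bytes": _key_len(tok[8]),
        "priv": _proto(PRIV_PROTOCOLS, tok[9]),
        "priv_key_bytes": _key_len(tok[10]),
    }


def parse_create_users(conf_text):
    """Map user -> (auth protocol, priv protocol) expected from createUser lines."""
    expected = {}
    for raw in conf_text.splitlines():
        tok = shlex.split(raw, comments=True)
        if not tok or tok[0] != "createUser":
            continue
        if len(tok) > 2 and tok[1] == "-e":  # createUser -e ENGINEID user ...
            tok = tok[:1] + tok[3:]
        if len(tok) < 4:
            continue
        auth = CONF_AUTH.get(tok[2].upper(), "unknown(%s)" % tok[2])
        if len(tok) >= 5:
            priv = CONF_PRIV.get(tok[4].upper(), "unknown(%s)" % tok[4])
        else:
            priv = "usmNoPrivProtocol"  # no priv keyword: authNoPriv user
        expected[tok[1]] = (auth, priv)
    return expected


def audit(persist_text, conf_text):
    """List (user, problem) for persisted entries that disagree with snmpd.conf.

    A persisted entry carrying usmNoPrivProtocol is what makes the agent reject
    an authPriv request for that user with "unsupported security level".
    """
    expected = parse_create_users(conf_text)
    findings = []
    for raw in persist_text.splitlines():
        rec = parse_usm_user(raw)
        if rec is None:
            continue
        want = expected.get(rec["name"])
        if want is None:
            findings.append((rec["name"], "persisted but has no createUser line"))
            continue
        for field, wanted in zip(("auth", "priv"), want):
            if rec[field] != wanted:
                findings.append((rec["name"], "%s is %s, snmpd.conf asks for %s"
                                 % (field, rec[field], wanted)))
    return findings


# createUser directives taken from the thread's two snmpd.conf excerpts.
SNMPD_CONF = """\
createUser myuser MD5 authpass
rouser myuser
createUser vincent SHA "myPassPhrase" DES "myPrivAuthPhrase"
rwuser -s usm vincent priv
"""

# Persistent store sample: the vincent line is the one quoted in the thread;
# the myuser line is constructed here with an all-zero placeholder key.
SNMPV3D_CONF = """\
# net-snmp persistent data (constructed sample)
usmUser 1 3 0x80001f88801cfa42209b6fa665 "vincent" "vincent" NULL .1.3.6.1.6.3.10.1.1.2 0xf6347e2fe5f1ce6ff9b539870dfa3b38 .1.3.6.1.6.3.10.1.2.1 0x 0x
usmUser 1 3 0x80001f88801cfa42209b6fa665 "myuser" "myuser" NULL .1.3.6.1.6.3.10.1.1.2 0x00000000000000000000000000000000 .1.3.6.1.6.3.10.1.2.1 0x 0x
"""

if __name__ == "__main__":
    for user, problem in audit(SNMPV3D_CONF, SNMPD_CONF):
        print("%s: %s" % (user, problem))
```

Point the two text constants at the real files to run it on an agent; as Martijn notes, stop the daemon before editing /var/net-snmp/snmpv3d.conf, since net-snmp rewrites its persistent store on shutdown and a line deleted while the agent is running comes back.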


From: Martijn van Duren <nets...@list.imperialat.at>
Sent: Monday, 29 January 2024 18:28
To: Vincent Gilson <vincent.gil...@ovarro.com>
Cc: net-snmp-coders@lists.sourceforge.net
Subject: Re: SNMPv3 DES issue

Hello Vincent,

Small disclaimer: I'm the maintainer of OpenBSD's snmp stack and not
too familiar with net-snmp's quirks.

That out of the way, I think I have a decent idea where the problem
comes from, and it would be clearer if you loaded the
SNMP-USER-BASED-SM-MIB for more human-readable output.

If you look at the following line from the highlights you'll find:
> usm: User (vincent) Auth Protocol: SNMPv2-SMI::snmpModules.10.1.1.2,
> User Priv Protocol: SNMPv2-SMI::snmpModules.10.1.2.1
Where SNMPv2-SMI::snmpModules.10.1.2.1 is
SNMP-USER-BASED-SM-MIB::usmNoPrivProtocol. This means that your user
is created without a privacy option.
Looking a bit up we find:
> read_config:line: /var/net-snmp/snmpv3d.conf:33 examining: usmUser 1
> 3 0x80001f88801cfa42209b6fa665 "vincent" "vincent" NULL
> .1.3.6.1.6.3.10.1.1.2 0xf6347e2fe5f1ce6ff9b539870dfa3b38
> .1.3.6.1.6.3.10.1.2.1 0x 0x
Where the last OID is the same usmNoPrivProtocol.

So here's my speculation: I've always been told that using createUser
inside the conf file works, but can cause problems. I think you've hit
one of those problems and that you've created the user Vincent before
without a privacy option and it doesn't update its internal definition.
My solution (again, not sure if this is the best way) is to either
manually remove the appropriate usmUser line from
/var/net-snmp/snmpv3d.conf (after stopping the daemon), or try to
remove it over the wire via snmpusm(1) (not sure if this works with
your daemon) and restart your daemon.

Hope this helps.

Martijn


On Mon, 2024-01-29 at 13:08 +0000, Vincent Gilson wrote:
>
> Hi Martijn,
>
> Thanks for your feedback!
>
> I'm not using the snmpd command line daemon as I handle it in my own Linux
> application, so I couldn't start it with -Dusm. But I'm guessing calling
> debug_enable_token_logs("usm"); in my application could do the trick… Anyway,
> I activated the (debug) logs, and the user 'vincent' seems to be created
> correctly, but I'm not sure.
>
> The request frame says 'unsupported security level', which confirms it, but
> I still don't know why.
>
> Any ideas?
>
> ((( I put what seems important to me at first (see "highlights" below), but I
> may have missed something so I added more details (see "In details") under
> it. )))
>
> Regards,
> Vincent.
>

> =================================================================
> Highlights:
> ============
>
> -------------------------
> Reading config file:
> -------------------------
>
> read_config:line: /usr/local/etc/snmp//snmpv3d.conf:8 examining: createUser vincent SHA myauthpw DES myPrivAuthPhrase
> …
> read_config:parser: Found a parser.  Calling it: createUser / vincent SHA myauthpw DES myPrivAuthPhrase
> …
> 9:usmUser: truncating privKeyLen from 20 to 16
> trace: usm_create_usmUser_from_string(): snmpusm.c, 4792:
> usmUser: created a new user vincent at 80 00 1F 88 80 1C FA 42 20 9B 6F A6 65
> …
> read_config:line: /usr/local/etc/snmp//snmpv3d.conf:9 examining: rwuser -s usm vincent priv
> trace: run_config_handler(): read_config.c, 543:
> read_config:parser: Found a parser.  Calling it: rwuser / -s usm vincent priv
> trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 871:
> rwuser: setting auth level: "priv"
> trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 1013:
> rwuser: passing: group grpvincent usm "vincent"
> trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 1052:
> rwuser: passing: access grpvincent "" usm priv prefix _all_ _all_ _all_
> …
> read_config:line: /var/net-snmp/snmpv3d.conf:33 examining: usmUser 1 3 0x80001f88801cfa42209b6fa665 "vincent" "vincent" NULL .1.3.6.1.6.3.10.1.1.2 0xf6347e2fe5f1ce6ff9b539870dfa3b38 .1.3.6.1.6.3.10.1.2.1 0x 0x
> trace: run_config_handler(): read_config.c, 563:
> 9:read_config:parser: usmUser handler not registered for this time
> …
>
> -------------------------
> Request handling:
> -------------------------
> usm: match on user vincent
> trace: usm_check_secLevel(): snmpusm.c, 2738:
> comparex: Comparing: 1 3 SNMPv2-SMI::snmpModules.10.1.2.1
> trace: usm_check_secLevel(): snmpusm.c, 2747:
> usm: Level: 3
> trace: usm_check_secLevel(): snmpusm.c, 2748:
> usm: User (vincent) Auth Protocol: SNMPv2-SMI::snmpModules.10.1.1.2, User Priv Protocol: SNMPv2-SMI::snmpModules.10.1.2.1
> trace: usm_process_in_msg(): snmpusm.c, 2980:
> usm: Unsupported Security Level (3).
> trace: snmpv3_parse(): snmp_api.c, 3994:
> dumph_recv:     ScopedPDU
> trace: _snmp_parse(): snmp_api.c, 4401:
> snmp_parse: Parsed SNMPv3 message (secName:vincent, secLevel:authPriv): USM unsupported security level (this user has not been configured for that level of security)
>

> =================================================================
> In details:
> ============
>
> trace: read_config(): read_config.c, 853:
> 9:read_config:line: /usr/local/etc/snmp//snmpv3d.conf:8 examining: createUser vincent SHA myauthpw DES myPrivAuthPhrase
> trace: read_config(): read_config.c, 981:
> read_config:line: /usr/local/etc/snmp//snmpv3d.conf:8 examining: createUser vincent SHA myauthpw DES myPrivAuthPhrase
> trace: run_config_handler(): read_config.c, 543:
> read_config:parser: Found a parser.  Calling it: createUser / vincent SHA myauthpw DES myPrivAuthPhrase
> trace: sc_get_auth_oid(): scapi.c, 417:
> trace: sc_find_auth_alg_bytype(): scapi.c, 316:
> trace: sc_get_authtype(): scapi.c, 341:
> trace: sc_find_auth_alg_byoid(): scapi.c, 269:
> trace: sc_get_openssl_hashfn(): scapi.c, 634:
> trace: sc_get_authtype(): scapi.c, 341:
> trace: sc_find_auth_alg_byoid(): scapi.c, 269:
> trace: sc_get_proper_auth_length_bytype(): scapi.c, 398:
> trace: sc_find_auth_alg_bytype(): scapi.c, 316:
> trace: sc_get_authtype(): scapi.c, 341:
> trace: sc_find_auth_alg_byoid(): scapi.c, 269:
> trace: sc_get_proper_auth_length_bytype(): scapi.c, 398:
> trace: sc_find_auth_alg_bytype(): scapi.c, 316:
> trace: sc_hash(): scapi.c, 889:
> trace: sc_get_authtype(): scapi.c, 341:
> trace: sc_find_auth_alg_byoid(): scapi.c, 269:
> trace: sc_hash_type(): scapi.c, 942:
> trace: sc_get_proper_auth_length_bytype(): scapi.c, 398:
> trace: sc_find_auth_alg_bytype(): scapi.c, 316:
> trace: sc_get_openssl_hashfn(): scapi.c, 634:
> trace: usm_create_usmUser_from_string(): snmpusm.c, 4655:
> 9:usmUser: privProtocol DES
> trace: sc_get_priv_alg_bytype(): scapi.c, 248:
> trace: usm_create_usmUser_from_string(): snmpusm.c, 4662:
> 9:usmUser: pai usmDESPrivProtocol
> trace: sc_get_authtype(): scapi.c, 341:
> trace: sc_find_auth_alg_byoid(): scapi.c, 269:
> trace: sc_get_openssl_hashfn(): scapi.c, 634:
> trace: sc_get_authtype(): scapi.c, 341:
> trace: sc_find_auth_alg_byoid(): scapi.c, 269:
> trace: sc_get_proper_auth_length_bytype(): scapi.c, 398:
> trace: sc_find_auth_alg_bytype(): scapi.c, 316:
> trace: sc_hash(): scapi.c, 889:
> trace: sc_get_authtype(): scapi.c, 341:
> trace: sc_find_auth_alg_byoid(): scapi.c, 269:
> trace: sc_hash_type(): scapi.c, 942:
> trace: sc_get_proper_auth_length_bytype(): scapi.c, 398:
> trace: sc_find_auth_alg_bytype(): scapi.c, 316:
> trace: sc_get_openssl_hashfn(): scapi.c, 634:
> trace: usm_create_usmUser_from_string(): snmpusm.c, 4779:
> 9:usmUser: truncating privKeyLen from 20 to 16
> trace: usm_create_usmUser_from_string(): snmpusm.c, 4792:
> usmUser: created a new user vincent at 80 00 1F 88 80 1C FA 42 20 9B 6F A6 65
> trace: read_config(): read_config.c, 853:
> 9:read_config:line: /usr/local/etc/snmp//snmpv3d.conf:9 examining: rwuser -s usm vincent priv
> trace: read_config(): read_config.c, 981:
> read_config:line: /usr/local/etc/snmp//snmpv3d.conf:9 examining: rwuser -s usm vincent priv
> trace: run_config_handler(): read_config.c, 543:
> read_config:parser: Found a parser.  Calling it: rwuser / -s usm vincent priv
> trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 871:
> rwuser: setting auth level: "priv"
> trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 1013:
> rwuser: passing: group grpvincent usm "vincent"
> trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 1052:
> rwuser: passing: access grpvincent "" usm priv prefix _all_ _all_ _all_
>
> …
>
> 9:read_config:line: /var/net-snmp/snmpv3d.conf:33 examining: usmUser 1 3 0x80001f88801cfa42209b6fa665 "vincent" "vincent" NULL .1.3.6.1.6.3.10.1.1.2 0xf6347e2fe5f1ce6ff9b539870dfa3b38 .1.3.6.1.6.3.10.1.2.1 0x 0x
> trace: read_config(): read_config.c, 981:
> read_config:line: /var/net-snmp/snmpv3d.conf:33 examining: usmUser 1 3 0x80001f88801cfa42209b6fa665 "vincent" "vincent" NULL .1.3.6.1.6.3.10.1.1.2 0xf6347e2fe5f1ce6ff9b539870dfa3b38 .1.3.6.1.6.3.10.1.2.1 0x 0x
> trace: run_config_handler(): read_config.c, 563:
> 9:read_config:parser: usmUser handler not registered for this time
>
> …
>
> usm: match on user vincent
> trace: usm_check_secLevel(): snmpusm.c, 2738:
> comparex: Comparing: 1 3 SNMPv2-SMI::snmpModules.10.1.2.1
> trace: usm_check_secLevel(): snmpusm.c, 2747:
> usm: Level: 3
> trace: usm_check_secLevel(): snmpusm.c, 2748:
> usm: User (vincent) Auth Protocol: SNMPv2-SMI::snmpModules.10.1.1.2, User Priv Protocol: SNMPv2-SMI::snmpModules.10.1.2.1
> trace: usm_process_in_msg(): snmpusm.c, 2980:
> usm: Unsupported Security Level (3).
> trace: snmpv3_parse(): snmp_api.c, 3994:
> dumph_recv:     ScopedPDU
> trace: _snmp_parse(): snmp_api.c, 4401:
> snmp_parse: Parsed SNMPv3 message (secName:vincent, secLevel:authPriv): USM unsupported security level (this user has not been configured for that level of security)
>

> From: Martijn van Duren <nets...@list.imperialat.at>
> Sent: Saturday, 27 January 2024 10:33
> To: Vincent Gilson <vincent.gil...@ovarro.com>; net-snmp-coders@lists.sourceforge.net
> Subject: Re: SNMPv3 DES issue
>


> Nothing stands out to me at a first glance. What does running snmpd with
> -Dusm give you for extra information?
>
> Sincerely,
>
> Martijn van Duren
>
> On Fri, 2024-01-26 at 10:10 +0000, Vincent Gilson via Net-snmp-coders wrote:
> >

> > Hello!
> >
> > I'm working on a net-snmp agent integrated into an industrial embedded
> > system (ARM-based).
> > The agent is working perfectly for v1 and v2c, and also with v3 in
> > 'AuthNoPriv' mode. I'm doing my tests with SnmpB software as a client.
> > But SHA with DES/AES is not working:
> >
> > My snmpd.conf:
> >
> > # Listening connections :
> > agentAddress udp:161
> > #
> > # User list :
> > createUser myuser MD5 authpass
> > rouser myuser
> > createUser vincent SHA authpass DES privauthpass
> > rwuser vincent priv
> >
> > GET an integer with SNMPv3 is working for user "myuser" (configured with
> > 'authNoPriv' and empty context info in SnmpB), but it is not working for
> > user "vincent" (configured with 'authPriv' in SnmpB): the embedded agent
> > returns that the security level is not supported (oid 1.3.6.1.6.3.15.1.1.1.0,
> > see wireshark trace below). The same problem occurs with AES.
> >
> > Why is it not supported?
> > I tried different combinations with 'createUser', adding 'priv' to it, or
> > adding it at the end of 'rwuser'.
> > I didn't see anything relevant in the snmpd.log, so I guess openssl
> > is correctly loaded.
> >
> > I don't know what I'm missing. Could you help me please?
> > Many thanks!
> >
> > Vincent.
> >

> > ----->>>
> >
> > Some useful resources:
> >
> > My install switches:
> >
> > ./configure --prefix=$(INSTALL_PREFIX) --host=$(HOST) \
> > --disable-applications --enable-debugging --disable-embedded-perl --without-perl-modules \
> > --enable-reentrant \
> > --with-cc=$(CC) --with-linkcc=$(CC) --with-ar=$(AR) --with-ldflags="$(LDFLAGS)" --with-cflags="$(CFLAGS_EXT)" \
> > --with-openssl=$(LIB_DIRS) \
> > --without-rpm \
> > --with-logfile="/tmp/var/snmpd.log" \
> > --with-default-snmp-version="3" \
> > --with-transports="UDP,TCP,DTLSUDP,TLSTCP" --with-security-modules="usm,tsm" \
> > --with-sys-contact="vincent.gil...@ovarro.com" \
> > --with-sys-location="Ovarro" \
> > --with-persistent-directory="/var/net-snmp" \
> > --enable-shared=yes --enable-static=no --enable-tagCC-libtool
> >

> > Wireshark capture (request of SnmpB, followed by answer from embedded
> > net-snmp agent):
> >
> > No.     Time           Source                Destination           Protocol Length Info
> >     4488 49.862297      10.65.84.14           172.25.110.169        SNMP     183    encryptedPDU: privKey Unknown
> >
> > Frame 4488: 183 bytes on wire (1464 bits), 183 bytes captured (1464 bits) on interface \Device\NPF_{71745524-1B4D-4E06-8D78-0E258F5FBAED}, id 0
> > Ethernet II, Src: Cisco_3c:7a:00 (00:05:9a:3c:7a:00), Dst: CIMSYS_33:44:55 (00:11:22:33:44:55)
> > Internet Protocol Version 4, Src: 10.65.84.14, Dst: 172.25.110.169
> > User Datagram Protocol, Src Port: 49987, Dst Port: 161
> > Simple Network Management Protocol
> >      msgVersion: snmpv3 (3)
> >      msgGlobalData
> >          msgID: 1572876
> >          msgMaxSize: 4096
> >          msgFlags: 07
> >              .... .1.. = Reportable: Set
> >              .... ..1. = Encrypted: Set
> >              .... ...1 = Authenticated: Set
> >          msgSecurityModel: USM (3)
> >      msgAuthoritativeEngineID: 80001f88801cfa42209b6fa665
> >          1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
> >          Engine Enterprise ID: net-snmp (8072)
> >          Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
> >          Engine ID Data: 1cfa4220
> >          Engine ID Data: Creation Time: Jan 16, 2024 12:59:23 Paris, Madrid
> >      msgAuthoritativeEngineBoots: 17
> >      msgAuthoritativeEngineTime: 67315
> >      msgUserName: vincent
> >      msgAuthenticationParameters: 90d824057790ccf09d9cdf94
> >      msgPrivacyParameters: 000000110000904f
> >      msgData: encryptedPDU (1)
> >          encryptedPDU: 6ca45160f625888a5d5578eab7db81b466dc8d98901c8a706eee1031ca939c6e1a825c7f…
> >
> > No.     Time           Source                Destination           Protocol Length Info
> >     4496 49.945101      172.25.110.169        10.65.84.14           SNMP     154    report 1.3.6.1.6.3.15.1.1.1.0
> >
> > Frame 4496: 154 bytes on wire (1232 bits), 154 bytes captured (1232 bits) on interface \Device\NPF_{71745524-1B4D-4E06-8D78-0E258F5FBAED}, id 0
> > Ethernet II, Src: CIMSYS_33:44:55 (00:11:22:33:44:55), Dst: Cisco_3c:7a:00 (00:05:9a:3c:7a:00)
> > Internet Protocol Version 4, Src: 172.25.110.169, Dst: 10.65.84.14
> > User Datagram Protocol, Src Port: 161, Dst Port: 49987
> > Simple Network Management Protocol
> >      msgVersion: snmpv3 (3)
> >      msgGlobalData
> >          msgID: 1572876
> >          msgMaxSize: 65507
> >          msgFlags: 00
> >              .... .0.. = Reportable: Not set
> >              .... ..0. = Encrypted: Not set
> >              .... ...0 = Authenticated: Not set
> >          msgSecurityModel: USM (3)
> >      msgAuthoritativeEngineID: 80001f88801cfa42209b6fa665
> >          1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
> >          Engine Enterprise ID: net-snmp (8072)
> >          Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
> >          Engine ID Data: 1cfa4220
> >          Engine ID Data: Creation Time: Jan 16, 2024 12:59:23 Paris, Madrid
> >      msgAuthoritativeEngineBoots: 17
> >      msgAuthoritativeEngineTime: 67315
> >      msgUserName: vincent
> >      msgAuthenticationParameters: <MISSING>
> >      msgPrivacyParameters: <MISSING>
> >      msgData: plaintext (0)
> >          plaintext
> >              contextEngineID: 80001f88801cfa42209b6fa665
> >                  1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
> >                  Engine Enterprise ID: net-snmp (8072)
> >                  Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
> >                  Engine ID Data: 1cfa4220
> >                  Engine ID Data: Creation Time: Jan 16, 2024 12:59:23 Paris, Madrid
> >              contextName:
> >              data: report (8)
> >                  report
> >                      request-id: 0
> >                      error-status: noError (0)
> >                      error-index: 0
> >                      variable-bindings: 1 item
> >                          1.3.6.1.6.3.15.1.1.1.0: 10
> >                              Object Name: (iso.3.6.1.6.3.15.1.1.1.0)
> >                              Value (Counter32): 10
> >
> > _______________________________________________
> > Net-snmp-coders mailing list
> > Net-snmp-coders@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
>

