[Probably a bit late now, but this doesn't seem to have been answered yet ]
> I want to limit access to the net-snmp agent (snmpd) to only secure
> (encrypted) channels. In the simplest case, I can include rouser
> and rwuser in snmpd.conf and omit rocommunity and rwcommunity.
> Is that right?

Yes. If there are no access control settings to allow community-based
requests (either "r[ow]community" or v1/v2c based "access" entries)
then such requests will be dropped.

> If I want to get a little more sophisticated,
> I can omit v1 and v2c from my group table like:
>
> #                  sec.model  sec.name
> # group MyRWGroup  v1         local
> # group MyRWGroup  v2c        local
> group MyRWGroup    usm        local
> # group MyROGroup  v1         mynetwork
> # group MyROGroup  v2c        mynetwork
> group MyROGroup    usm        mynetwork
>
> Is that right?

Correct. That would only allow SNMPv3 requests (assuming suitable
"access" lines) and deny community-based ones.

Note that this doesn't itself block unauthenticated, or authenticated
but unencrypted SNMPv3 requests. That's the task of the "access" line.

> What if I want a local user/community to use within a configuration
> utility but never want remote, unencrypted access. I'd include the
> MyRWGroup/v2c line above, right?

Ummm...
If you want to allow community-based requests from a particular network,
then the easiest approach is something like

    rocommunity mycommunity 10.0.0.0/8

Alternatively, you could apply the same restriction to setting the
(internal) security name:

    com2sec mynetwork 10.0.0.0/8 mycommunity

and then use the group/view/access lines as before.

> Finally, am I correct that in v5.1.x, there's no way to compile v1 or v2c
> out of the agent? The best I can do is not configure insecure access?

Correct.

Dave
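A small checker for the points made in the reply above, as an added example that is not part of the original message or of net-snmp: it flags snmpd.conf lines that admit community-based requests or SNMPv3 requests below the "priv" level. The sample configuration is constructed, the function name is hypothetical, and treating rouser/rwuser without an explicit level as "auth" is an assumption taken from the snmpd.conf man page.

```python
# Added example: audit snmpd.conf text for lines that allow non-encrypted access.
COMMUNITY = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6",
             "com2sec", "com2sec6"}

# Constructed sample: group/com2sec names follow the thread, the rest is made up.
SAMPLE = """\
# constructed sample, not from a real host
com2sec mynetwork 10.0.0.0/8 mycommunity
# group MyRWGroup v1 local
group MyRWGroup usm local
group MyROGroup v2c mynetwork
group MyROGroup usm mynetwork
access MyROGroup "" usm auth exact all none none
access MyRWGroup "" usm priv exact all all none
rouser monitor
rwuser admin priv
"""

def audit_snmpd_conf(text):
    """Return [(line_no, message)] for settings that permit unencrypted access."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out directive
        tok = line.split()
        d, args = tok[0].lower(), tok[1:]
        if d in COMMUNITY:
            findings.append((no, d + " enables community-based (v1/v2c) requests"))
        elif d == "group" and len(args) >= 3 and args[1].lower() in ("v1", "v2c"):
            findings.append((no, "group maps a " + args[1] + " security name"))
        elif d == "access" and len(args) >= 4 and args[3].lower() != "priv":
            # access GROUP CONTEXT MODEL LEVEL PREFIX READ WRITE NOTIFY
            findings.append((no, "access level '" + args[3] + "' admits unencrypted requests"))
        elif d in ("rouser", "rwuser"):
            rest = args[2:] if args[:1] == ["-s"] else args  # skip "-s SECMODEL"
            level = rest[1].lower() if len(rest) > 1 else "auth"  # assumed default
            if level != "priv":
                findings.append((no, d + " at level '" + level + "' admits unencrypted requests"))
    return findings

if __name__ == "__main__":
    for no, msg in audit_snmpd_conf(SAMPLE):
        print("line %d: %s" % (no, msg))
```

Lines 2, 5, 7 and 9 of the sample are reported; the commented-out v1 group line and the usm/priv entries are not.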