Dave,
Thanks for the insight! Really appreciate it!
I think using the standard snmpd.conf configuration directives, I might
still be able to deny access to a particular community from a particular host
or subnet. Here's what I plan to do. Please, tell me if this is logically wrong!
    # doomedGrp contains all the folks who won't be allowed access.
    #                 context  sec.model  sec.level  prefix  read  write  notify
    access doomedGrp  ""       any        noauth     exact   none  none   none

    # ADD THE FOLLOWING FOR EACH OF THE HOST + COMMUNITY COMBO U WANNA BLOCK!
    #        sec.name      source                           community
    com2sec  not2allow<1>  <specified host/subnet>/<mask>   <the specified doomed community>

    #      group      sec.model  sec.name
    group  doomedGrp  v1         not2allow<1>
    group  doomedGrp  v2c        not2allow<1>
    group  doomedGrp  usm        not2allow<1>
Any help is very much appreciated!
-Arijit
----- Original Message ----
From: Dave Shield <[EMAIL PROTECTED]>
To: arijit <[EMAIL PROTECTED]>
Cc: net-snmp net-snmp <[email protected]>
Sent: Monday, January 7, 2008 2:41:26 PM
Subject: Re: How to deny access from only some hosts using vacm
On 07/01/2008, arijit <[EMAIL PROTECTED]> wrote:
> However, snmpd.conf does allow as part of com2sec specification ip address of
> hosts(subnets) from which to allow accesses in addition to the groupname.
> I was wondering, if net-snmp already implements this, if the other option of
> not allowing access from certain hosts is already there - undocumented!
No.
Mike is quite correct - it is not possible to implement host-specific SNMPv3
access control.

The community-based host filtering is done at an earlier conceptual stage,
as part of turning the community string into an (internal) security name.
The VACM MIB works with this security name, and does not take any notice of
the source of the request. That's inherent in the design of this MIB - there's
no hook for including such source information.

The only other option would be to use the /etc/hosts.{allow,deny} mechanism,
which can be used to accept/block requests based on their source. But that
would work *purely* on the source - you couldn't reject requests with one
(valid) SNMPv3 user from a given system, while accepting requests with a
different SNMPv3 user.
Dave
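Added example, not part of this thread and not net-snmp's own code: a simplified Python model of the two stages Dave describes (com2sec turns source address + community into a security name; the group/access tables then decide on the security name alone). It shows why Arijit's deny-first com2sec entry can work for v1/v2c requests, why the entry order matters (net-snmp takes the first matching com2sec line), and why the "group doomedGrp usm" line does nothing, since a USM security name is the user name and never passes through com2sec. The security names not2allow1 and readonly, the groups doomedGrp and MyROGroup, the USM user "monitor", the community "public" and the addresses in 192.0.2.0/24 are all constructed for the example; the matching rules are deliberately reduced (first matching access line wins, security level ignored).

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Com2Sec:
    sec_name: str
    source: str      # "default" or host/subnet in CIDR form
    community: str


@dataclass
class Access:
    group: str
    sec_model: str   # "any", "v1", "v2c" or "usm"
    read_view: str   # "none" means no read access


def _source_matches(source: str, src_ip: str) -> bool:
    if source == "default":
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(source, strict=False)


def resolve_sec_name(com2sec: List[Com2Sec], src_ip: str, community: str) -> Optional[str]:
    # Stage 1 (community-based only): the first com2sec line whose source and
    # community both match supplies the security name; later lines are ignored.
    for entry in com2sec:
        if entry.community == community and _source_matches(entry.source, src_ip):
            return entry.sec_name
    return None


def read_view_for(config: dict, request: dict) -> Optional[str]:
    """Return the read view granted to a request, or None when access is denied.

    request keys: sec_model ("v1"/"v2c"/"usm"), src_ip, and either
    community (v1/v2c) or user (usm).
    """
    model = request["sec_model"]
    if model in ("v1", "v2c"):
        sec_name = resolve_sec_name(config["com2sec"], request["src_ip"], request["community"])
    else:
        # USM: the security name is simply the user name. The source address is
        # never consulted, so no com2sec-style per-host rule can apply here.
        sec_name = request["user"]
    if sec_name is None:
        return None
    # Stage 2 (VACM): group and access lookups see only (sec_model, sec_name).
    group = config["group"].get((model, sec_name))
    if group is None:
        return None
    for acc in config["access"]:
        if acc.group == group and acc.sec_model in ("any", model):
            return None if acc.read_view == "none" else acc.read_view
    return None


# Constructed configuration mirroring the deny-first idea from the thread.
CONFIG = {
    "com2sec": [
        Com2Sec("not2allow1", "192.0.2.10/32", "public"),   # blocked host, listed first
        Com2Sec("readonly", "default", "public"),           # everyone else
    ],
    "group": {
        ("v1", "not2allow1"): "doomedGrp",
        ("v2c", "not2allow1"): "doomedGrp",
        ("usm", "not2allow1"): "doomedGrp",   # unreachable: no USM user is named not2allow1
        ("v1", "readonly"): "MyROGroup",
        ("v2c", "readonly"): "MyROGroup",
        ("usm", "monitor"): "MyROGroup",
    },
    "access": [
        Access("doomedGrp", "any", "none"),
        Access("MyROGroup", "any", "all"),
    ],
}


def with_reversed_com2sec(config: dict) -> dict:
    # Same entries in the wrong order: the "default" line now matches first.
    return {**config, "com2sec": list(reversed(config["com2sec"]))}


if __name__ == "__main__":
    blocked = {"sec_model": "v2c", "src_ip": "192.0.2.10", "community": "public"}
    other = {"sec_model": "v2c", "src_ip": "192.0.2.20", "community": "public"}
    v3 = {"sec_model": "usm", "src_ip": "192.0.2.10", "user": "monitor"}
    print("v2c from blocked host:", read_view_for(CONFIG, blocked))
    print("v2c from other host:  ", read_view_for(CONFIG, other))
    print("USM from blocked host:", read_view_for(CONFIG, v3))
    print("blocked host, com2sec reversed:", read_view_for(with_reversed_com2sec(CONFIG), blocked))
```

Running it shows the v2c request from the blocked host denied, the same request from another host granted, the SNMPv3 request from the blocked host still granted (its user name "monitor" maps straight to MyROGroup), and the block silently disappearing once the "default" com2sec line is listed before the host-specific one.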
_______________________________________________
Net-snmp-users mailing list
[email protected]
Please see the following page to unsubscribe or change other options:
https://lists.sourceforge.net/lists/listinfo/net-snmp-users