I probably know less than you, but I really would like to understand before this product gets released. In my case, the command does work, and the user is created, but there are some significant differences in our setups. The main one appears to be that I have my 'createuser' directive in the persistent config file rather than in the static config file (because that's what the docs told me to do). Of course, it could have to do with build options as well. My install is a FreeBSD port, and I just built with the defaults.
On Thu, Oct 20, 2011 at 2:54 PM, Gary Dunlap <gary.dun...@dothill.com> wrote:
> I tried a similar snmpusm command, and it's rejected with an authorization
> error, with "access denied to that object". I don't really know enough about
> usm/vacm, etc. to know what prevents another user from being created. If
> there's a security hole here I'd definitely be interested in knowing that.
>
> -----Original Message-----
> From: Brian Jones [mailto:babe...@gmail.com]
> Sent: Thursday, October 20, 2011 3:22 PM
> To: Gary Dunlap
> Cc: net-snmp-users@lists.sourceforge.net
> Subject: Re: net-snmp security conundrum
>
> So if I'm sitting on your network somewhere, and I issue the following
> command, what happens?
>
> snmpusm -v 3 -u secureUser -a MD5 -A whoAreYou -X whoAreYou -l authPriv \
> yourAppliance create anotherUser secureUser
>
> Is anotherUser created? If not, can you explain to me what is
> preventing anotherUser from being created?
>
> Are you suppressing persistent data by passing the '-C' flag to snmpd
> as well? If not, what ends up in your persistent data file
> (/var/net-snmp/snmpd.conf by default) the next time you -HUP snmpd?
>
> On Thu, Oct 20, 2011 at 1:25 PM, Gary Dunlap <gary.dun...@dothill.com> wrote:
>>
>> My implementation is on a local linux system, also for a product appliance,
>> and I don't have the notion of a remote station updating it. So it's not
>> updated via MIBs.
>>
>> I let v1/v2c users discover MIB-II info but restrict them from the rest, if
>> there are any SNMPv3 users defined. I'd be interested to know if that meets
>> the community's definition of SNMPv3/v2 coexistence. I didn't find much by
>> researching it.
>>
>> So below is an example snmpd.conf that configures a v3 user, but lets v2
>> users be controlled by community strings and limited to a particular view.
>>
>> # cat snmpd.conf
>> rwuser secureUser
>> createUser secureUser MD5 "whoAreYou" DES "whoAreYou"
>> trapsink 10.134.1.9
>> view mgmtprivate included .1.3.6.1.2.1.1
>> view mgmtprivate included .1.3.6.1.4
>> rocommunity public default -V mgmtprivate
>> rwcommunity private default -V mgmtprivate
>> trapcommunity public
>> engineIDType 3
>>
>> From: Brian Jones [mailto:babe...@gmail.com]
>> Sent: Thursday, October 20, 2011 2:13 PM
>> To: Gary Dunlap
>> Cc: -snmp-us...@lists.sourceforge.net
>> Subject: Re: net-snmp security conundrum
>>
>> How do you handle the case of a user created via snmp from a remote
>> station? In this case the GUI would have no idea about that user. Do you
>> simply not allow rwusers? Or rwcommunities if you are also supporting 1,2c?
>>
>> On Thu, Oct 20, 2011 at 1:03 PM, Gary Dunlap <gary.dun...@dothill.com> wrote:
>>
>> Are you talking about snmpd? I just edit/recreate snmpd.conf to match the
>> users defined in the GUI, then give snmpd the interrupt to re-read
>> snmpd.conf. As far as which snmpd.conf, it's the one supplied when starting
>> snmpd, in my case "-c/cfg/etc/config/snmpd.conf".
>>
>> Gary
>>
>> From: Brian Jones [mailto:babe...@gmail.com]
>> Sent: Thursday, October 20, 2011 1:46 PM
>> To: net-snmp-users@lists.sourceforge.net
>> Subject: net-snmp security conundrum
>>
>> I am trying to write a GUI for net-snmp on a FreeBSD based appliance and I
>> am struggling with the security model. The way I see it, I can
>> create/modify usmUsers in one of two ways.
>>
>> 1) via directly editing the static and persistent config files
>> 2) via commands like snmpusm
>>
>> If I choose method 1, then I need some way to associate the rouser/rwuser
>> line in the static config with the appropriate usmUser line in the
>> persistent config, and I can't seem to find a way to do that.
>>
>> If I choose method 2, then I need to have an rwuser for use by the GUI whose
>> password can only be modified from localhost. I suspect this might be
>> possible to do using views, but I sure haven't been able to figure it out
>> yet.
>>
>> Thoughts, comments, opinions, please.
>>
>
_______________________________________________
Net-snmp-users mailing list
Net-snmp-users@lists.sourceforge.net
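The open question in the thread is whether a bare `rwuser secureUser` (no view or OID restriction) lets that user write the USM user table and so create further users with `snmpusm ... create`. The following is an added example, not code from the thread or from the net-snmp project: a small audit script that parses an snmpd.conf in the format quoted above and flags every `rwuser` / `rwcommunity` whose reach includes the USM subtree (.1.3.6.1.6.3.15, SNMP-USER-BASED-SM-MIB) or the VACM subtree (.1.3.6.1.6.3.16). The `-V VIEW` and bare-OID restriction forms are net-snmp's documented `rwuser`/`rwcommunity` syntax; the view matching is a simplified VACM longest-prefix match that ignores view masks and contexts, and the sample configs (the thread's own, plus a constructed hardened variant) are embedded inline.

```python
"""Audit a net-snmp snmpd.conf for write principals (rwuser / rwcommunity)
whose view or OID restriction reaches the USM user table or the VACM tables.
A principal that can write there can create or alter SNMP users remotely.

Added example, not part of net-snmp.  View matching is a simplified VACM
longest-prefix match: view masks and contexts are ignored."""

import re

USM_SUBTREE = ".1.3.6.1.6.3.15"   # SNMP-USER-BASED-SM-MIB (usmUserTable)
VACM_SUBTREE = ".1.3.6.1.6.3.16"  # SNMP-VIEW-BASED-ACM-MIB (vacm* tables)
SENSITIVE = (USM_SUBTREE, VACM_SUBTREE)
LEVELS = ("noauth", "auth", "priv")


def _oid(s):
    return tuple(int(x) for x in s.strip(".").split("."))


def _prefix(a, b):
    """True if OID tuple a is a prefix of (or equal to) OID tuple b."""
    return b[:len(a)] == a


def parse_config(text):
    """Return (views, writers).  views: name -> [(included|excluded, oid)].
    writers: [(directive, principal, restriction)] where restriction is
    None (unrestricted), an OID string, or ('view', name)."""
    views, writers = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not parts:
            continue
        kw = parts[0].lower()
        if kw == "view" and len(parts) >= 4:
            views.setdefault(parts[1], []).append((parts[2].lower(), parts[3]))
        elif kw in ("rwuser", "rwcommunity") and len(parts) >= 2:
            # rwuser USER [noauth|auth|priv] [OID | -V VIEW]
            # rwcommunity COMMUNITY [SOURCE [OID | -V VIEW]]
            rest = parts[2:]
            if kw == "rwuser" and rest and rest[0].lower() in LEVELS:
                rest = rest[1:]
            elif kw == "rwcommunity" and rest:
                rest = rest[1:]                  # skip SOURCE
            restriction = None
            if len(rest) >= 2 and rest[0] == "-V":
                restriction = ("view", rest[1])
            elif rest and re.fullmatch(r"\.?\d+(\.\d+)*", rest[0]):
                restriction = rest[0]
            writers.append((kw, parts[1], restriction))
    return views, writers


def view_reaches(views, name, target):
    """Can view `name` reach anything under `target`?  The longest entry
    covering `target` decides; an included entry strictly below `target`
    counts as reachable (conservative for an audit)."""
    t = _oid(target)
    best = None
    for vtype, oid in views.get(name, []):
        o = _oid(oid)
        if _prefix(o, t):
            if best is None or len(o) > len(best[1]):
                best = (vtype, o)
        elif _prefix(t, o) and vtype == "included":
            return True
    return best is not None and best[0] == "included"


def audit(text):
    """Return findings as (directive, principal, [reachable sensitive subtrees])."""
    views, writers = parse_config(text)
    findings = []
    for kw, who, restriction in writers:
        if restriction is None:
            reach = list(SENSITIVE)              # whole tree is writable
        elif isinstance(restriction, tuple):
            reach = [s for s in SENSITIVE if view_reaches(views, restriction[1], s)]
        else:
            r = _oid(restriction)
            reach = [s for s in SENSITIVE if _prefix(r, _oid(s)) or _prefix(_oid(s), r)]
        if reach:
            findings.append((kw, who, reach))
    return findings


# The snmpd.conf quoted in the thread.
THREAD_CONFIG = "\n".join([
    "rwuser secureUser",
    'createUser secureUser MD5 "whoAreYou" DES "whoAreYou"',
    "trapsink 10.134.1.9",
    "view mgmtprivate included .1.3.6.1.2.1.1",
    "view mgmtprivate included .1.3.6.1.4",
    "rocommunity public default -V mgmtprivate",
    "rwcommunity private default -V mgmtprivate",
    "trapcommunity public",
    "engineIDType 3",
])

# Constructed hardened variant: the v3 user gets the same view as the communities.
HARDENED_CONFIG = "\n".join([
    "view mgmtprivate included .1.3.6.1.2.1.1",
    "view mgmtprivate included .1.3.6.1.4",
    "rwuser secureUser priv -V mgmtprivate",
    "rwcommunity private default -V mgmtprivate",
])

if __name__ == "__main__":
    for label, cfg in (("thread", THREAD_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg))
```

On the thread's config the only finding is the bare `rwuser secureUser`, which is exactly the line that lets the quoted `snmpusm ... create anotherUser secureUser` succeed; `rwcommunity private` is already confined to `mgmtprivate`, which never touches .1.3.6.1.6.3. Giving the v3 user the same `-V mgmtprivate` restriction clears the finding. Run the script over both the static file and the persistent one (/var/net-snmp/snmpd.conf by default, as the thread notes), since snmpd reads both.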