Hi hwhr, thanks for your response...

Actually, I know about openssl, and snmpd.conf. 
What I need to accomplish, though, is to manually implement snmp v3 message parsers and generators in C, for an embedded system.  I was originally hoping to just use net-snmp source code, but the 66,000 lines of code in snmplib is *far* beyond what we can absorb on our embedded platform.

As I described in my original post, I have already completed this task for snmp v1 and v2; I just need to figure out how to handle message digests (i.e., which portion of the message is the digest calculated over), and what the interface is to the openssl code which is included with net-snmp.

I've been trying to derive these answers by walking through snmpget.c, but once it reaches into snmplib modules, it is very convoluted and I got lost.  I'm going to take another attempt at this today, since apparently there is no other open-source code that handles snmp v3 ...

On 04/20/16 18:32, hwhr wrote:
You must install the openssl library and modify the configuration file snmpd.conf, e.g.:

###############################################################################
#
# EXAMPLE.conf:
# An example configuration file for configuring the Net-SNMP agent ('snmpd')
# See the 'snmpd.conf(5)' man page for details
#
# Some entries are deliberately commented out, and will need to be explicitly activated
#
###############################################################################
#
# AGENT BEHAVIOUR
#

# Listen for connections from the local system only
agentAddress udp:127.0.0.1:161
# Listen for connections on all interfaces (both IPv4 *and* IPv6)
#agentAddress udp:161,udp6:[::1]:161



###############################################################################
#
# SNMPv3 AUTHENTICATION
#
# Note that these particular settings don't actually belong here.
# They should be copied to the file /var/net-snmp/snmpd.conf
# and the passwords changed, before being uncommented in that file *only*.
# Then restart the agent

# createUser authOnlyUser MD5 "remember to change this password"
# createUser authPrivUser SHA "remember to change this one too" DES
# createUser internalUser MD5 "this is only ever used internally, but still change the password"

# If you also change the usernames (which might be sensible),
# then remember to update the other occurrences in this example config file to match.



###############################################################################
#
# ACCESS CONTROL
#

# system + hrSystem groups only
view systemonly included .1

# Full access from the local host
#rocommunity public localhost
# Default access to basic system info
rocommunity public default -V systemonly
rwcommunity private default -V systemonly

# Full access from an example network
# Adjust this network address to match your local
# settings, change the community string,
# and check the 'agentAddress' setting above
#rocommunity secret 10.0.0.0/16

# Full read-only access for SNMPv3
rouser authOnlyUser
# Full write access for encrypted requests
# Remember to activate the 'createUser' lines above
#rwuser authPrivUser priv

# It's no longer typically necessary to use the full 'com2sec/group/access' configuration
# r[ou]user and r[ow]community, together with suitable views, should cover most requirements



###############################################################################
#
# SYSTEM INFORMATION
#

# Note that setting these values here, results in the corresponding MIB objects being 'read-only'
# See snmpd.conf(5) for more details
sysLocation Sitting on the Dock of the Bay
sysContact Me <m...@example.org>
# Application + End-to-End layers
sysServices 72


#
# Process Monitoring
#
# At least one 'mountd' process
proc mountd
# No more than 4 'ntalkd' processes - 0 is OK
proc ntalkd 4
# At least one 'sendmail' process, but no more than 10
proc sendmail 10 1

# Walk the UCD-SNMP-MIB::prTable to see the resulting output
# Note that this table will be empty if there are no "proc" entries in the snmpd.conf file


#
# Disk Monitoring
#
# 10MBs required on root disk, 5% free on /var, 10% free on all other disks
disk / 10000
disk /var 5%
includeAllDisks 10%

# Walk the UCD-SNMP-MIB::dskTable to see the resulting output
# Note that this table will be empty if there are no "disk" entries in the snmpd.conf file


#
# System Load
#
# Unacceptable 1-, 5-, and 15-minute load averages
load 12 10 5

# Walk the UCD-SNMP-MIB::laTable to see the resulting output
# Note that this table *will* be populated, even without a "load" entry in the snmpd.conf file



###############################################################################
#
# ACTIVE MONITORING
#

# send SNMPv1 traps
trapsink localhost public
# send SNMPv2c traps
#trap2sink localhost public
# send SNMPv2c INFORMs
#informsink localhost public

# Note that you typically only want *one* of these three lines
# Uncommenting two (or all three) will result in multiple copies of each notification.


#
# Event MIB - automatically generate alerts
#
# Remember to activate the 'createUser' lines above
iquerySecName internalUser
rouser internalUser
# generate traps on UCD error conditions
defaultMonitors yes
# generate traps on linkUp/Down
linkUpDownNotifications yes



###############################################################################
#
# EXTENDING THE AGENT
#

#
# Arbitrary extension commands
#
extend test1 /bin/echo Hello, world!
extend-sh test2 echo Hello, world! ; echo Hi there ; exit 35
#extend-sh test3 /bin/sh /tmp/shtest

# Note that this last entry requires the script '/tmp/shtest' to be created first,
# containing the same three shell commands, before the line is uncommented

# Walk the NET-SNMP-EXTEND-MIB tables (nsExtendConfigTable, nsExtendOutput1Table
# and nsExtendOutput2Table) to see the resulting output

# Note that the "extend" directive supersedes the previous "exec" and "sh" directives
# However, walking the UCD-SNMP-MIB::extTable should still return the same output,
# as well as the fuller results in the above tables.


#
# "Pass-through" MIB extension command
#
#pass .1.3.6.1.4.1.8072.2.255 /bin/sh PREFIX/local/passtest
#pass .1.3.6.1.4.1.8072.2.255 /usr/bin/perl PREFIX/local/passtest.pl

# Note that this requires one of the two 'passtest' scripts to be installed first,
# before the appropriate line is uncommented.
# These scripts can be found in the 'local' directory of the source distribution,
# and are not installed automatically.

# Walk the NET-SNMP-PASS-MIB::netSnmpPassExamples subtree to see the resulting output


#
# AgentX Sub-agents
#
# Run as an AgentX master agent
master agentx
# Listen for network connections (from localhost)
# rather than the default named socket /var/agentx/master
#agentXSocket tcp:localhost:705
rwuser gaochizhen

At 2016-04-21 02:18:25, "Dan Miller" <d...@anacominc.com> wrote:
First of all, my company makes satellite radios, and I implemented SNMP support (v1, v2) for our radios and switches, which use an SoC based on ARM9 processor.  I did this by using net-snmp utilities to talk to snmpd, capturing packets in WireShark, and reverse-engineering the various Get/GetNext/Set/GetBulk/Trap requests and responses.  This is working well, and I can communicate successfully with our devices, using net-snmp utilities and a Visual Studio application.

Now we want to add v3 support... I've captured v3 comm sequences for authNoPriv and authPriv communications, but beyond that I'm in unknown territory...

As a starter, I thought I'd just look at the authentication messages, and leave encryption for later, but I can't even figure out how to match the MD5 messages that I see in the packets; for one thing, all the MD5 utilities that I've seen, generate 16-byte messages, while the MD5 data (msgAuthParams) in these messages is only 12 bytes.  Beyond that, I don't know what portion of the messages the digest is generated over.

ITM, I tried looking at snmpget, and the functions in snmplib that this calls, but I got as far as generate_Ku() and am completely lost!!

Are there tutorials somewhere, that will discuss at a higher level, how to handle the message generation for auth and encryption for snmpv3, preferably with respect to the openssl modules ??  And will I actually need detailed understanding of how encryption works before I can implement these functions?
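
On the two questions raised in this thread: RFC 3414 defines msgAuthenticationParameters for MD5 as HMAC-MD5-96, the first 12 bytes of a 16-byte HMAC-MD5 computed over the entire serialized message with that 12-byte field set to zeros, keyed with the password-derived key localized to the agent's engine ID. The following is an added reference model in Python (not net-snmp code and not from any poster) that a C implementation's output can be checked against; `tlv`, `build_sample` and the sample message are constructed for illustration, and the field offset is assumed to be recorded by your own encoder or parser.

```python
import hashlib
import hmac

def password_to_key(password: bytes) -> bytes:
    """Ku (RFC 3414 Appendix A): MD5 over 1,048,576 bytes of the repeated password."""
    if not password:
        raise ValueError("password must not be empty")
    reps, rem = divmod(1048576, len(password))
    return hashlib.md5(password * reps + password[:rem]).digest()

def localize_key(ku: bytes, engine_id: bytes) -> bytes:
    """Kul: Ku bound to one agent's snmpEngineID, MD5(Ku || engineID || Ku)."""
    return hashlib.md5(ku + engine_id + ku).digest()

def auth_params(kul: bytes, msg: bytes, off: int) -> bytes:
    """HMAC-MD5 over the WHOLE message with the 12-byte field zeroed, cut to 96 bits."""
    zeroed = msg[:off] + bytes(12) + msg[off + 12:]
    return hmac.new(kul, zeroed, hashlib.md5).digest()[:12]

def sign(kul: bytes, msg: bytes, off: int) -> bytes:
    """Sender: replace the zero placeholder with the computed digest."""
    return msg[:off] + auth_params(kul, msg, off) + msg[off + 12:]

def verify(kul: bytes, msg: bytes, off: int) -> bool:
    """Receiver: recompute the digest and compare in constant time."""
    return hmac.compare_digest(msg[off:off + 12], auth_params(kul, msg, off))

def tlv(tag: int, body: bytes) -> bytes:
    """Hypothetical helper: BER TLV, short-form length only (body < 128 bytes)."""
    if len(body) > 127:
        raise ValueError("long-form length not handled in this sketch")
    return bytes([tag, len(body)]) + body

def build_sample(engine_id: bytes, user: bytes):
    """Constructed authNoPriv get-request (msgFlags 0x05), sysDescr.0 -> (msg, offset)."""
    usm = tlv(0x30, tlv(4, engine_id) + tlv(2, b"\x01") + tlv(2, b"\x01")
              + tlv(4, user) + tlv(4, bytes(12)) + tlv(4, b""))
    header = tlv(0x30, tlv(2, b"\x01") + tlv(2, b"\x05\xdc") + tlv(4, b"\x05") + tlv(2, b"\x03"))
    varbind = tlv(0x30, tlv(6, bytes.fromhex("2b06010201010100")) + tlv(5, b""))
    pdu = tlv(0xA0, tlv(2, b"\x01") + tlv(2, b"\x00") * 2 + tlv(0x30, varbind))
    scoped = tlv(0x30, tlv(4, engine_id) + tlv(4, b"") + pdu)
    msg = tlv(0x30, tlv(2, b"\x03") + header + tlv(4, usm) + scoped)
    return msg, msg.index(tlv(4, bytes(12))) + 2

if __name__ == "__main__":
    eid = bytes(11) + b"\x02"  # sample engineID from RFC 3414 Appendix A
    kul = localize_key(password_to_key(b"maplesyrup"), eid)
    msg, off = build_sample(eid, b"authOnlyUser")
    print(sign(kul, msg, off)[off:off + 12].hex())
```

The password "maplesyrup" and the engine ID are the sample inputs from RFC 3414 Appendix A, so the intermediate keys can be compared with the values printed there before testing against a Wireshark capture.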

_______________________________________________
Net-snmp-users mailing list
Net-snmp-users@lists.sourceforge.net