Discussion:
Need Help on Snmpv3 AES issue
Suhasini Katuri
2017-06-27 05:50:29 UTC
Hi All,

I've configured an SNMPv3 user with authentication of SHA and encryption of
AES and I tried to snmpget on a MIB object of type sysUpTime, as follows.

I'm using CentOS and the net-snmp version is 5.7.3,

[***@centOs67-9 ~]# snmpd -v



NET-SNMP version: 5.7.3

Web: http://www.net-snmp.org/

Email: net-snmp-***@lists.sourceforge.net


1. Stop snmpd process


2. Create snmpv3 user as follows

[***@centOs67-9 ~]# net-snmp-config --create-snmpv3-user -a SHA -A
"my_password" -x AES -X "my_passwordx" sukaturi

adding the following line to /var/net-snmp/snmpd.conf:

createUser sukaturi SHA "my_password" AES my_passwordx

adding the following line to /usr/local/share/snmp/snmpd.conf:

rwuser sukaturi

3. Start snmpd process

i.e [***@centOs67-9 ~]# /usr/local/sbin/snmpd



Snmpd.conf consists of :

/var/net-snmp/snmpd.conf:



usmUser 1 3 0x80001f88804bacd0564aa3165900000000 "sukaturi" "sukaturi" NULL
.1.3.6.1.6.3.10.1.1.3 0x6a54643582b22e968088bf569181292a6d166a7a
.1.3.6.1.6.3.10.1.2.4 0xbae320f7db964cdc9fa9b82589b2cde8 ""



Snmpget Operations:

-----------------------------

1. User: sukaturi

Type : authpriv


[***@centOs67-9 ~]# snmpget -v 3 -u sukaturi -l authPriv -a SHA -A
my_password -x AES -X my_passwordx localhost sysUpTime.0

DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (55730) 0:09:17.30



I've created an SNMPv3 user with auth and priv, but when I tried to do an snmpget
with authNoPriv, it is accepting it and giving results as follows, but it
generally needs to throw an error like unsupported security level.


2. User: sukaturi

Type:authnopriv


[***@centOs67-9 ~]# snmpget -v 3 -u sukaturi -l authNoPriv -a SHA -A
my_password localhost sysUpTime.0

DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (57122) 0:09:31.22

[***@centOs67-9 ~]#

This exists in net-snmp versions 5.7.2 and 5.7.3.

Does anybody know of a bug filed for it? I've searched netsnmp.org and haven't
found a bug related to it.

Can you guys please mention the patch for it if a bug is already filed for it?
Please can you guys mention the bug name for it.
--
Thanks & Regards,

suhasini katuri
Pushpa Thimmaiah
2017-06-27 10:52:19 UTC
Hi,

I faced the same behaviour too with the latest (27/June/2017) net-snmp-5.7.3.tar.gz
-----------------------------------------------------------------------------------
*net-snmp-5.7.3*

:~$ snmpwalk -v 3 -n "" -u initial -a MD5 -A "auth_pass" -x DES -X
"priv_pass" -l authPriv 192.168.122.85 iso.3.6.1.2.1.1.3.0
iso.3.6.1.2.1.1.3.0 = Timeticks: (104392) 0:17:23.92

:~$ snmpwalk -v 3 -n "" -u initial -a MD5 -A "auth_pass" -x DES -X
"priv_pass" -l authNoPriv 192.168.122.85 iso.3.6.1.2.1.1.3.0
iso.3.6.1.2.1.1.3.0 = Timeticks: (105137) 0:17:31.37

:~$ snmpwalk -v 3 -n "" -u initial -a MD5 -A "auth_pass" -l authNoPriv
192.168.122.85 iso.3.6.1.2.1.1.3.0
iso.3.6.1.2.1.1.3.0 = Timeticks: (105747) 0:17:37.47

------------------------------------------------------------------------------------
*net-snmp-5.4.x*

:~$ snmpwalk -v 3 -n "" -u initial -a MD5 -A "auth_pass" -x DES -X
"priv_pass" -l authNoPriv 10.208.207.112 iso.3.6.1.2.1.1.3.0
Error in packet.
Reason: authorizationError (access denied to that object)
~$ snmpwalk -v 3 -n "" -u initial -a MD5 -A "auth_pass" -x DES -X
"priv_pass" -l authPriv 10.208.207.112 iso.3.6.1.2.1.1.3.0
iso.3.6.1.2.1.1.3.0 = Timeticks: (42528) 0:07:05.28
-------------------------------------------------------------------------------------


Thanks,
Pushpa.T
Suhasini Katuri
2017-06-27 12:25:26 UTC
Hi Pushpa,

Has anybody filed a bug for it in the latest net-snmp version?

If you know about that can you share those details.

Thanks ,
Suhasini.

Suhasini Katuri
2017-06-27 12:41:17 UTC
Hi Pushpa,

Thanks for the information.

From your mail, I understand that it is working fine on older branches and
failing on the latest branches.
Will this fix be integrated in future releases?
Can you please share the exact version of net-snmp that has a fix for it?

Thanks,
Suhasini.

Bill Fenner
2017-06-27 15:02:32 UTC
The documentation for the "rwuser" configuration option says that this is
the behavior that it configures, so I would not call this a bug. If you
want to force privacy, try "rwuser sukaturi priv".

Bill
Suhasini Katuri
2017-06-28 07:52:15 UTC
Hi Bill,

I've tried adding rwuser sukaturi priv manually to
/usr/local/share/snmp/snmpd.conf, and it is giving me the expected results.
Is there any way (command) to get priv along with rwuser in
/usr/local/share/snmp/snmpd.conf without editing it manually?


Thanks,
Suhasini.
Bill Fenner
2017-06-28 15:01:41 UTC
If you are using "net-snmp-create-v3-user", then no. That would be a good
feature request to file at
https://sourceforge.net/p/net-snmp/feature-requests/new/

Bill
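
The two points in the replies above (a bare "rwuser USER" line accepts authNoPriv, and the user-creation script cannot append "priv") can be checked and corrected with a small script. This is an added example, not part of the thread or of net-snmp; the function names audit_min_level and enforce_priv and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit rouser/rwuser lines in snmpd.conf.
# Directive syntax per snmpd.conf(5):
#   rwuser [-s SECMODEL] USER [noauth|auth|priv [OID | -V VIEW [CONTEXT]]]
# With no level given the minimum is "auth", so authNoPriv requests are accepted.

# Print "DIRECTIVE USER LEVEL" for every access line that does not require priv.
audit_min_level() {
    awk '
        $1 == "rouser" || $1 == "rwuser" {
            i = 2
            if ($i == "-s") i += 2            # skip optional "-s SECMODEL"
            user = $i
            gsub(/"/, "", user)               # tolerate a quoted user name
            level = ($(i + 1) == "") ? "auth" : $(i + 1)
            if (level != "priv") print $1, user, level
        }
    ' "$@"
}

# Append "priv" to USER's bare "rouser USER" / "rwuser USER" lines in FILE.
# Lines that already carry a level, view or -s option are left for manual review.
enforce_priv() {
    file=$1
    user=$2
    tmp=$(mktemp) || return 1
    awk -v u="$user" '
        ($1 == "rouser" || $1 == "rwuser") && $2 == u && NF == 2 {
            print $1, $2, "priv"; next
        }
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps FILE owner and mode
    rm -f "$tmp"
}

# Constructed sample config mirroring the thread's setup (not a real file).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# constructed sample
rwuser sukaturi
rouser -s usm monitor auth
rwuser admin priv
EOF

audit_min_level "$demo_conf"        # reports sukaturi and monitor
enforce_priv "$demo_conf" sukaturi
audit_min_level "$demo_conf"        # reports monitor only
```

On the setup in this thread the file to audit is /usr/local/share/snmp/snmpd.conf, and snmpd has to re-read its configuration before the change takes effect.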