How to install and enable SNMPv3 on a Linux system for authentication and encryption testing

Submitted by admin on Sun, 12/26/2010 - 14:26

For testing my own products I'm constantly looking for devices that support the SNMP protocol. The majority of the equipment available supports SNMPv1 (the base protocol, specified in RFC 1157), fewer also support SNMPv2c (which adds the GetBulk and Inform operations), but almost none support SNMPv3!

SNMPv3 is an important step forward with respect to security. SNMPv1 and v2c send the monitoring information (collected from agents running on a system) unencrypted over the network, as readable text when viewed with a tool like Wireshark, and the community string that serves as the only credential travels in the clear with it. Of course not all of this information is top secret, but there are times when you simply don't want to share certain information with others, especially when it is transported over the Internet.

As mentioned before, I had a hard time finding equipment that supports SNMPv3. Fortunately I'm a big fan of Linux and although I'm not the "kernel hacker type", I can find my way around this beautiful and flexible OS pretty well. Because the information on getting SNMPv3 up and running on Linux is somewhat fragmented on the Internet, I decided to write this simple howto. The steps below get SNMPv3 installed and ready for use on a clean installation of Ubuntu Lucid (10.04 LTS). Ubuntu ships the Net-SNMP packages. From my knowledge (not verified) this should work for all Ubuntu versions from 8.04 and up!

Step 1. Installing SNMP (daemon and client tools)

Net-SNMP comes in two packages: snmpd, the agent daemon that answers queries on the monitored system, and snmp, the command-line client tools (snmpget, snmpwalk and friends) used to query it. To install both, log on to your server, open a terminal and enter the following on the command line:

sudo apt-get install snmp snmpd

Step 2. Make the daemon reachable from other hosts.

The default installation only listens on localhost (127.0.0.1). To make the agent reachable from other hosts, open the file /etc/default/snmpd in your favorite editor (I use "joe") with:

sudo joe /etc/default/snmpd

Modify the line starting with "SNMPDOPTS=" and remove the localhost or 127.0.0.1 address at the end of that line so that it reads:

SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid'

Without an address the agent listens on UDP port 161 on all interfaces, so any SNMPv1/v2c community configured in /etc/snmp/snmpd.conf becomes reachable from the network as well. Review those lines (and your firewall rules for UDP 161) before you do this.

Step 3. Define SNMPv3 users, authentication and encryption parameters.

SNMPv3 can be used in a number of ways depending on the "securityLevel" parameter:

  1. noAuthNoPriv - No authentication and no encryption; only the username is sent, so this is basically no security at all!
  2. authNoPriv - Requests are authenticated (an HMAC keyed with a key derived from the user's authentication passphrase), but the data sent over the network is not encrypted.
  3. authPriv - The strongest form. Requests are authenticated and the payload is encrypted with a key derived from the user's privacy passphrase.

The snmpd configuration settings are all saved in a file called /etc/snmp/snmpd.conf. Open this file in your editor as in:

sudo joe /etc/snmp/snmpd.conf

Add the following lines to the end of the file:

#
createUser user1
createUser user2 MD5 user2password
createUser user3 MD5 user3password DES user3encryption
#
rouser user1 noauth 1.3.6.1.2.1.1
rouser user2 auth 1.3.6.1.2.1
rwuser user3 priv 1.3.6.1.2.1

The createUser lines define the users and their authentication (MD5) and privacy (DES) passphrases. The rouser/rwuser lines grant read-only or read-write access, state the minimum security level the user must use, and restrict each user to a subtree: user1 may only read the system group (1.3.6.1.2.1.1), user2 may read the whole mib-2 tree (1.3.6.1.2.1), and user3 may read and write it.

PS. If you decide to use your own username/password combinations, be aware that the authentication and encryption passphrases must be at least 8 characters long, or snmpd will refuse to create the user. Two more points for anyone who cares about the "security" part: Net-SNMP also accepts SHA instead of MD5 and AES instead of DES, and both are preferable where your client supports them. Also, a createUser line in /etc/snmp/snmpd.conf leaves the passphrases there in plain text. The usual practice is to stop snmpd, put the createUser lines in the persistent file /var/lib/snmp/snmpd.conf instead, and start it again; once it has run, snmpd rewrites that file with usmUser entries holding only the keys localized to its engine ID, and the cleartext passphrases are gone. Keep that file unreadable by ordinary users.

Save your modified snmpd.conf file and restart the daemon with:

sudo /etc/init.d/snmpd restart
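What snmpd actually does with those passphrases, as an added example (this is not code from the page or from Net-SNMP): the RFC 3414 derivation of the localized USM keys, checked against the RFC's own appendix A.3 test vectors and then applied to the page's user3. The engine ID labelled ASSUMED_ENGINE_ID is a constructed value standing in for the Ubuntu box; a real agent's value is its SNMP-FRAMEWORK-MIB::snmpEngineID.0, which the client learns automatically during engine discovery.

```python
"""RFC 3414 USM key derivation (added example, not Net-SNMP's own code).

snmpd never keeps the passphrases from createUser as such: each passphrase is
turned into Ku (password-to-key, RFC 3414 A.2) and then into a key localized to
the agent's own snmpEngineID (Kul). The localized keys are what the agent stores
and what the HMAC and DES/AES operations actually use. The client performs the
same derivation, which is why snmpget has to learn the agent's engine ID before
it can authenticate anything.
"""
import hashlib

EXPAND_LEN = 1024 * 1024   # RFC 3414 A.2: exactly 1,048,576 octets of passphrase are hashed
MIN_PASSPHRASE = 8         # net-snmp rejects shorter passphrases when creating the user

AUTH_HASH = {"MD5": "md5", "SHA": "sha1"}   # the two auth protocols snmpd offered in 2010


def password_to_key(passphrase: str, auth_proto: str) -> bytes:
    """RFC 3414 A.2.1 (MD5) / A.2.2 (SHA): derive Ku from a passphrase."""
    pw = passphrase.encode()
    if len(pw) < MIN_PASSPHRASE:
        raise ValueError("passphrase must be at least 8 characters")
    reps, rem = divmod(EXPAND_LEN, len(pw))
    h = hashlib.new(AUTH_HASH[auth_proto])
    h.update(pw * reps + pw[:rem])       # passphrase repeated cyclically to 1 MiB
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, auth_proto: str) -> bytes:
    """RFC 3414 A.2: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(AUTH_HASH[auth_proto], ku + engine_id + ku).digest()


def usm_keys(auth_pw: str, priv_pw: str, engine_id: bytes,
             auth_proto: str = "MD5", priv_proto: str = "DES") -> dict:
    """Localized auth and priv keys (hex) as an agent with this engine ID derives them."""
    if priv_proto not in ("DES", "AES"):
        raise ValueError("unsupported priv protocol")
    auth_key = localize_key(password_to_key(auth_pw, auth_proto), engine_id, auth_proto)
    # The privacy passphrase goes through the *authentication* hash; DES (RFC 3414
    # 8.1.1.1: 8 octets of key + 8 octets of pre-IV) and AES-128 (RFC 3826) both
    # use the first 16 octets, which also truncates a 20-octet SHA result.
    priv_key = localize_key(password_to_key(priv_pw, auth_proto), engine_id, auth_proto)[:16]
    return {"auth": auth_key.hex(), "priv": priv_key.hex()}


# RFC 3414 appendix A.3 test vectors: passphrase "maplesyrup", engine ID 00..02.
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")
RFC3414_MD5_KU = "9faf3283884e92834ebc9847d8edd963"
RFC3414_MD5_KUL = "526f5eed9fcce26f8964c2930787d82b"
RFC3414_SHA_KU = "9fb5cc0381497b3793528939ff788d5d79145211"
RFC3414_SHA_KUL = "6695febc9288e36282235fc7151f128497b38f3f"

# Constructed engine ID standing in for the Ubuntu box (assumption, not from the page).
ASSUMED_ENGINE_ID = bytes.fromhex("80001f88803c9a0b1d4d5d0f4f00000000")


def rfc_vectors_match() -> bool:
    """Self-check of the implementation against the RFC 3414 A.3 vectors."""
    ku_md5 = password_to_key("maplesyrup", "MD5")
    ku_sha = password_to_key("maplesyrup", "SHA")
    return (ku_md5.hex() == RFC3414_MD5_KU
            and localize_key(ku_md5, RFC3414_ENGINE_ID, "MD5").hex() == RFC3414_MD5_KUL
            and ku_sha.hex() == RFC3414_SHA_KU
            and localize_key(ku_sha, RFC3414_ENGINE_ID, "SHA").hex() == RFC3414_SHA_KUL)


if __name__ == "__main__":
    print("RFC 3414 vectors:", "ok" if rfc_vectors_match() else "MISMATCH")
    # The page's user3, as an agent with the assumed engine ID would store it.
    print("user3 on assumed engine:", usm_keys("user3password", "user3encryption", ASSUMED_ENGINE_ID))
    # Another agent derives different keys from the same passphrases, so a localized
    # key lifted from one agent's persistent file only works against that agent.
    print("user3 on RFC engine:    ", usm_keys("user3password", "user3encryption", RFC3414_ENGINE_ID))
```

The last two lines of output are the practical point: the same user3 passphrases give different keys per engine ID, so what is worth protecting on the box (and what an attacker who reads /var/lib/snmp/snmpd.conf obtains) is the localized key for that one agent, while the passphrase itself is what a client needs to talk to every agent it was created on.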

Step 4. Testing the configuration with the installed Net-SNMP client "snmpget"

In step 1 we already installed the snmp client tools. In the examples below the first line is what I entered and the following lines are the responses. Let's begin testing with user1 by entering:

paul@Uranium:~$ snmpget -v 3 -u user1 -l NoauthNoPriv localhost 1.3.6.1.2.1.1.1.0
SNMPv2-MIB::sysDescr.0 = STRING: Linux Uranium 2.6.32-27-generic #49-Ubuntu SMP Thu Dec 2 00:51:09 UTC 2010 x86_64

Trying to access an OID outside the 1.3.6.1.2.1.1 subtree that user1 is allowed to see gives:

paul@Uranium:~$ snmpget -v 3 -u user1 -l NoauthNoPriv localhost 1.3.6.1.2.1.2.1.0
IF-MIB::ifNumber.0 = No Such Object available on this agent at this OID

The same request with user2, still without authentication, is refused because user2 was granted access at level auth only:

paul@Uranium:~$ snmpget -v 3 -u user2 -l NoauthNoPriv localhost 1.3.6.1.2.1.1.1.0
Error in packet
Reason: authorizationError (access denied to that object)

Of course we added user2 with authentication in mind, so let's use it:

paul@Uranium:~$ snmpget -v 3 -u user2 -l authNoPriv -a MD5 -A user2password localhost 1.3.6.1.2.1.1.1.0
SNMPv2-MIB::sysDescr.0 = STRING: Linux Uranium 2.6.32-27-generic #49-Ubuntu SMP Thu Dec 2 00:51:09 UTC 2010 x86_64

...and another test, now outside the system group, which user2's view does allow:

paul@Uranium:~$ snmpget -v 3 -u user2 -l authNoPriv -a MD5 -A user2password localhost 1.3.6.1.2.1.2.1.0
IF-MIB::ifNumber.0 = INTEGER: 4

Finally add some encryption, with user3 at level authPriv:

paul@Uranium:~$ snmpget -v 3 -u user3 -l authPriv -a MD5 -A user3password -x DES -X user3encryption localhost .1.3.6.1.2.1.1.1.0
SNMPv2-MIB::sysDescr.0 = STRING: Linux Uranium 2.6.32-27-generic #49-Ubuntu SMP Thu Dec 2 00:51:09 UTC 2010 x86_64

Step 5. Testing the configuration with my own components

The FineConnection components fully support all SNMPv3 security levels. Below is a screenshot of the demo program launching the FC_RTTable component for collecting the system table using SNMPv3 with authentication and encryption.

[Screenshot: Demo program and SNMPv3 in action]

And the FC_RTTable XML config file:

<?xml version="1.0"?>
<rttable>
<programtitle>System table</programtitle>
<charttitle>This is the device's system table</charttitle>
   <contpanvisible>true</contpanvisible>
   <preferredinstance></preferredinstance>
   <columnwidthtotextwidth>true</columnwidthtotextwidth>
   <left></left>
   <top></top>
   <width></width>
   <height></height>
   <host>192.168.3.253</host>
   <community>public</community>
   <snmpport>161</snmpport>
   <snmpversion>3</snmpversion>
   <username>user3</username>
   <authpw>user3password</authpw>
   <authprot>MD5</authprot>
   <encpw>user3encryption</encpw>
   <encalg>DES</encalg>
   <shooter>
      <shootertargettable>
         <shootertargetentry>
            <oid>1.3.6.1.2.1.1</oid>
            <instance></instance>
            <visible>true</visible>
            <formula></formula>
         </shootertargetentry>
      </shootertargettable>
   </shooter>
   <oidtable>
      <oidentry>
         <oid>1.3.6.1.2.1.1</oid>
         <oiddescr>system</oiddescr>
         <format></format>
      </oidentry>
   </oidtable>
</rttable>

Enjoy SNMPv3!
Paul van Bergen

© 2000-2012 FineConnection.