Wednesday, August 27, 2008

First time SNMPv3 ... ProCurve Switch 2650 as example

I'm fairly new to network stuff and thus network management, so snmp too ... is fairly new to me, not to mention snmpv3 :) ...

After some digging around and efforts to understand what snmp is ... it turns out that snmp (v2) was simply a list of variables that can be read by supplying a password (that password is called public community name), and also read and write by supplying a password too (this one is called private community name) ...

It was clear that snmp version 1 and 2 had serious security issues. so when i found this HP ProCurve Switch 2650 that supports snmpv3, i decided to play around with it!

The game was not as straightforward as i thought! it was not only security enhancements that snmpv3 introduced, but rather a more complex and robust authorization and permissions system.

So, let's start with describing the hands-on with this switch: i telnet to the switch, i enter it without a password, i switch to enabled mode and i set the password for operator and manager (enabled).

Now, i enabled SNMPv3 by doing :

ProCurve Switch 2650(config)# snmpv3 enable

and the switch created a user called "initial" and used authentication protocol MD5 and asked for authentication password. it set the privacy protocol to DES and asked for privacy password (i'll talk a little more about those in a minute). afterwards i was asked if i want to create a user with SHA authentication protocol, i chose not to.

Now from the Linux shell, i used snmpwalk to test my settings, following snmp v2 syntax, i tried:

snmpwalk -v 3 -c MyCommunityName 192.168.254.1 sysUptime

and i got:

snmpwalk: No securityName specified (Sub-id not found: (top) -> sysUptime)

So fiddling a little more around, i would need to supply the user name (securityName), i found that in the snmpcmd manual pages, so what i tried next was this:

snmpwalk -v 3 -u initial -c MyCommunityName 192.168.254.1 sysUptime

and i got:

Error in packet.
Reason: authorizationError (access denied to that object)
Failed object: SNMPv2-MIB::sysUpTime


So the authorization is the problem, looking for password to send got me to the -A option, also from the snmpcmd man pages, which is used to pass the authPassword, and the man page says it's insecure to specify pass phrase on the command line, but i'll leave it for now, so i try:

snmpwalk -v 3 -u initial -A password123 -c MyCommunityName 192.168.254.1 sysUptime

but i still got the error:
Error in packet.
Reason: authorizationError (access denied to that object)
Failed object: SNMPv2-MIB::sysUpTime


Now i was a little frustrated, this looked as enough to get things to work! and i couldn't see why it wasn't! so fiddling more around and googling for examples of snmpwalk -v 3 syntax i got one that got things going! and here it is:
snmpwalk -v 3 -u initial -A password123 -l AuthNoPriv -c MyCommunityName 192.168.254.1 sysUptime

So what is the story with this -l AuthNoPriv ? again, the man pages came to the rescue, according to the man pages:
-l secLevel
Set the securityLevel used for SNMPv3 messages (noAuthNoPriv|authNoPriv|authPriv). Appropriate pass
phrase(s) must provided when using any level higher than noAuthNoPriv. Overrides the defSecurityLevel
token in the snmp.conf file.


So it seems that this option tells the snmpv3 server that we are using the Auth password but not the privacy pass phrase, which reminds me of the 2 passwords i was asked for when creating the user "initial"! although i didn't understand why snmpwalk didn't guess that this is what i wanted by passing the authPass using the -A option :S. anyway, i was happy things worked for me ... for now!

So apparently, the default security level would be (since i don't have snmp.conf file) (according to snmp.conf man page) noAuthNoPriv! which made me try and do the following:

snmpwalk -v 3 -u initial -A password123 -l AuthPriv -c MyCommunityName 192.168.254.1 sysUptime

and i got the error:
snmpwalk: USM generic error (Sub-id not found: (top) -> sysUptime)

The error was not really meaningful to me, but logically i had to supply the privacy pass phrase, again man snmpcmd came to the rescue, and the option to supply the privacy pass phrase is -X, so now i try to do :

snmpwalk -v 3 -u initial -X password321 -A password123 -c MyCommunityName -l AuthPriv 192.168.254.1 sysUptime

And voilà! it works :) And voilà! i think i have a very good post about snmpv3 ! frankly i had a hard time finding quick info about the errors i got in google, so if this info helped you, and you feel thankful, i would be thankful to you if you google a little about palestine, about the separation wall and the injustice it's causing !

Oh! the private pass phrase is apparently used to secure communication, so it's a good idea to use it !
That was it for today, and i think i'll go crash into my pillow :) and apologies for the politics.
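
An added example, not part of the original post: the snmpcmd man page mentioned above warns against pass phrases on the command line, so this sketch writes them to a private snmp.conf using the net-snmp default tokens and checks that the file carries what the chosen securityLevel requires. The user, pass phrases and MD5/DES types are the post's own sample values; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: SNMPv3 defaults in a private snmp.conf instead of -A/-X on argv.
# Function names are hypothetical; user, pass phrases and MD5/DES are the
# sample values used in the post.

# write_snmp_conf DIR LEVEL [AUTHPASS] [PRIVPASS]  (overwrites DIR/snmp.conf)
write_snmp_conf() {
    dir=$1 level=$2 authpass=$3 privpass=$4
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    (
        umask 077    # a newly created snmp.conf is readable by its owner only
        {
            echo "defVersion 3"
            echo "defSecurityName initial"
            echo "defSecurityLevel $level"
            if [ -n "$authpass" ]; then
                echo "defAuthType MD5"
                echo "defAuthPassphrase $authpass"
            fi
            if [ -n "$privpass" ]; then
                echo "defPrivType DES"
                echo "defPrivPassphrase $privpass"
            fi
        } > "$dir/snmp.conf"
    )
}

# has_token FILE TOKEN: true if FILE sets TOKEN
has_token() { grep -q "^$2[[:space:]]" "$1"; }

# check_snmp_conf FILE: prints "ok" or the pass phrase the level still needs
check_snmp_conf() {
    level=$(awk '$1 == "defSecurityLevel" { print tolower($2) }' "$1")
    case $level in
        noauthnopriv) echo ok ;;
        authnopriv|authpriv)
            if ! has_token "$1" defAuthPassphrase; then
                echo "missing auth pass phrase"
            elif [ "$level" = authpriv ] && ! has_token "$1" defPrivPassphrase; then
                echo "missing privacy pass phrase"
            else
                echo ok
            fi ;;
        *) echo "unknown security level: ${level:-unset}" ;;
    esac
}

# Usage:
#   write_snmp_conf "$HOME/.snmp" authPriv password123 password321
#   check_snmp_conf "$HOME/.snmp/snmp.conf"; snmpwalk 192.168.254.1 sysUpTime
```

With the defaults in ~/.snmp/snmp.conf, snmpwalk needs only the agent address and the OID, and the pass phrases no longer show up in the process list or shell history.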

Tuesday, August 12, 2008

Windows for Linux Administrators I

I've never been a fan of M$ Windows, but lately i'm forced to deal with Windows, so since i'm having a lot of trouble doing even simple things, i've decided to write a few notes i've learned that would help those who are familiar with linux to administrate windows machines, but you should also know that i'm not an expert in either system, and any information provided here is my own interpretation of similarities between these two systems.

First, let's put a list of commands and their equivalents that i learned recently, i won't be talking about "dir" and "rem".

Starting with the ugly "cmd" of windows, we can see that we can use the command "set" to display environment variables, which is the same as what we have in Linux! nice! that's a good starting point. and an interesting example of how things might be a little different, let's try to print the current directory, in linux we would simply type pwd, in windows, you'll do "echo %CD%", where %CD% is an environment variable that holds the "Current Directory".

Variables in windows are put between percentage signs, %VARNAME%, and are not case sensitive.

Now the first thing i wanted to do was listing users i have and gather info about them, but in my case, the machine i have access to, via rdesktop, is an Active Directory server, which i hope to be able to switch to SAMBA 4 when the latter is ready ... so ... how do we do that in active directory?

the command to do so is called dsquery, it stands for "Directory Service Query" and is one tool from the "Directory Service" tools suite that comes with windows 2003, i don't know about older versions.

Now i'll try to see how it works, so i look at :
dsquery /? | more


Looks unixish ... heh :), reading a little there i managed to list users (first 100) using the command:
dsquery user


and then i filtered out myself using the command find! an interesting tool that provides similar functionality to some unix tools. let's suppose my name was "Edward Saeed", i do :
dsquery user| find "Edward Saeed"


but note that you have to use the quotes, and the string IS case sensitive ... inconsistency ... i believe ... but i could use /I to make it case insensitive!

So now we know that find "something" is similar to the "grep" command in unix!

reading find /? shows that find can also count lines! so find /C "something" is equivalent to "grep "something" | wc -l" . that's good to hear ... who can live without grep and wc :)

That's it for today :), i'll be packing and hitting the road.

Maybe next time i'll be trying to rewrite a few bash scripts in this windowish fashion.

;)

Saturday, August 2, 2008

all printable ASCII characters in one c++ like string

Today i was looking for a string with all printable ASCII characters for usage in some C++ code, i could not find one quickly on google, so i thought i'll post it here :) I will probably need it sometime in the future ... here it goes :)

// Printable ASCII characters 0x21-0x7E (space, 0x20, is not included)
char fullset[]="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~";