Wednesday, August 27, 2008

First time SNMPv3 ... ProCurve Switch 2650 as example

I'm fairly new to networking and thus to network management, so SNMP is fairly new to me too, not to mention SNMPv3 :) ...

After some digging around and trying to understand what SNMP is, it turns out that SNMP (v2) is simply a list of variables that can be read by supplying a password (a community string, conventionally named "public" for read-only access) and also read and written by supplying another password (conventionally named "private" for read-write access) ...

It was clear that SNMP versions 1 and 2 had serious security issues (the community string is the only protection, and it travels in clear text). So when I found this HP ProCurve Switch 2650 that supports SNMPv3, I decided to play around with it!

The game was not as straightforward as I thought! SNMPv3 introduced not only security enhancements but a more complex and robust authentication, authorization and permissions model.

So, let's start with the hands-on part with this switch: I telnet to the switch, enter it without a password, switch to enabled mode and set the passwords for operator and manager (enabled).

Now, I enabled SNMPv3 by doing:

ProCurve Switch 2650(config)# snmpv3 enable

The switch created a user called "initial", used MD5 as the authentication protocol and asked for an authentication password. It set the privacy protocol to DES and asked for a privacy password (I'll talk a little more about those in a minute). Afterwards I was asked whether I wanted to create a user with the SHA authentication protocol; I chose not to.

Now, from the Linux shell, I used snmpwalk to test my settings. Following the SNMP v2 syntax, I tried:

snmpwalk -v 3 -c MyCommunityName 192.168.254.1 sysUptime

and I got:

snmpwalk: No securityName specified (Sub-id not found: (top) -> sysUptime)

So, fiddling around a little more, I found in the snmpcmd manual page that I would need to supply the user name (securityName), so the next thing I tried was this:

snmpwalk -v 3 -u initial -c MyCommunityName 192.168.254.1 sysUptime

and I got:

Error in packet.
Reason: authorizationError (access denied to that object)
Failed object: SNMPv2-MIB::sysUpTime


So the authorization was the problem. Looking for a way to send the password got me to the -A option, also from the snmpcmd man page, which passes the authentication pass phrase (the man page says it is insecure to specify a pass phrase on the command line, but I'll leave that for now), so I tried:

snmpwalk -v 3 -u initial -A password123 -c MyCommunityName 192.168.254.1 sysUptime

but I still got the error:
Error in packet.
Reason: authorizationError (access denied to that object)
Failed object: SNMPv2-MIB::sysUpTime


Now I was a little frustrated; this looked like enough to get things working, and I couldn't see why it wasn't! So after fiddling around some more and googling for examples of snmpwalk -v 3 syntax, I found one that got things going, and here it is:
snmpwalk -v 3 -u initial -A password123 -l AuthNoPriv -c MyCommunityName 192.168.254.1 sysUptime

So what is the story with this -l AuthNoPriv? Again, the man page came to the rescue. According to it:
-l secLevel
Set the securityLevel used for SNMPv3 messages (noAuthNoPriv|authNoPriv|authPriv). Appropriate pass
phrase(s) must be provided when using any level higher than noAuthNoPriv. Overrides the defSecurityLevel
token in the snmp.conf file.


So this option tells the SNMPv3 agent (the switch) that we are using the authentication pass phrase but not the privacy pass phrase, which reminds me of the two passwords I was asked for when creating the user "initial"! I still didn't understand why snmpwalk didn't infer that this was what I wanted when I passed the authentication pass phrase with the -A option :S. Anyway, I was happy things worked for me ... for now!

So apparently the default security level (since I don't have an snmp.conf file, according to the snmp.conf man page) is noAuthNoPriv, which explains why -A alone was not enough. That made me try the following:

snmpwalk -v 3 -u initial -A password123 -l AuthPriv -c MyCommunityName 192.168.254.1 sysUptime

and I got the error:
snmpwalk: USM generic error (Sub-id not found: (top) -> sysUptime)

The error was not really meaningful to me, but logically I had to supply the privacy pass phrase. Again man snmpcmd came to the rescue: the option to supply the privacy pass phrase is -X, so now I try:

snmpwalk -v 3 -u initial -X password321 -A password123 -c MyCommunityName -l AuthPriv 192.168.254.1 sysUptime

And voilà! It works :) And voilà! I think I have a very good post about SNMPv3! Frankly, I had a hard time finding quick info about the errors I got on Google, so if this info helped you and you feel thankful, I would be thankful if you google a little about Palestine, about the separation wall and the injustice it is causing!

Oh! The privacy pass phrase is used to encrypt the SNMP traffic, so it is a good idea to use it!
That was it for today; I think I'll go crash into my pillow :) Apologies for the politics.
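As an added example (not code from the original post), here is a small POSIX shell helper that builds the snmpwalk options for each security level and refuses to run when the pass phrase that level needs is missing, which maps onto the three errors above; a second helper writes the same settings into a snmp.conf so the pass phrases stay off the command line, as snmpcmd warns. The helper names snmpv3_args and write_snmp_conf are this example's own; MD5/DES match what the switch gave the "initial" user, and the -c community string is left out because it belongs to SNMP v1/v2c.

```shell
#!/bin/sh
# Added example, not code from the original post. Helper names are assumptions.

# snmpv3_args LEVEL SECURITYNAME [AUTHPASS] [PRIVPASS]
# Prints the snmpwalk options for LEVEL, or returns 1 with the reason on stderr.
# Auth/priv protocols default to the MD5/DES of the "initial" user; override
# with SNMP_AUTHPROTO=SHA or SNMP_PRIVPROTO=AES as the comments below mention.
snmpv3_args() {
    level=$1 user=$2 authpass=$3 privpass=$4
    auth=${SNMP_AUTHPROTO:-MD5} priv=${SNMP_PRIVPROTO:-DES}
    # Without -u, snmpwalk stops with "No securityName specified".
    [ -n "$user" ] || { echo "need -u securityName" >&2; return 1; }
    case "$level" in
        noAuthNoPriv)
            # The net-snmp default when no snmp.conf sets defSecurityLevel; a
            # user that requires authentication gets authorizationError here.
            echo "-v 3 -l noAuthNoPriv -u $user" ;;
        authNoPriv)
            [ -n "$authpass" ] || { echo "authNoPriv needs -A" >&2; return 1; }
            echo "-v 3 -l authNoPriv -u $user -a $auth -A $authpass" ;;
        authPriv)
            # Missing -X at this level is what produced "USM generic error".
            [ -n "$authpass" ] || { echo "authPriv needs -A" >&2; return 1; }
            [ -n "$privpass" ] || { echo "authPriv needs -X" >&2; return 1; }
            echo "-v 3 -l authPriv -u $user -a $auth -A $authpass -x $priv -X $privpass" ;;
        *)
            echo "unknown securityLevel: $level" >&2; return 1 ;;
    esac
}

# write_snmp_conf FILE SECURITYNAME AUTHPASS PRIVPASS
# Same settings as snmp.conf tokens, created mode 0600, so "snmpwalk HOST sysUpTime"
# needs no pass phrases on the command line (none show up in ps or shell history).
write_snmp_conf() {
    conf=$1
    (umask 077; cat > "$conf" <<EOF
defVersion 3
defSecurityName $2
defSecurityLevel authPriv
defAuthType ${SNMP_AUTHPROTO:-MD5}
defAuthPassphrase $3
defPrivType ${SNMP_PRIVPROTO:-DES}
defPrivPassphrase $4
EOF
    )
}

# Example run against the post's switch (constructed values from the post):
# snmpwalk $(snmpv3_args authPriv initial password123 password321) 192.168.254.1 sysUpTime
```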

8 comments:

Matt said...

SNMP is a pain in the ass to set up ... very poorly documented in the community, and v3 is a giant pain in the ass. It's all touch and go ... thanks for the post, didn't see the -X option in the snmp commands (though my setup still doesn't work fully) :p

Matt said...

Another minor thing to mention ... the -x option. AES is a gov't standard for encryption, so I thought I'd use that. Well, SNMPv3 automagically defaults to the weaker DES algorithm for encryption if you don't specify it with a -x.

So my final command ended up being:
"[user@host~]$ snmpwalk -X[passphrase] -xAES -lAuthPriv -v3 -u[username] -A[passphrase] -aSHA [hostname]"

Ugly but I finally got a response back. :D

I'll be publishing my findings on my own blog here when I get a chance.

Jئـl;;;ïoJl said...

Thanks for your comments! I appreciate you mentioning the -x option! And I can't agree more, SNMP is a pain in the ass!

Unknown said...

Thanx a lot for this article.

Anonymous said...

SNMPv3 is so simple, it's great :)

dgamez said...

Excellent! Worked for me too.

Dampi said...

Thanks very much for this HowTo! I experienced the same problems as you did. Unfortunately I did not get it working at the end of your tutorial.

Eventually I figured it out: my HP ProCurve 2910al switches additionally demand the option -n ""

So the final command is:

snmpwalk -v 3 -n "" -u testuser -x aes -X 123456789 -a SHA -A abcdefghi -l AuthPriv 10.0.123.123 SysUptime

Thanks again!
Damian

Anonymous said...

This helped me. Thanks.