
SNMPv3 with stronger protocols #2673

Closed
KoMa1978 opened this issue Mar 11, 2024 · 2 comments
Labels
💡 enhancement-ideas New feature or change request

Comments

@KoMa1978

Describe the solution you'd like

SNMPv3 implementation should also support AES192/AES256 for privacy protocols and SHA224/SHA256/SHA384/SHA512 for authentication protocols. And it should be configurable via WebUI.

It would also be great if SNMP Location and Contact can be configured via WebUI

Describe alternatives you've considered

N/A

Is your feature request related to a problem?

NO

Additional information

According to http://www.net-snmp.org/wiki/index.php/Strong_Authentication_or_Encryption this functionality is supported since v5.8 and RaspMatic is using 5.9.3.

Using net-snmp-create-v3-user already gives options for the SHA algorithms, only AES192/AES256 is missing.

Maybe this one helps (it seems --enable-blumenthal-aes needs to be used for compiling):
https://sourceforge.net/p/net-snmp/mailman/message/36289830/

@KoMa1978 KoMa1978 added the 💡 enhancement-ideas New feature or change request label Mar 11, 2024
@jens-maus jens-maus added this to the next release milestone Mar 11, 2024
@KoMa1978
Author

Hi @jens-maus ,

I just tested it and in general it works! Thanks a lot!

But ;-)

1.)
Can you think about adding configuration options (simple drop downs) to the WebUI to select Auth and Priv Protocol?

2.)
With the default files it is sometimes/somehow not working "out of the box":

vi /etc/config/snmp/snmpd-ccu3.conf:

#
# net-snmp (or ucd-snmp) persistent data file.
#
############################################################################
# STOP STOP STOP STOP STOP STOP STOP STOP STOP
#
#          **** DO NOT EDIT THIS FILE ****
#
# STOP STOP STOP STOP STOP STOP STOP STOP STOP
############################################################################
#
# DO NOT STORE CONFIGURATION ENTRIES HERE.
# Please save normal configuration tokens for snmpd in SNMPCONFPATH/snmpd.conf.
# Only "createUser" tokens should be placed here by snmpd administrators.
# (Did I mention: do not edit this file?)
#

createUser -e 0x80001f88801496a6130a2c1e5e testmon SHA-512 TESTMON1234 AES256 TESTMON1234

usmUser 1 3 0x80001f88801496a6130a2c1e5e "operator" "operator" NULL .1.3.6.1.6.3.10.1.1.3 0x2bxxxxxx .1.3.6.1.6.3.10.1.2.4 0x2bxxxx ""
engineBoots 1
oldEngineID 0x80001f88801496a6130a2c1e5e
rouser operator
rwuser testmon

This sometimes results in a missing oldEngineID directive in /var/lib/snmp/snmpd.conf.
(I added the rwuser directive only for testing!) Therefore I suggest changing the command order in the above file (that helped in my case):

#
# net-snmp (or ucd-snmp) persistent data file.
#
############################################################################
# STOP STOP STOP STOP STOP STOP STOP STOP STOP
#
#          **** DO NOT EDIT THIS FILE ****
#
# STOP STOP STOP STOP STOP STOP STOP STOP STOP
############################################################################
#
# DO NOT STORE CONFIGURATION ENTRIES HERE.
# Please save normal configuration tokens for snmpd in SNMPCONFPATH/snmpd.conf.
# Only "createUser" tokens should be placed here by snmpd administrators.
# (Did I mention: do not edit this file?)
#
engineBoots 1
oldEngineID 0x80001f88801496a6130a2c1e5e

createUser -e 0x80001f88801496a6130a2c1e5e testmon SHA-512 TESTMON1234 AES256 TESTMON1234
usmUser 1 3 0x80001f88801496a6130a2c1e5e "operator" "operator" NULL .1.3.6.1.6.3.10.1.1.3 0x2bxxxxxx .1.3.6.1.6.3.10.1.2.4 0x2bxxxx ""

rouser operator
rwuser testmon

And for documentation, here are the protocol names (from createUser) with corresponding OIDs (for usmUser):
AES - .1.3.6.1.6.3.10.1.2.4 (the old one used in RaspberryMatic)
AES128 - .1.3.6.1.4.1.14832.1.2
AES192 - .1.3.6.1.4.1.14832.1.3
AES256 - .1.3.6.1.4.1.14832.1.4

SHA - .1.3.6.1.6.3.10.1.1.3 (the old one used in RaspberryMatic)
SHA-224 - .1.3.6.1.6.3.10.1.1.4
SHA-256 - .1.3.6.1.6.3.10.1.1.5
SHA-384 - .1.3.6.1.6.3.10.1.1.6
SHA-512 - .1.3.6.1.6.3.10.1.1.7

References:
https://oidref.com/1.3.6.1.6.3.10.1.1
https://oidref.com/1.3.6.1.6.3.10.1.2
https://oidref.com/1.3.6.1.4.1.14832.1

Thanks a lot,
Marco
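The comment above lists the createUser protocol names next to the OIDs that end up in the usmUser lines, and recommends placing oldEngineID before createUser. The script below is an added example for this thread, not code from the RaspberryMatic project or from net-snmp: it parses both directive forms from a file in the format shown above, reports which auth/priv protocol each SNMPv3 user actually has, flags MD5/DES as weak and SHA-1/AES-128 as legacy, and checks the directive order. The RFC 3414 / RFC 7860 OIDs for the standard arc are added from the MIBs; the 14832 AES OIDs follow the list in the comment. The sample config, its engine ID and its keys are constructed placeholders, and the createUser parser assumes the passphrase form only (not the -m/-l localized-key options).

```python
"""Audit SNMPv3 users in a net-snmp persistent config for weak protocols.

Added example for this thread, not RaspberryMatic or net-snmp code. Parses
createUser and usmUser lines in the format shown above and reports each
user's auth/priv protocol, flagging MD5/DES (weak) and SHA-1/AES-128 (legacy,
the ones the issue asks to go beyond).
"""
import shlex

# Auth protocol OIDs: SNMP-USER-BASED-SM-MIB (RFC 3414) plus the RFC 7860 SHA-2 entries.
AUTH_OIDS = {
    ".1.3.6.1.6.3.10.1.1.1": "NoAuth",
    ".1.3.6.1.6.3.10.1.1.2": "MD5",
    ".1.3.6.1.6.3.10.1.1.3": "SHA",
    ".1.3.6.1.6.3.10.1.1.4": "SHA-224",
    ".1.3.6.1.6.3.10.1.1.5": "SHA-256",
    ".1.3.6.1.6.3.10.1.1.6": "SHA-384",
    ".1.3.6.1.6.3.10.1.1.7": "SHA-512",
}
# Priv protocol OIDs: RFC 3414 arc plus the 14832 AES arc as listed in the comment above.
PRIV_OIDS = {
    ".1.3.6.1.6.3.10.1.2.1": "NoPriv",
    ".1.3.6.1.6.3.10.1.2.2": "DES",
    ".1.3.6.1.6.3.10.1.2.4": "AES",
    ".1.3.6.1.4.1.14832.1.2": "AES128",
    ".1.3.6.1.4.1.14832.1.3": "AES192",
    ".1.3.6.1.4.1.14832.1.4": "AES256",
}
WEAK_AUTH, WEAK_PRIV = {"NoAuth", "MD5"}, {"NoPriv", "DES"}
LEGACY = {"SHA", "AES", "AES128"}  # still accepted, but the issue asks for stronger options


def normalize(name):
    """Map createUser spellings (sha512, SHA512, aes-256) onto the names in the OID tables."""
    n = name.upper().replace("-", "")
    if n.startswith("SHA") and len(n) > 3:
        return "SHA-" + n[3:]
    return n


def parse_create_users(text):
    """createUser [-e ENGINEID] user AUTHPROTO authpass [PRIVPROTO privpass]."""
    users = {}
    for line in text.splitlines():
        f = shlex.split(line, comments=True)
        if not f or f[0] != "createUser":
            continue
        f = f[1:]
        engine = None
        if f[:1] == ["-e"]:
            engine, f = f[1], f[2:]
        # Assumption: passphrase form only; the -m/-l localized-key forms are not handled.
        auth = normalize(f[1]) if len(f) >= 3 else "NoAuth"
        priv = normalize(f[3]) if len(f) >= 5 else "NoPriv"
        users[f[0]] = {"engine": engine, "auth": auth, "priv": priv}
    return users


def parse_usm_users(text):
    """usmUser 1 3 engineID "name" "secname" cloneFrom authOID authKey privOID privKey public."""
    users = {}
    for line in text.splitlines():
        f = shlex.split(line, comments=True)
        if not f or f[0] != "usmUser":
            continue
        if len(f) < 11:
            raise ValueError(f"malformed usmUser line: {line!r}")
        users[f[4]] = {
            "engine": f[3],
            "auth": AUTH_OIDS.get(f[7], "unknown:" + f[7]),
            "priv": PRIV_OIDS.get(f[9], "unknown:" + f[9]),
        }
    return users


def audit(text):
    """Return {user: {engine, auth, priv, issues}} for every user in both directive forms."""
    report = {}
    for name, u in {**parse_create_users(text), **parse_usm_users(text)}.items():
        issues = []
        for kind, proto, weak in (("auth", u["auth"], WEAK_AUTH), ("priv", u["priv"], WEAK_PRIV)):
            if proto in weak:
                issues.append(f"weak {kind}: {proto}")
            elif proto in LEGACY:
                issues.append(f"legacy {kind}: {proto}")
        report[name] = dict(u, issues=issues)
    return report


def old_engine_id_before_create_user(text):
    """True when oldEngineID precedes the first createUser line (the order recommended above)."""
    first = {}
    for i, line in enumerate(text.splitlines()):
        key = line.strip().split(" ", 1)[0]
        if key in ("oldEngineID", "createUser"):
            first.setdefault(key, i)
    return "oldEngineID" in first and first["oldEngineID"] < first.get("createUser", float("inf"))


# Constructed sample in the format of /etc/config/snmp/snmpd-ccu3.conf; the engine ID,
# keys and passphrase are placeholders, not real credentials.
SAMPLE = """\
createUser -e 0x80001f880000000000000000 testmon SHA-512 EXAMPLE-PASS AES256 EXAMPLE-PASS
usmUser 1 3 0x80001f880000000000000000 "operator" "operator" NULL .1.3.6.1.6.3.10.1.1.3 0x2bxxxxxx .1.3.6.1.6.3.10.1.2.4 0x2bxxxx ""
usmUser 1 3 0x80001f880000000000000000 "legacy" "legacy" NULL .1.3.6.1.6.3.10.1.1.2 0x2bxxxxxx .1.3.6.1.6.3.10.1.2.2 0x2bxxxx ""
engineBoots 1
oldEngineID 0x80001f880000000000000000
rouser operator
rwuser testmon
"""

if __name__ == "__main__":
    for user, info in audit(SAMPLE).items():
        print(f"{user:10} auth={info['auth']:8} priv={info['priv']:7} {'; '.join(info['issues']) or 'ok'}")
    print("oldEngineID before createUser:", old_engine_id_before_create_user(SAMPLE))
```

Run it against a copy of the persistent file (never edit the live one while snmpd is running, as the header says) to see at a glance which users are still on SHA-1/AES-128 after the upgrade and whether the directive order matches the one suggested above.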

@jens-maus
Owner

> I just tested it and in general it works! Thanks a lot!
>
> But ;-)

Sorry, wrong place for discussions here. Please ask in the discussion part of the repository and not in the old and already closed ticket/issue.
