F.2. Configuring SNMPv3
Now we get to put the SNMPv3 concepts to use. We'll look at two examples: configuring a Cisco router and setting up the Net-SNMP tools on a system running Unix. The concepts are the same for both entities; the only difference is how you configure SNMPv3. Most of the work in administering SNMPv3 has to do with managing users and their passwords. It shouldn't be surprising that the table of users, passwords, and other authentication information is just another SNMP table, called usmUser. The table's full object ID is .iso.org.dod.internet.snmpV2.snmpModules.snmpUsmMIB.usmMIBObjects usmUser ; the numeric form is .1.3.6.1.6.3.15.1.2.F.2.1. Configuring SNMPv3 for a Cisco Router
Chapter 7, "Configuring SNMP Agents" describes how to configure SNMP on a Cisco router. This section assumes that you're already familiar with IOS and that we don't have to tell you the basics, such as how to log into the router and get to privileged mode. It also assumes that you've read Chapter 7, "Configuring SNMP Agents" and have configured basic SNMP on your router. The first task in configuring SNMPv3 is to define a view. To simplify things, we'll create a view that allows access to the entire internet subtree:This command creates a view called readview. If you want to limit the view to the system tree, for example, replace internet with system. The included keyword states that the specified tree should be included in the view; use excluded if you wanted to exclude a certain subtree. Next, create a group that uses the new view. The following command creates a group called readonly ; v3 means that SNMPv3 should be used. The auth keyword specifies that the entity should authenticate packets without encrypting them; read readview says that the view named readview should be used whenever members of the readonly group access the router.router(config)#snmp-server view readview internet included
Now let's create a user. The following command creates a user called kschmidt, who belongs to the readonly group. auth md5 specifies that the router should use MD5 to authenticate the user (the other possibility is sha). The final item on the command line is the user's password or passphrase, which may not exceed 64 characters.router(config)#snmp-server group readonly v3 auth read readview
This configuration uses encryption only to prevent passwords from being transferred in the clear. The SNMP packets themselves, which may contain information that you don't want available to the public, are sent without encryption and can therefore be read by anyone who has a packet sniffer and access to your network. If you want to go a step further and encrypt the packets themselves, use a command like this:router(config)#snmp-server user kschmidt readonly v3 auth md5 mysecretpass
The additional keywords on this command specify privacy (i.e., encryption for all SNMP packets), use of DES 56-bit encryption, and a passphrase to use when encrypting packets. The encrypted passwords and passphrases depend on the engine ID, so if the engine ID changes you'll need to delete any users you have defined (with the familiar IOS no command), and recreate them (with snmp-server user commands). Why would the engine ID change? It's possible to set the engine ID on the IOS command line. You shouldn't ever need to set the engine ID explicitly, but if you do, you'll have to delete and recreate your users. This has been the briefest of introductions to configuring SNMPv3 on a Cisco router. For more information see Cisco's documentation, which is available at http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t3/snmp3.htm.router(config)#snmp-server user kschmidt readonly v3 auth md5 mysecretpass \ priv des56 passphrase
F.2.2. Configuring SNMPv3 for Net-SNMP
Chapter 7, "Configuring SNMP Agents" describes basic configuration for Net-SNMP. In this section, we discuss how to configure Net-SNMP's Version 3 features. First, we will discuss how to configure SNMPv3 by editing the snmpd.conf [82] files. Note that you must install OpenSSL before editing the files if you want to use either DES or SHA. OpenSSL is available from http://www.openssl.org.[82]There are two snmpd.conf files in play here: the normal /usr/share/snmp/snmpd.conf file and the persistent /var/ucd-snmp/snmpd.conf file. The persistent file will be discussed momentarily.To create a user named kschmidt who has read-write access to the system subtree, add the following line to your snmpd.conf file:
To create a user with read-only access, use the command rouser instead of rwuser. The auth keyword requests secure authentication, but not privacy: the SNMP packets themselves aren't encrypted. The other possibilities are noauth (no authentication and no privacy) and priv (authentication and privacy). Now add the following line to /var/ucd-snmp/snmpd.conf:rwuser kschmidt auth system
This creates an MD5 password for the user kschmidt. The password assigned to kschmidt is mysecretpass. To create a user with a DES passphrase in addition to an MD5 password, add the following line to /var/ucd-snmp/snmpd.conf:createUser kschmidt MD5 mysecretpass
If you omit mypassphrase, Net-SNMP sets the DES passphrase to be the same as the MD5 password. The RFCs for SNMPv3 recommend that passwords and passphrases be at least eight characters long; Net-SNMP enforces this recommendation and won't accept shorter passwords. After making these changes, stop and restart the agent. When the agent is started, it reads the configuration file, computes secret keys for the users you have added, and deletes the createUser commands from the file. It then places the secret key in the configuration file. This behavior has a number of consequences. The secret key is based on the engine ID, which for Net-SNMP is based on the IP address. Therefore, you can't copy configuration files from one machine to another. Furthermore, if you change a machine's IP address, you will have to reconfigure Net-SNMP: stop the agent, edit /var/ucd-snmp/snmpd.conf, delete any entries Net-SNMP has added for your users, add createUser commands to recreate your users, and start the agent again. Now we can perform an snmpwalk using Version 3 authentication. The following command specifies Version 3, with the username kschmidt, requesting authentication without privacy using the MD5 algorithm. The password is mysecretpass:createUser kschmidt MD5 mysecretpass DES mypassphrase
Note that we see only objects from the system subtree, even though the command tries to walk the entire tree. This limitation occurs because we have given kschmidt access only to the system subtree. If kschmidt tries to query a subtree he is not allowed to access, he gets the following result:$ snmpwalk -v 3 -u kschmidt -l authNoPriv -a MD5 -A mysecretpass \ server.ora.com system.sysDescr.0 = Linux server 2.2.14-VA.2.1 #1 Mon Jul 31 21:58:22 PDT 2000 i686 system.sysObjectID.0 = OID: enterprises.ucdavis.ucdSnmpAgent.linux system.sysUpTime.0 = Timeticks: (1360) 0:00:13.60 system.sysContact.0 = "Ora Network Admin" system.sysName.0 = server system.sysLocation.0 = "Atlanta, Ga" system.sysServices.0 = 0 system.sysORLastChange.0 = Timeticks: (0) 0:00:00.00 system.sysORTable.sysOREntry.sysORID.1 = OID: ifMIB ... system.sysORTable.sysOREntry.sysORUpTime.9 = No more variables left in this MIB View
If you want privacy in addition to authentication, use a command like this:$ snmpwalk -v 3 -u kschmidt -l authNoPriv -a MD5 -A mysecretpass \ server.ora.com interfaces interfaces = No more variables left in this MIB View
Remember that to use DES privacy, you must install the OpenSSL library.$ snmpwalk -v 3 -u kschmidt -l authPriv -a MD5 -A mysecretpass -x DES -X \ mypassphrase server.ora.com
F.2.2.1. Using snmpusm to manage users
The Net-SNMP utility snmpusm is used to maintain SNMPv3 users. The following command creates the user kjs by cloning the kschmidt user:Since kjs was cloned from kschmidt, the two users now have the same authorization, password, and passphrase. It's obviously essential to change kjs 's password. To do so, use snmpusm with the -Ca option. Similarly, to change the privacy passphrase, use -Cx. The following two commands change the password and passphrase for the new user kjs:$ snmpusm -v 3 -u kschmidt -l authNoPriv -a MD5 -A mysecretpass localhost create \ kjs kschmidt
There are many things to note about this seemingly simple operation:$ snmpusm -v3 -l authNoPriv -u kjs -a MD5 -A mysecretpass localhost passwd \ -Co -Ca mysecretpass mynewpass $ snmpusm -v3 -l authPriv -u kjs -a MD5 -A mysecretpass localhost passwd \ -Co -Cx mypassphrase mynewphrase
- You must know both the password and passphrase for kschmidt to set up a new password and passphrase for kjs.
- According to the documentation, Net-SNMP allows you to clone any given user only once. It's not clear whether this means that you can create only one clone of a user or that once you have created a clone, you can't create a clone of that clone. In any case, this restriction doesn't appear to be enforced.
- snmpusm can only clone users; it can't create them from scratch. Therefore, you must create the initial user by hand, using the process described above. (This isn't quite true. snmpusm can create a user, but once you've done so you have to assign it a password by changing its previous password. So you're in a catch-22: the new user doesn't have a password, so you can't change its password.)
usmUser 1 3 0x800007e580e134af77b9d8023b 0x6b6a7300 0x6b6a7300 NULL .1.3.6.1.6.3.10.1.1.2 0xb84cc525635a155b6eb5fbe0e3597873 .1.3.6.1.6.3.10.1.2.2 0x1cfd8d3cadd95abce8efff7962002e24 ""
F.2.2.2. Simplifying commands by setting defaults
At this point you may be wondering why anyone would use SNMPv3, because the commands are so painfully long and complex that it's practically impossible to type them correctly. Fortunately, there's a way around this problem. Net-SNMP allows you to set configuration variables that the commands pick up when they execute. Create a directory in your home directory called .snmp, then edit the snmp.conf file. Add entries that look like this:The fields in this file are:defSecurityName kschmidt defAuthType MD5 defSecurityLevel authPriv defAuthPassphrase mysecretpass defPrivType DES defPrivPassphrase mypassphrase defVersion 3
- defSecurityName
- The SNMPv3 username.
- defSecurityLevel
- The security level for the user. Valid levels are noAuthNoPriv, authNoPriv, and authPriv.
- defPrivPassphrase
- Your privacy passphrase; not needed if the security level is noAuthNoPriv or authNoPriv. Must be at least eight characters long.
- defVersion
- The SNMP version to use (in this case, SNMPv3).
becomes:$ snmpwalk -v3 -u kschmidt -l authPriv -a MD5 -A mysecretpass -x DES -X \ mypassphrase localhost
These defaults apply to all Net-SNMP commands, including snmpusm.$ snmpwalk localhost
F.2.2.3. Sending SNMPv3 traps with Net-SNMP
Sending an SNMPv3 trap with Net-SNMP is easy.[83] Simply run snmptrap with the normal SNMPv2 trap options combined with SNMPv3 options. For example:[83]SNMPv3 traps are simply SNMPv2 traps with added authentication and privacy capabilities.
Setting the appropriate configuration options in ~/.snmp/snmp.conf greatly reduces the complexity of the command:$ snmptrap -v3 -l authPriv -u kjs -a MD5 -A mysecretpass -x DES -X mypassphrase \ localhost '' .1.3.6.1.6.3.1.1.5.3 ifIndex i 2 ifAdminStatus i 1 ifOperStatus i 1
$ snmptrap localhost '' .1.3.6.1.6.3.1.1.5.3 ifIndex i 2 ifAdminStatus i 1 \ ifOperStatus i 1
 |  |  |
| F. SNMPv3 |  | F.3. Final Words on SNMPv3 |
Copyright © 2002 O'Reilly & Associates. All rights reserved.