I should thank Charles for some of his SNMP posts, they prod me to do more with the subject.
His latest one is, again, solid, and you should read it; it can make enabling and configuring SNMP much easier.
However, he leaves off configuring SNMPv3, which is a shame, because it's a much more secure way to use SNMP (each request is authenticated and encrypted, instead of gated by a community string sent in the clear), and understandable, because it's a bit TOO obscure at times. It is actually a pretty easy setup, although you have to run it on the target machine. The configuration itself can be one line:
sudo net-snmp-config --create-snmpv3-user -a authpass -x privpass -X DES|AES -A MD5|SHA username
where:
- authpass is the authentication passphrase (net-snmp refuses anything shorter than 8 characters)
- privpass is the encryption passphrase (same 8-character minimum)
- -X picks the encryption mechanism, DES or AES
- -A picks the auth mechanism, MD5 or SHA
- username is the SNMPv3 user being created
Check net-snmp-config --help on the target before you script this: later net-snmp releases (and the standalone net-snmp-create-v3-user script) use the uppercase flags for the passphrases and the lowercase ones for the algorithms, i.e. -A authpass -a MD5|SHA -X privpass -x DES|AES, to match snmpget and snmpusm.
A caveat: SNMP implementations tend to be written once and then ignored. So if all your devices only support MD5 and you want to use SHA, well, you may be more secure, but you won't be able to talk SNMPv3 to that device. Sometimes you have to use the less secure, better-supported option. (Then, of course, make sure your vendor knows why this is a bad thing.)
Now, implementing this as a script is easy, but insecure, as you're embedding passphrases in the script, and anything passed on the command line is also visible in ps output and shell history while it runs. There is an interactive option: leave the passphrases out of the command and it prompts for them. You can still specify the auth and encryption mechanisms. You give up automated setup that way, but I leave it to readers to decide what is "right" for them.
What I recommend doing is first pushing out the snmpd.conf file, then configuring SNMPv3, because the command appends an rwuser line for the new user to snmpd.conf (push the file afterwards and you overwrite that line) and a createUser line, passphrases and all, to snmpd's persistent config. Also, snmpd can't be running when you configure SNMPv3, or the command will fail. When snmpd next starts it reads the createUser line, stores localized keys in its persistent data, and removes the cleartext entry, so check that the passphrases are gone from that file after the first start.
Finally, in recent versions of the Mac OS, there's also a /etc/snmp/ directory that snmpd can use for config files. I still go with the traditional /usr/share/snmp location myself, for better cross-platform compliance, but, if you're only on (Mac) OS X, you can use /etc/snmp instead.
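To tie those steps together, here is an added example of my own, not code from the original post or from the net-snmp project, that does by hand what the one-liner does: it writes the createUser line (for the persistent snmpd.conf) and the access line (for the main snmpd.conf), refuses to run while snmpd is up, and takes the passphrases from environment variables so they never appear in argv. Assumptions that go beyond the post: the config file paths are arguments rather than fixed (net-snmp-config --persistent-directory reports where the persistent file lives), the user defaults to rouser instead of the rwuser the one-liner grants, and the minimum security level is set to priv so unencrypted SNMPv3 sessions are rejected.

```shell
#!/bin/sh
# Added example, not from the original post or net-snmp. Generates the two
# lines "net-snmp-config --create-snmpv3-user" writes, without passing a
# passphrase on any command line: passphrases come from SNMPV3_AUTHPASS and
# SNMPV3_PRIVPASS, which other users cannot read via ps the way they can argv.
# Assumptions: file paths are arguments; access defaults to read-only and the
# "priv" minimum level is a hardening choice made here, not the one-liner's.

# Algorithm names exactly as the createUser directive spells them.
valid_auth() { case "$1" in MD5|SHA) return 0 ;; *) return 1 ;; esac; }
valid_priv() { case "$1" in DES|AES) return 0 ;; *) return 1 ;; esac; }

# net-snmp rejects USM passphrases shorter than 8 characters.
valid_passphrase() { [ "${#1}" -ge 8 ]; }

# snmpv3_create_line USER AUTHALG PRIVALG
# Prints the createUser line for the persistent snmpd.conf. snmpd reads it on
# its next start, stores localized keys, and deletes this cleartext line.
snmpv3_create_line() {
    user=$1 auth=$2 priv=$3
    apw=${SNMPV3_AUTHPASS-} ppw=${SNMPV3_PRIVPASS-}
    valid_auth "$auth" || { echo "auth mechanism must be MD5 or SHA, not $auth" >&2; return 1; }
    valid_priv "$priv" || { echo "priv mechanism must be DES or AES, not $priv" >&2; return 1; }
    valid_passphrase "$apw" || { echo "SNMPV3_AUTHPASS must be at least 8 characters" >&2; return 1; }
    valid_passphrase "$ppw" || { echo "SNMPV3_PRIVPASS must be at least 8 characters" >&2; return 1; }
    printf 'createUser %s %s "%s" %s "%s"\n' "$user" "$auth" "$apw" "$priv" "$ppw"
}

# snmpv3_access_line USER ro|rw
# Prints the access line for the main snmpd.conf. Monitoring only needs
# rouser; "priv" makes snmpd refuse sessions that are not encrypted.
snmpv3_access_line() {
    case "$2" in
        ro) printf 'rouser %s priv\n' "$1" ;;
        rw) printf 'rwuser %s priv\n' "$1" ;;
        *)  echo "access must be ro or rw, not $2" >&2; return 1 ;;
    esac
}

# install_snmpv3_user USER AUTHALG PRIVALG ro|rw PERSISTENT_CONF MAIN_CONF
# Refuses to run while snmpd is up, then appends both lines. Run it after the
# managed snmpd.conf has been pushed, so the access line is not overwritten.
install_snmpv3_user() {
    if command -v pgrep >/dev/null 2>&1 && pgrep -x snmpd >/dev/null 2>&1; then
        echo "snmpd is running; stop it before creating SNMPv3 users" >&2
        return 1
    fi
    create=$(snmpv3_create_line "$1" "$2" "$3") || return 1
    access=$(snmpv3_access_line "$1" "$4") || return 1
    printf '%s\n' "$create" >> "$5"
    printf '%s\n' "$access" >> "$6"
}

# Example invocation (paths are placeholders; use the persistent directory
# reported by "net-snmp-config --persistent-directory" and whichever of
# /usr/share/snmp or /etc/snmp your snmpd reads):
#   SNMPV3_AUTHPASS='...' SNMPV3_PRIVPASS='...' \
#     install_snmpv3_user monitor SHA AES ro \
#       /var/net-snmp/snmpd.conf /usr/share/snmp/snmpd.conf
```

Once both files are written, start snmpd, confirm the createUser line has disappeared from the persistent file (that is your proof it was localized), and test from another host with snmpget -v3 -l authPriv -u monitor -a SHA -x AES -A '...' -X '...' host sysUpTime.0. To keep those passphrases off the command line too, put defSecurityName, defSecurityLevel, defAuthType, defAuthPassphrase, defPrivType and defPrivPassphrase in a mode-0600 ~/.snmp/snmp.conf and drop the -u/-l/-a/-A/-x/-X arguments.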