lausser / GLPlugin

Perl modules providing the basis for my Naemon plugins

Support of newer SNMP authentication protocols (such as SHA-256, SHA-512 and others) #31

Closed Napsty closed 2 years ago

Napsty commented 2 years ago

Hi Gerhard

Not sure if this is the right repo for the issue, but I assume the SNMP connection and session from check_nwc_health are created in the GLPlugin.

Right now the check_nwc_health plugin (and therefore other plugins which rely on GLPlugin for SNMP connections) does not work with newer SNMP authentication protocols used in SNMPv3. Here's an example with SHA-256:

$ /usr/lib/nagios/plugins/check_nwc_health --hostname 192.168.44.44 --protocol 3 --username nagios --authpassword secret --authprotocol SHA-256 --mode hardware-health -vvvvvvvvvvvvvvvvvvv       
Fri Jan 14 11:42:03 2022: $VAR1 = {
  '-domain' => 'udp',
  '-port' => 161,
  '-translate' => [
    '-all',
    0,
    '-nosuchobject',
    1,
    '-nosuchinstance',
    1,
    '-endofmibview',
    1,
    '-unsigned',
    1
  ],
  '-authprotocol' => 'SHA-256',
  '-username' => 'nagios',
  '-authpassword' => 'secret',
  '-hostname' => '192.168.44.44',
  '-timeout' => 13,
  '-version' => '3'
};

Fri Jan 14 11:42:03 2022: AUTOLOAD Classes::Device::check_messages

Fri Jan 14 11:42:03 2022: AUTOLOAD Classes::Device::check_messages

Fri Jan 14 11:42:03 2022: AUTOLOAD Classes::Device::override_opt

Fri Jan 14 11:42:03 2022: AUTOLOAD Monitoring::GLPlugin::Commandline::override_opt

Fri Jan 14 11:42:03 2022: AUTOLOAD Classes::Device::check_messages

Fri Jan 14 11:42:03 2022: AUTOLOAD Classes::Device::check_messages

Fri Jan 14 11:42:03 2022: AUTOLOAD Classes::Device::nagios_exit

CRITICAL - cannot create session object: The authProtocol "SHA-256" is unknown

It works, however, when using the net-snmp CLI commands, here snmpwalk:

$ snmpwalk -v 3 -l authNoPriv -u nagios -a SHA-256 -A secret 194.40.231.5 1.3.6 |more
iso.3.6.1.2.1.1.1.0 = STRING: "Linux u020sys0 3.10.0-957.21.3cpx86_64 #1 SMP Tue Dec 7 16:34:42 IST 2021 x86_64"

I tried to find the dependency module in the code. I suspected Net::SNMP, but was unable to find it. With Net::SNMP it would make sense that SHA-256 doesn't work: the current version on CPAN (https://metacpan.org/pod/Net::SNMP), 6.0.1, is from 2010 (!!) and only supports SHA (SHA1) and MD5 as authentication protocols. Maybe you implemented your own SNMP client in GLPlugin, but in the (short) research time I could not find it.

Hence the feature request: Would it be possible to add the newer SHA-256 and SHA-512 (and maybe all the auth protocols listed on http://www.net-snmp.org/wiki/index.php/Strong_Authentication_or_Encryption)?

Thank you in advance.

lausser commented 2 years ago

Here is a patch for the USM.pm file in Net::SNMP: https://github.com/openbsd/ports/blob/master/net/p5-Net-SNMP/patches/patch-lib_Net_SNMP_Security_USM_pm

Apply it and you can use sha256 and sha512.
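Added example, not part of the issue thread and not code from GLPlugin, Net::SNMP or the linked patch: a standalone Python sketch of what an SNMPv3 USM client has to compute for each authentication protocol, which is why a library that only knows MD5 and SHA-1 rejects SHA-256. The function names are hypothetical, the password and engine ID are the RFC 3414 A.3 test values, and the message bytes are constructed.

```python
import hashlib
import hmac

# Protocol name -> (hashlib algorithm, truncated MAC length in octets).
# MD5 and SHA-1 are defined in RFC 3414, the SHA-2 variants in RFC 7860.
AUTH_PROTOCOLS = {
    "MD5": ("md5", 12),
    "SHA": ("sha1", 12),
    "SHA-224": ("sha224", 16),
    "SHA-256": ("sha256", 24),
    "SHA-384": ("sha384", 32),
    "SHA-512": ("sha512", 48),
}


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: hash 1,048,576 octets of the repeated password (Ku)."""
    if not password:
        raise ValueError("password must not be empty")
    total = 1048576
    stream = (password * (total // len(password) + 1))[:total]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """RFC 3414 2.6: bind Ku to one agent, Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_params(protocol: str, password: bytes, engine_id: bytes,
                whole_msg: bytes) -> bytes:
    """Truncated HMAC for msgAuthenticationParameters.

    whole_msg is the serialized message with the authentication
    parameters field filled with zero octets of the MAC length.
    """
    if protocol not in AUTH_PROTOCOLS:
        # Same wording as the error quoted in the issue.
        raise ValueError(f'The authProtocol "{protocol}" is unknown')
    hash_name, mac_len = AUTH_PROTOCOLS[protocol]
    kul = localize_key(password_to_key(password, hash_name), engine_id, hash_name)
    return hmac.new(kul, whole_msg, hash_name).digest()[:mac_len]


if __name__ == "__main__":
    engine_id = bytes.fromhex("000000000000000000000002")  # RFC 3414 A.3 value
    msg = b"constructed-sample-message"                     # constructed input
    for name in AUTH_PROTOCOLS:
        mac = auth_params(name, b"maplesyrup", engine_id, msg)
        print(f"{name:8s} {len(mac):2d} octets  {mac.hex()}")
```

Agent and manager must agree on both the hash and the truncation length, so a client limited to the first two table entries cannot authenticate to a user configured for SHA-256.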