netdisco / snmp-info


snmpv3 doc updates #515

Open inphobia opened 2 months ago

inphobia commented 2 months ago

todo

examples and references

  1. current example seems to be based on net-snmp 5.7.2, not 5.9. https://github.com/netdisco/snmp-info/blob/b0144cccc0080ff5f3d24f262b11c5d402d79c7e/lib/SNMP/Info.pm#L74-L77 go through code & wiki to check.

  2. try and find a portable way to figure out what's supported, or some other uniform way to check. net-snmp cli tools seem to contradict each other:

snmpcmd -H seems to be a hardcoded reply. 5.9.4.pre2 says it does:

```
(MD5|SHA|SHA-224|SHA-256|SHA-384|SHA-512)
(DES|AES|AES-192|AES-256)
```

man snmpcmd doesn't mention several aes versions:

```
-x privProtocol
              Set  the privacy protocol (DES or AES) used for encrypted SNMPv3 messages.
```

compile options rule out des & md5:

```
net-snmp-config --configure-options
    '--enable-blumenthal-aes' '--disable-des' '--disable-md5'
```

try and find a portable way to figure out what's supported, or some other uniform way to check.

  3. while at it also document cisco-specific options

since there is little mention of this (aes192c & aes256c)

https://github.com/net-snmp/net-snmp/blob/75f2aedd88ff0d42a99bd2e29aed749012334bad/snmplib/snmpusm.c#L198-L202

https://github.com/netdisco/netdisco/issues/962#issuecomment-1379001329

  4. at least with netdisco-do can't find the net-snmp version that's being used:

```
netdisco-do  show -d 10.40.254.51 -e name -DIISSS >versi 2>&1
snmpget -V
NET-SNMP version: 5.9.4.pre2
% grep -i pre2 versi
% grep -i 5.9.4 versi
```

-> nada


5. examples like:

  * client does not support your auth proto

```
snmpbulkwalk -v 3 -x AES -X SNMPV3priv -a MD5 -A SNMPV3auth -u rouser -l authPriv 1.1.1.1
Invalid authentication protocol specified after -3a flag: MD5
```

  * incorrect username

```
snmpwalk -v 3 -x AES -X SNMPV3priv -a SHA -A SNMPV3auth -u baduser -l authPriv 1.1.1.1
snmpwalk: Unknown user name
```

  * incorrect privacy or authentication key

```
snmpwalk -v 3 -x AES -X SNMPV3priv -a SHA -A SNMPV3type -u rouser -l authPriv 1.1.1.1
snmpwalk: Authentication failure (incorrect password, community or key)
```


  * something with engineid?
  * minimum & maximum lengths for auth/priv keys (protocol dependent)
  * snmp context example?

6. **done**

* https://github.com/netdisco/netdisco/wiki/Vendor-Tips#snmpv3-on-cisco-with-non-standard-priv-algorithms
* https://github.com/netdisco/netdisco/wiki/Configuration#device_auth

~~https://github.com/netdisco/netdisco/wiki/Vendor-Tips#snmpv3-support-on-cisco-ios~~
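One uniform client-side check, as an added example that is not part of the thread, snmp-info or netdisco: reconcile the protocol list that `snmpget -H` advertises (the same hardcoded list the comment quotes) with what `net-snmp-config --configure-options` says the build actually enabled, and refuse a protocol before it ever reaches `snmpwalk`. The two `SAMPLE_*` strings are constructed from the outputs quoted above so the script runs without net-snmp installed; the `-a PROTOCOL ... (MD5|SHA|...)` line format and the assumption that `--disable-des` and `--disable-md5` are the only per-algorithm configure switches are mine, not something the thread states. A protocol the build compiled out is reported separately from one the client has never heard of, which is the distinction behind the "Invalid authentication protocol specified after -3a flag" error quoted in the comment.

```shell
#!/bin/sh
# Added example (not snmp-info/netdisco code): reconcile what `snmpget -H`
# advertises with what the net-snmp build actually enabled, then pre-flight a
# protocol before handing it to snmpwalk/snmpbulkwalk.
#
# SAMPLE_* are constructed from the outputs quoted in the issue, so this runs
# offline; when snmpget and net-snmp-config are on PATH the real output is used.

SAMPLE_HELP='  -a PROTOCOL    set authentication protocol (MD5|SHA|SHA-224|SHA-256|SHA-384|SHA-512)
  -x PROTOCOL    set privacy protocol (DES|AES|AES-192|AES-256)'

SAMPLE_CONFIGURE="'--enable-blumenthal-aes' '--disable-des' '--disable-md5'"

# Protocol names the -H text advertises after a flag (-a or -x), space separated.
help_protocols() {
  printf '%s\n' "$2" | sed -n "s/^ *$1 .*(\([^)]*\)).*/\1/p" | tr '|' ' '
}

# True if the configure options carry --disable-<feature> (e.g. des, md5).
build_disabled() {
  case " $2 " in
    *"--disable-$1'"*|*"--disable-$1 "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Configure feature that can remove a protocol; empty if none.
# Assumption: only DES and MD5 have their own --disable-* switch.
feature_for() {
  case $1 in
    MD5) echo md5 ;;
    DES) echo des ;;
    *)   echo "" ;;
  esac
}

# Advertised protocols for a flag minus those the build compiled out.
# Usage: usable_protocols -a "$help_text" "$configure_options"
usable_protocols() {
  out=""
  for p in $(help_protocols "$1" "$2"); do
    f=$(feature_for "$p")
    if [ -n "$f" ] && build_disabled "$f" "$3"; then
      continue
    fi
    out="${out:+$out }$p"
  done
  printf '%s\n' "$out"
}

# Pre-flight one protocol: 0 usable, 1 advertised but compiled out,
# 2 not advertised at all (this client does not know the name).
# Usage: check_protocol -x AES-256 "$help_text" "$configure_options"
check_protocol() {
  for p in $(help_protocols "$1" "$3"); do
    [ "$p" = "$2" ] || continue
    f=$(feature_for "$p")
    if [ -n "$f" ] && build_disabled "$f" "$4"; then
      return 1
    fi
    return 0
  done
  return 2
}

# Live mode when net-snmp is installed, constructed samples otherwise.
if command -v snmpget >/dev/null 2>&1 && command -v net-snmp-config >/dev/null 2>&1; then
  HELP=$(snmpget -H 2>&1 || true)
  CONF=$(net-snmp-config --configure-options 2>/dev/null || true)
else
  HELP=$SAMPLE_HELP
  CONF=$SAMPLE_CONFIGURE
fi

echo "auth protocols usable on this client: $(usable_protocols -a "$HELP" "$CONF")"
echo "priv protocols usable on this client: $(usable_protocols -x "$HELP" "$CONF")"
```

This only answers what the local client can do; whether the agent accepts the same protocol is a separate failure, which is why the "Unknown user name" and "Authentication failure" errors quoted above come back from the device rather than from argument parsing.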
ollyg commented 2 months ago

There's also my Alien::SNMP dist which should bring in the latest net-snmp with all crypto enabled.

It could be an optional or default install.

I think the reason I've not done that so far is that it'll override the installed net-snmp and it's also a pig to uninstall.

inphobia commented 2 months ago

> There's also my Alien::SNMP dist which should bring in the latest net-snmp with all crypto enabled.

true dat, was pondering to mention this but decided to let it be for now since trying to document what we support already got way bigger than I estimated. I'll leave documenting how to get Alien::SNMP compiled, how to run netdisco with a different LD_LIBRARY path and keeping it up to date to someone else :)

the need for using alien::snmp also goes both ways, for newer and older algorithms. opensuse tumbleweed no longer has md5 & des support compiled in. not saying using those is a good idea, but most design choices in snmp::info have been made to support as many devices as possible. a bundled net-snmp might become a requirement and/or an update/security nightmare. perhaps one to put on the wishlist :)