This works on Debian (and presumably Ubuntu). YMMV for other distros.
Start off with the following configuration in /etc/snmp/snmpd.conf
# create user 'initial' with auth pass 'setuppass'. This is used for the initial setup, then removed.Once this is done, restart snmpd and you should be able to test connectivity by walking the OID tree
createUser initial MD5 setupauth DES setuppriv
# add 'initial' to group 'MyRWGroup' using the USM security model.
group MyRWGroup usm initial
# create a view 'viewall' that includes the entire OID tree.
view viewall included .1
# tie it all together. allow read and write access to view 'viewall' by users in group 'MyRWGroup'
access MyRWGroup "" usm authNoPriv exact viewall viewall none
snmpwalk -v3 -l authNoPriv -u initial -A setupauth localhost .Assuming all is well so far, remove the 'createUser' line from the configuration file and restart snmpd. This prevents snmpd from recreating the 'initial' user every time is starts. You can now use the snmpusm command to create a new user 'cacti'
snmpusm -v3 -l authNoPriv -u initial -A setupauth localhost create cacti initialNow use snmpvacm to create a group 'MyROGroup' and 'cacti'. Then create a new view 'allseeing' that can see the entire tree (this is actually the same as what is in the configuration file). Finally, create an access entry allowing 'MyROGroup' group members using USM (3) to connect via authNoPriv (2) using an exact context match (1). The 'allseeing' view is specified for reads, and 'none' is specified for writes and notifies.
snmpvacm -v3 -l authNoPriv -u initial -A setupauth localhost createSec2Group 3 cacti MyROGroupAt this point you should be able to walk as cacti
snmpvacm -v3 -l authNoPriv -u initial -A setupauth localhost createView allseeing .1 80
snmpvacm -v3 -l authNoPriv -u initial -A setupauth localhost createAccess MyROGroup 3 2 1 allseeing none none
snmpwalk -v3 -l authNoPriv -u cacti -A setupauth localhost .You can also change cacti's Authentication password, but not as cacti. The reason for this is that 'cacti' currently only has read access to the tree. The initial user currently has the necessary write access to the tree. The Privacy password is also changed
snmpusm -v3 -l authNoPriv -u cacti -A setupauth localhost passwd -Ca setupauth authpassNow we want to get rid of the 'initial' user. Before we can delete him we should create an administrative user that can make changes to the tree.
Error in packet.
Reason: noAccess
snmpusm -v3 -l authNoPriv -u initial -A setupauth localhost passwd -Ca setupauth authpass cacti
SNMPv3 Key(s) successfully changed.
snmpusm -v3 -l authNoPriv -u initial -x DES -A setupauth localhost passwd -Cx setupauth privpass cacti
SNMPv3 Key(s) successfully changed.
snmpusm -v3 -l authNoPriv -u initial -x DES -A setupauth localhost create admin initialSome Notes
snmpusm -v3 -l authNoPriv -u initial -x DES -A setupauth localhost passwd setupauth secretpass admin
snmpvacm -v3 -l authNoPriv -u initial -A setupauth localhost createSec2Group 3 admin rwgrp
snmpvacm -v3 -l authNoPriv -u initial -A setupauth localhost createAccess rwgrp 3 2 1 allseeing allseeing none
snmpusm -v3 -l authNoPriv -u admin -a MD5 -n "" -A secretpass localhost delete initial
* When I tried creating access for rwgrp with 'priv' permissions I got timeouts (Timeout: No Response from localhost) from the daemon when trying to operate as admin. Not sure why, and the Internet was completely unhelpful in figuring out why.
* Once the above setup is complete, you can remove all of the initial configuration from the snmpd.conf file and restart the daemon. All the use information is stored in /var/lib/snmp/snmpd.conf, leaving a clean-looking /etc/snmp/snmpd.conf file.
* This is probably not the most secure implementation ever, you may want to do some more research and lock down the agent further.
Useful Resources
snmpvacm man page
snmpusm man page
No comments:
Post a Comment