
SNMP v3 support broken
Closed, Resolved | Public | BUG

Description

During the rewrite and reverse-engineering of the SNMPv3 stuff (T652), I stumbled upon an easy configuration which actually does not do anything.

user is test
password testest

# show service snmp
 listen-address 172.16.37.241 {
     port 666
 }
 v3 {
     engineid 0xff42
     user test {
         auth {
             encrypted-key 0xde1a05c0a80b2804f4c8e658713ee73f1f3b69e4
             type sha
         }
         engineid 0xff42
         mode rw
     }
 }
# commit
[ service snmp ]
Use of uninitialized value $priv_type in uc at /opt/vyatta/sbin/vyatta-snmp-v3.pl line 266.

The resulting /etc/snmp/snmpd.conf looks like

# autogenerated by vyatta-snmp.pl on Mon May 21 16:47:36 2018
sysDescr VyOS 1.2.0-rolling+201805210337
sysObjectID 1.3.6.1.4.1.44641
sysServices 14
master agentx
agentaddress unix:/run/snmpd.socket,udp:172.16.37.241:666
agentXPerms 0755 0755
pass .1.3.6.1.2.1.31.1.1.1.18 /opt/vyatta/sbin/if-mib-alias
smuxpeer .1.3.6.1.4.1.3317.1.2.2
smuxpeer .1.3.6.1.4.1.3317.1.2.5
smuxpeer .1.3.6.1.4.1.3317.1.2.3
smuxpeer .1.3.6.1.4.1.3317.1.2.9
smuxpeer .1.3.6.1.2.1.83
smuxpeer .1.3.6.1.4.1.3317.1.2.8
smuxpeer .1.3.6.1.2.1.157
smuxsocket localhost
iquerySecName vyatta6ce459e085337fb9
notificationEvent  linkUpTrap    linkUp   ifIndex ifDescr ifType ifAdminStatus ifOperStatus
notificationEvent  linkDownTrap  linkDown ifIndex ifDescr ifType ifAdminStatus ifOperStatus
monitor  -r 10 -e linkUpTrap   "Generate linkUp" ifOperStatus != 2
monitor  -r 10 -e linkDownTrap "Generate linkDown" ifOperStatus == 2
# views

#access
#             context sec.model sec.level match  read    write  notif

#trap-target

#group

and has no SNMPv3 stuff in it ...

Details

Difficulty level: Unknown (require assessment)
Version: 1.2.0-rolling+201805210337
Why the issue appeared? Will be filled on close

Event Timeline

c-po created this task. May 21 2018, 4:55 PM
c-po updated the task description.
c-po added a comment. May 21 2018, 5:04 PM

Even after changing the configuration to

snmp {
    listen-address 172.16.37.241 {
    }
    v3 {
        engineid 0xff42
        user test {
            auth {
                encrypted-key 0x63119b4e19ce4d69c7ad678ffe110047
                type sha
            }
            engineid 0xff42
            mode rw
            privacy {
                encrypted-key 0x63119b4e19ce4d69c7ad678ffe110047
                type aes
            }
        }
    }
}

and not getting commit errors, the configuration file for the snmpd service is as empty as posted above.

Line2 added a subscriber: Line2. May 22 2018, 7:01 AM

I am running VyOS-1.2.0-rolling+201805210337 with working SNMPv3.

Config like this:

snmp {
    contact "xyz"
    description xyz
    location "xyz"
    trap-target 10.0.0.1 {
    }
    v3 {
        engineid 0x80001f9980f286be17f8313c5800000000
        group nmsreadonly {
            mode ro
            seclevel priv
            view all
        }
        user nms {
            auth {
                encrypted-key ****************
                type sha
            }
            engineid 0x80001f9980f286be17f8313c5800000000
            group nmsreadonly
            mode ro
            privacy {
                encrypted-key ****************
                type aes
            }
        }
        view all {
            oid 1 {
            }
        }
    }
}

and /etc/snmp/snmpd.conf looks like this:

# autogenerated by vyatta-snmp.pl on Mon May 21 11:01:13 2018
sysDescr VyOS 1.2.0-rolling+201805210337
sysObjectID 1.3.6.1.4.1.44641
sysServices 14
master agentx
agentaddress unix:/run/snmpd.socket,udp:161,udp6:161
agentXPerms 0755 0755
pass .1.3.6.1.2.1.31.1.1.1.18 /opt/vyatta/sbin/if-mib-alias
smuxpeer .1.3.6.1.4.1.3317.1.2.2
smuxpeer .1.3.6.1.4.1.3317.1.2.5
smuxpeer .1.3.6.1.4.1.3317.1.2.3
smuxpeer .1.3.6.1.4.1.3317.1.2.9
smuxpeer .1.3.6.1.2.1.83
smuxpeer .1.3.6.1.4.1.3317.1.2.8
smuxpeer .1.3.6.1.2.1.157
smuxsocket localhost
SysContact xyz
SysDescr xyz
SysLocation xyz
iquerySecName vyatta4a16e141279bdf50
notificationEvent  linkUpTrap    linkUp   ifIndex ifDescr ifType ifAdminStatus ifOperStatus
notificationEvent  linkDownTrap  linkDown ifIndex ifDescr ifType ifAdminStatus ifOperStatus
monitor  -r 10 -e linkUpTrap   "Generate linkUp" ifOperStatus != 2
monitor  -r 10 -e linkDownTrap "Generate linkDown" ifOperStatus == 2
trap2sink 10.0.0.1
# views
view all included .1

#access
#             context sec.model sec.level match  read    write  notif
access nmsreadonly "" usm priv exact all none none
access nmsreadonly "" tsm priv exact all none none

#trap-target

#group
group nmsreadonly usm nms
group nmsreadonly tsm nms

Maybe you missed the group configuration?

c-po added a comment. May 22 2018, 8:41 AM

Ah, there it is! Thanks!

c-po moved this task from Need Triage to In Progress on the VyOS 1.2 Crux board. May 22 2018, 4:52 PM

Looks like a missing check on commit. Will add this case to the new Python script.

syncer triaged this task as Normal priority. May 27 2018, 9:38 AM
c-po moved this task from In Progress to Finished on the VyOS 1.2 Crux board. May 29 2018, 6:57 AM
syncer closed this task as Resolved. May 29 2018, 9:29 AM
syncer claimed this task.
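
A commit-time check of the kind the thread says was missing, as an added example (not code from the VyOS project or from anyone in this thread). The dict layout standing in for the parsed "service snmp v3" tree and the name verify_snmp_v3 are assumptions; only the user-without-group case comes from the thread, the remaining checks generalize it.

```python
# Added example: commit-time validation for "service snmp v3".
# The dict layout is a hypothetical stand-in for the parsed config tree.

def verify_snmp_v3(v3):
    """Return error strings; an empty list means the commit may proceed."""
    errors = []
    groups = v3.get("group", {})
    views = v3.get("view", {})

    for name, user in v3.get("user", {}).items():
        group = user.get("group")
        if not group:
            # The case from this task: the user is silently left out of snmpd.conf.
            errors.append(f"user {name}: no group assigned")
        elif group not in groups:
            errors.append(f"user {name}: group {group} is not defined")
        elif groups[group].get("seclevel") == "priv" and "privacy" not in user:
            # Assumption: a priv-level group can only match users with a privacy key.
            errors.append(f"user {name}: group {group} needs a privacy block")

    for name, group in groups.items():
        view = group.get("view")
        if not view:
            errors.append(f"group {name}: no view assigned")
        elif view not in views:
            errors.append(f"group {name}: view {view} is not defined")
    return errors


# Constructed from the two configurations in the thread (keys omitted).
BROKEN = {
    "engineid": "0xff42",
    "user": {"test": {"auth": {"type": "sha"}, "engineid": "0xff42", "mode": "rw"}},
}
WORKING = {
    "engineid": "0x80001f9980f286be17f8313c5800000000",
    "group": {"nmsreadonly": {"mode": "ro", "seclevel": "priv", "view": "all"}},
    "user": {"nms": {"auth": {"type": "sha"}, "privacy": {"type": "aes"},
                     "group": "nmsreadonly", "mode": "ro"}},
    "view": {"all": {"oid": {"1": {}}}},
}

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("working", WORKING)):
        print(label, verify_snmp_v3(cfg) or "ok")
```

Failing the commit with these messages makes the gap visible to the operator, instead of producing an snmpd.conf with empty access and group sections.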