However, there’s one more step. All we did was tell snmpd what it needs to know when it is queried by another device using SNMPv3. We haven’t yet actually set up the user databases or the hashes needed for the authentication and encryption. To do that, you have to use net-snmp-config, at /user/bin/net-snmp-config. When you run net-snmp-config with the
--create-snmpv3-user flags, you create the authentication information needed to take advantage of SNMPv3’s security. Before we actually start running net-snmp-config, let’s take a look at what the
--create-snmpv3-user switch does. From the net-snmp-config man page:
--create-snmpv3-user [-ro] [-a authpass] [-x privpass] [-X DES|AES] [-A MD5|SHA] [username]
Along with the username, we have some decisions here. First, is this a read-only user or read-write (-ro). We have to decide on both an authentication passphrase, (-a authpass) and an encryption passphrase (-x privpass) if we’re using encryption. If we are using encryption, (and why wouldn’t we?) then we need to decide on the kind of encryption we’re going to use. We can choose between DES or AES, (-X DES|AES). Finally, we have to decide on the authentication mechanism, MD5 or SHA, (-A MD5|SHA). Now, when you’re deciding on the encryption protocols and authentication mechanisms, you want to make sure whatever you pick is supported by the monitoring programs that will be querying snmpd on the Mac OS X computer we’ve been setting this up on. Picking the more secure options, (AES and SHA) won’t do us much good if the monitoring software can’t use it.
There are two ways to run this command. You can run
sudo net-snmp-config --create-snmpv3-user interactively, but you lose control over what authentication and encryption protocols are used. For example:
If you want full control over creating the user, or you want to create a read-only user, you’re going to want to specify all the commands. For example, to use SHA instead of MD5 and AES instead of DES:
It’s a bit more complicated, but it does let me have more control over exactly how I want to create this user.
Once you’ve run net-snmp-config, it creates those users in a separate snmpd.conf file, located in /var/db/net-snmp/, which is only readable by root. The reason for this is because it stores the information on SNMPv3 users in plain text in this file:
createUser snmpv3test MD5 "78Y+-0u1#" DES createUser snmpv3test2 SHA "78Y+-0u1#" DES 78Y+-0u1# createUser snmpv3test3 SHA "78Y+-0u1#" AES 78Y+-0u1#
Note that this is in plain text. Anyone getting read access to this file will be able to get all the information they need to use SNMPv3 on this system. Yes, that’s insecure. But no one has claimed SNMPv3 was perfectly secure—only a lot more secure than earlier versions. However, if someone gets root access to one of your servers, you have far greater problems than them snarfing down all your SNMP traffic.
net-snmp-config also adds entries into the main snmpd.conf file, located in /usr/share/snmp/snmpd.conf:
rwuser snmpv3test rwuser snmpv3test2 rwuser snmpv3test3
The reason for this is to allow you to add SNMPv3 users to an existing configuration without having to go through snmpconf. If that’s the case, then the only thing you’d want to add is a switch telling snmpd.conf about the authentication and encryption usage for these users. In our case, we’d add
priv after each one for:
rwuser snmpv3test priv rwuser snmpv3test2 priv rwuser snmpv3test3 priv
However, if you’ve just created the user in snmpconf, and they already have an rwuser line in snmpd.conf, then you can delete the lines net-snmp-config added in your text editor of choice.
OK, so we’ve set up our SNMPv3 configuration and users, now, how do we use it all?