Setting up and using SNMPv3 on OS X

SNMPv3 setup

The first thing we have to do to use SNMPv3 is to set it up. Now, if you’re really good with snmpd.conf syntax... well, you don't need this article. However, rather than hand-editing the conf file, we’re going to take advantage of a handy utility called snmpconf. (Warning for the Terminal-phobic: SNMP requires a lot of command-line work. There’s no way to really avoid it. If you’re an administrator who still fears Terminal and the command line, you’re going to need to move past that.) snmpconf is a Perl script designed to make setting up snmp easier—something which it’s pretty good at.

One nice thing, is that if you use snmpconf with the -i switch, (snmpconf -i), it will even put the various configuration files you create and modify in their correct locations for you. Handy, no? Of course, since you’re modifying system-level configurations, you have to run snmpconf via sudo to have the -i switch work correctly, so you have:

sudo /usr/bin/snmpconf -i

When you run this, if there are any existing configuration files, (and there most likely will be), you’ll be asked if you want snmpconf to read in the data from one, some, or none of those files. I prefer to start clean, so I usually pick none. (If you already have a functional SNMP setup and are adding SNMPv3 to it, pick the more appropriate option for your setup.) Enter none and hit return. Next, you’re going to be asked what files you want to modify: snmpd.conf, snmptrapd.conf, or snmp.conf. Since we want to set up how the system responds to SNMPv3 requests from other systems, we want to modify the configuration of the SNMP daemon, snmpd. Therefore, we're going to select option 1—snmpd.conf:

The next screen will give you all the options available for snmpd. Since we’re trying to keep this at least somewhat small, and the other information is available elsewhere, we’re going to ignore all the options that don’t involve setting up SNMPv3. So, we’re going to choose option 1, Access Control Setup, because that’s where we start configuring our SNMPv3 users:

Once we’ve done this, we see we have two options for SNMPv3 setup; a read-write user and a read-only user. Since you can use SNMP to set values, not just get them, it is important to use a good password for the read-write user. As an example, a lot of networks use this setting ability, via the snmpset command, to disable ports on a switch if they detect a computer that’s been corrupted by malware, and is now trying to do inappropriate things on the network, like setting up IRC servers. So you have to give careful consideration to what the read-write user’s credentials will be. One thing you can do, and it’s not a bad idea, is to have different user logins for read-write and read-only. Monitoring software that won’t need to change settings only needs read-only access.

With all that in mind, let’s set up our read-write user, option 1:

We get an example of the arguments we’ll eventually use here, and then we’re asked for the user name. Only enter the user name here. I have learned, painfully, over the years that getting clever with snmpconf leads to madness and bad config files. Also note that snmpconf is telling you what user you’re configuring, namely rwuser:

For our example, we’re calling this user “r-wuser,” just to make what we’re doing more clear. Next, you’re asked the minimum security level required for that user with three options: noauth, auth, and priv, with the default being auth. The difference between the three is what kind of security is used for authentication. noauth is what you get with SNMPv1 and v2-no encryption; plus, as long as what you enter matches the password/community string, it’s good. auth uses either HMAC MDF or SHA to authenticate, so it’s quite a bit more secure than string matching. priv takes the mechanism used by auth, and encrypts it with DES for even more security. My preference here is to use priv. If you’re going to use noauth, there’s not much of a point in using SNMPv3. Enter the desired security level and hit return:

Next, you’re asked what OID you want to restrict this user to. As a quick background, an OID is the container for the value you’re requesting. So if you want to know uptime, you’d request the value in the 1.3.6.1.2.1.1.3.0 OID. In some cases, you may want to really lock down access to a device or devices for SNMP read-write access to a specific OID. If so, you’d enter it here. I have yet to have a need for this, so I just hit return, which grants access to all OIDs. That’s the last step in configuring the SNMPv3 read-write user, and you return back to the Access Control Setup screen:

Setting up the read-only user is identical to setting up the read-write user, so we won’t cover that in detail. Obviously, you’ll want to use a different user name for read-only than for read-write. Once you’re done, enter finished, hit return, and you move back to the snmpd config main screen:

Enter finished again, and you’re back to the snmpconf main screen:

If you enter quit here, snmpconf will write your selections to the snmpd.conf file, and move it to the correct locations. If you want to change anything before that happens, this is your last chance to do so without repeating every step. If you're happy, then enter quit and hit return. snmpconf will tell you what happened, and where it put the files.