bsnmpd configuration question - enabling SNMPv3 authentication

Good Day! I have an issue which has me stumped. If I start bsnmpd with only SNMP v1 or v2 configured, it works properly. I am able to snmpwalk the machine with proper results.

Alas, when I configure /etc/snmpd.config for SNMPv3, my snmpwalk times out. My eyes are hurting from checking the config and debugging. :-(

I have worked through these to no avail:

From the server I have run:
Code:
snmpwalk -v 3 -a SHA-256 -A 'bsnmptest' -l authPriv -u bsnmp -x AES -X 'bsnmptest' 127.0.0.1
Timeout: No Response from 127.0.0.1

 bsnmpwalk -A proto=sha -v 3 -d -C context-engine=0x801008108025 -P proto=aes -U name=bsnmp -o verbose
GET SNMPv3 'public' request_id=0 error_status=0 error_index=0
REPORT SNMPv3 '' request_id=0 error_status=0 error_index=0
 [0]: 1.3.6.1.6.3.15.1.1.4.0=COUNTER 0
Engine ID 0x801008108025
Boots : 151             Time : 80
Localized keys for bsnmp
SHA : 0x22981a6e3993165e6a211bd8a981310516333860
AES : 0x22981a6e3993165e6a211bd8a9813105
GETNEXT SNMPv3 'public' request_id=1 error_status=0 error_index=0
 [0]: 1.3.6.1.2.1=NULL
GETNEXT SNMPv3 'public' request_id=2 error_status=0 error_index=0
 [0]: 1.3.6.1.2.1=NULL
GETNEXT SNMPv3 'public' request_id=3 error_status=0 error_index=0
 [0]: 1.3.6.1.2.1=NULL
GETNEXT SNMPv3 'public' request_id=4 error_status=0 error_index=0
 [0]: 1.3.6.1.2.1=NULL
GET SNMPv3 'public' request_id=5 error_status=0 error_index=0
 [0]: 1.3.6.1.2.1=NULL
GET SNMPv3 'public' request_id=6 error_status=0 error_index=0
 [0]: 1.3.6.1.2.1=NULL
GET SNMPv3 'public' request_id=7 error_status=0 error_index=0
 [0]: 1.3.6.1.2.1=NULL
GET SNMPv3 'public' request_id=8 error_status=0 error_index=0
 [0]: 1.3.6.1.2.1=NULL
bsnmpwalk: Snmp dialog: Operation timed out

I have only uncommented lines in snmpd.config in an effort to get authentication working. Alas, it does not. A diff from the default /etc/snmpd.config with /etc/snmpd.config after attempting to enable SNMPv3 follows:
Code:
21,22c21,22
< engine := 0x80:0x10:0x08:0x10:0x80:0x25
< snmpEngineID = $(engine)
---
> # engine := 0x80:0x10:0x08:0x10:0x80:0x25
> # snmpEngineID = $(engine)
71,72c71,72
< user1 := "bsnmp"
< user1passwd := 0x22:0x98:0x1a:0x6e:0x39:0x93:0x16:0x5e:0x6a:0x21:0x1b:0xd8:0xa9:0x81:0x31:0x05:0x16:0x33:0x38:0x60
---
> #user1 := "bsnmp"
> #user1passwd := 0x22:0x98:0x1a:0x6e:0x39:0x93:0x16:0x5e:0x6a:0x21:0x1b:0xd8:0xa9:0x81:0x31:0x05:0x16:0x33:0x38:0x60
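Review bot: the user1passwd value on the `<` side is byte-for-byte the key that sits commented out on the `>` side, so the active key for user1 is the sample key from the default file rather than a site-specific one. It is also 20 octets long, the length of a localized HMAC-SHA-1 key, so a client that localizes with another digest (the `-a SHA-256` in the snmpwalk command above) cannot arrive at this value. Generate a fresh localized key for this engine ID and keep the client's auth protocol aligned with it.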
181c181
< begemotSnmpdModulePath."usm"  = "/usr/lib/snmp_usm.so"
---
> #begemotSnmpdModulePath."usm" = "/usr/lib/snmp_usm.so"
186c186
< begemotSnmpdModulePath."vacm" = "/usr/lib/snmp_vacm.so"
---
> #begemotSnmpdModulePath."vacm"        = "/usr/lib/snmp_vacm.so"
198c198
< %usm
---
> #%usm
205,210c205,210
< usmUserStatus.$(engine).$(user1) = 5
< usmUserAuthProtocol.$(engine).$(user1) = $(HMACSHAAuthProtocol)
< usmUserAuthKeyChange.$(engine).$(user1) = $(user1passwd)
< usmUserPrivProtocol.$(engine).$(user1) = $(AesCfb128Protocol)
< usmUserPrivKeyChange.$(engine).$(user1) = $(user1passwd)
< usmUserStatus.$(engine).$(user1) = 1
---
> # usmUserStatus.$(engine).$(user1) = 5
> # usmUserAuthProtocol.$(engine).$(user1) = $(HMACSHAAuthProtocol)
> # usmUserAuthKeyChange.$(engine).$(user1) = $(user1passwd)
> # usmUserPrivProtocol.$(engine).$(user1) = $(AesCfb128Protocol)
> # usmUserPrivKeyChange.$(engine).$(user1) = $(user1passwd)
> # usmUserStatus.$(engine).$(user1) = 1
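Review bot: usmUserAuthKeyChange and usmUserPrivKeyChange are both assigned $(user1passwd), so the authentication and privacy keys for user1 are the same material. Define a second variable for the privacy key so that exposure of one key does not also give away the other.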
217,220c217,220
< usmUserStatus.$(engine).$(read) = 5
< usmUserAuthProtocol.$(engine).$(read) = $(NoAuthProtocol)
< usmUserPrivProtocol.$(engine).$(read) = $(NoPrivProtocol)
< usmUserStatus.$(engine).$(read) = 1
---
> # usmUserStatus.$(engine).$(read) = 5
> # usmUserAuthProtocol.$(engine).$(read) = $(NoAuthProtocol)
> # usmUserPrivProtocol.$(engine).$(read) = $(NoPrivProtocol)
> # usmUserStatus.$(engine).$(read) = 1
226c226
< %vacm
---
> #%vacm
237,240c237,240
< vacmSecurityToGroupStatus.$(securityModelUSM).$(user1) = 4
< vacmGroupName.$(securityModelUSM).$(user1) = $(write)
< vacmSecurityToGroupStatus.$(securityModelUSM).$(read) = 4
< vacmGroupName.$(securityModelUSM).$(read) = $(write)
---
> # vacmSecurityToGroupStatus.$(securityModelUSM).$(user1) = 4
> # vacmGroupName.$(securityModelUSM).$(user1) = $(write)
> # vacmSecurityToGroupStatus.$(securityModelUSM).$(read) = 4
> # vacmGroupName.$(securityModelUSM).$(read) = $(write)
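Review bot: the last two `<` lines put the $(read) user, which hunk 217,220 enables with $(NoAuthProtocol) and $(NoPrivProtocol), into the same $(write) group as the authenticated $(user1). If only authPriv requests are meant to be served, leave the $(read) lines here and in 217,220 commented, or map $(read) to its own group with narrower access.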

What have I missed?

TIA,
glenn
 
Good Day!

Does anyone have a working example snmpd.config for bsnmpd? I have bsnmpd working for v1 and v2. Alas, I have been unable to get SNMPv3 working with encryption. Any recommendations would be greatly appreciated.
I have read through:

Thank You!!!
glenn
 
Code:
$bsnmpget  -s 10.1.1.2 sysUpTime.0
Engine ID 0x801008108025
Boots : 284        Time : 1247
Localized keys for bsnmp
SHA : 0x22981a6e3993165e6a211bd8a981310516333860
AES : 0x22981a6e3993165e6a211bd8a9813105

sysUpTime.0 = 124738

$snmpget -l authPriv -u bsnmp -a SHA -3k 0x22981a6e3993165e6a211bd8a981310516333860 -x AES -3K 0x22981a6e3993165e6a211bd8a9813105  10.1.1.2 sysUpTime.0
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (81582) 0:13:35.82
 
Thank You for sharing, covacat!

I tried your commands on my system and received the following:
Code:
# bsnmpget -s 172.16.249.93 sysUpTime.0
Engine ID 0x801008108025
Boots : 151             Time : 79817
Localized keys for bsnmp
SHA : 0x22981a6e3993165e6a211bd8a981310516333860
AES : 0x22981a6e3993165e6a211bd8a9813105
bsnmpget: Snmp dialog: Operation timed out

# snmpget -l authPriv -u bsnmp -a SHA -3k 0x22981a6e3993165e6a211bd8a981310516333860 -x AES -3K 0x22981a6e3993165e6a211bd8a9813105 172.6.249.93 sysUpTime.0
snmpget: Timeout (Sub-id not found: (top) -> sysUpTime)

Both operations timed out. I fear I have something misconfigured in my snmpd.config file but am not sure what.

Any other ideas? :-)

glenn
 
maybe termbin recycles ids
uploaded again

Thanks for the repost.

Hmm. Am I doing this wrong?

Code:
[18:36 empty dan ~] % export SNMPPASSWD=bsnmptest                       

[18:36 empty dan ~] % export SNMPUSER=bsnmp     

[18:41 empty dan ~] % bsnmpget -v 3 -D -K -o verbose -s 10.55.0.21 -d       
GET SNMPv3 'public' request_id=0 error_status=0 error_index=0
GET SNMPv3 'public' request_id=1 error_status=0 error_index=0
GET SNMPv3 'public' request_id=2 error_status=0 error_index=0
GET SNMPv3 'public' request_id=3 error_status=0 error_index=0
bsnmpget: Unknown SNMP Engine ID: Operation timed out

[18:37 empty dan ~] % sockstat -p 161 -4           
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS     
root     bsnmpd     52455 6  udp4   10.55.0.21:161        *:*

net-mgmt/net-snmp can talk to snmpwalk, so I conclude this is not a networking issue.
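
SNMPv3 USM derives a user's localized key from the password and the agent's engine ID as described in RFC 3414. The sketch below is an added example, not code from any poster or from bsnmp: it implements that derivation so a stored `user1passwd` can be compared with what a client would compute for a given auth protocol. The function names are made up for the illustration; the engine ID, key and password in the `__main__` part are the ones quoted in the thread.

```python
import hashlib

# Digest behind each USM auth protocol name (SHA-256 as in RFC 7860).
AUTH_HASHES = {"MD5": "md5", "SHA": "sha1", "SHA-256": "sha256"}

def password_to_key(password: bytes, auth: str) -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated cyclically to 1,048,576 octets)."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(1048576, len(password))
    return hashlib.new(AUTH_HASHES[auth], password * reps + password[:rem]).digest()

def localize_key(password: bytes, engine_id: bytes, auth: str) -> bytes:
    """Localized key Kul = H(Ku || snmpEngineID || Ku)."""
    ku = password_to_key(password, auth)
    return hashlib.new(AUTH_HASHES[auth], ku + engine_id + ku).digest()

def aes128_priv_key(localized: bytes) -> bytes:
    """RFC 3826: the AES-128 privacy key is the first 16 octets of Kul."""
    return localized[:16]

def parse_config_key(text: str) -> bytes:
    """Turn snmpd.config notation (0x22:0x98:...) into bytes."""
    return bytes(int(part, 16) for part in text.split(":"))

def check_user(password: bytes, engine_id: bytes, auth: str, stored: bytes):
    """Return (length_matches, key_matches) for a client-side auth choice."""
    kul = localize_key(password, engine_id, auth)
    return len(kul) == len(stored), kul == stored

if __name__ == "__main__":
    # Engine ID, user1passwd and password as quoted in the thread.
    engine = bytes.fromhex("801008108025")
    stored = parse_config_key(
        "0x22:0x98:0x1a:0x6e:0x39:0x93:0x16:0x5e:0x6a:0x21:"
        "0x1b:0xd8:0xa9:0x81:0x31:0x05:0x16:0x33:0x38:0x60")
    for auth in ("SHA", "SHA-256"):
        print(auth, check_user(b"bsnmptest", engine, auth, stored))
    print("AES-128 key:", aes128_priv_key(stored).hex())
```

A `False` in the first field means the client is localizing with a different digest than the one the stored key was made with, so authentication cannot succeed regardless of the password.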
 