Getting netsnmp ready for VACM

We are working on some cool SNMPv3 security features for the upcoming Unbrowse SNMP R1.5 release. Among other things, you can create users, restrict their access, and change their passwords, just as you would on your website or computer. All the gory details of USM / VACM are hidden away.

I was running some tests with our beta build against a net-snmp server on a Fedora (FC5) box. I found several issues before getting net-snmp to respond to VACM correctly. I hope this post helps folks who want to move completely to SNMPv3 (completely disabling the insecure SNMPv1 and SNMPv2).

Step 1 : Uninstall old version of net-snmp

Check the RPM names for snmp by typing

root$ rpm -qa | grep snmp

Delete all the RPMs listed (use “rpm -e”; example below):

root$ rpm -e net-snmp-utils-5.2.1.2-fc4.1

Step 2 : Upgrade to net-snmp version 5.4 at least

I had installed the 5.2.1.2 RPM on our test Fedora 5 server. Unfortunately this has some bugs in the VACM subsystem: it would not allow you to create a new tree family if one with the same name already existed. To fix this issue you need to compile from source. Here are some problems you might encounter when you compile.

Missing BeeCrypt

You need BeeCrypt (an open source crypto library) to compile net-snmp. If you do not have it installed (Fedora does not install it by default), you will get an error similar to:

libtool: link: cannot find the library `/usr/lib/libbeecrypt.la' or unhandled argument `/usr/lib/libbeecrypt.la'
make[1]: *** [snmpd] Error 1
make[1]: Leaving directory `/home/vivek/netsnmp/net-snmp-5.4/agent'

To install BeeCrypt, log on as root and type

root$ yum install beecrypt

Missing elfutils

Red Hat 8.0 and later does not have elfutils installed by default, so you need to install it manually on FC4 and later. If you do not have it, you will get an error similar to:

-rpath -Wl,/usr/local/lib
/usr/bin/ld: cannot find -lelf
collect2: ld returned 1 exit status

To install elfutils, log on as root and type

root$ yum install elfutils-devel

You are all set! The new net-snmp version is installed. Everything should work fine now, except for a small problem with VACM.

Step 3 : Need a patch for VACM

What's the problem?

Let us say we want to create a security profile for Cacti. Note that with SNMPv3 you are not dealing directly with users but with management systems. Cacti is a graphing tool that pulls SNMP variables out of some MIBs, so we can allow it read access to the entire MIB tree. However, we cannot allow Cacti users to in turn create new users with a security profile better than their own. We disallow this by blocking the security (.1.3.6.1.6) subtree.

To do this we create a view called “cacti-view”, by point and click using a beta of Unbrowse SNMP 1.5.

After Unbrowse did its thing, the tree family table read correctly as (snmpwalk output):

vacmViewTreeFamilyType."cacti-view".1.1 = INTEGER: included(1)
vacmViewTreeFamilyType."cacti-view".5.1.3.6.1.6 = INTEGER: excluded(2)

However, when trying to retrieve sysUpTime, the SNMP server blocked it even though it is included in the view! This bug prevents us from using VACM effectively.
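The decision the agent should be making for that view, as an added example that is not code from this post or from net-snmp: a small Python model of the RFC 3415 vacmViewTreeFamilyTable check, loaded with the two "cacti-view" rows from the snmpwalk output above. It assumes the default all-ones family mask for those rows (net-snmp's behaviour when no mask is configured), and the sample OIDs it queries are standard MIB-2, SNMP-USER-BASED-SM-MIB and SNMP-VIEW-BASED-ACM-MIB objects; the second view with a mask is constructed here only to show how masks wildcard a sub-identifier.

```python
"""Reference evaluation of an SNMPv3 VACM view (RFC 3415, section 4 step (e)).

Added example, not code from the post or from net-snmp. It models the
"cacti-view" from the post's snmpwalk output (subtree .1 included, subtree
.1.3.6.1.6 excluded) and evaluates which OIDs a manager bound to that view
may reach, which is exactly the check that was misbehaving in the agent.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

INCLUDED, EXCLUDED = 1, 2  # vacmViewTreeFamilyType values


def parse_oid(text: str) -> Tuple[int, ...]:
    """'.1.3.6.1.2.1.1.3.0' -> (1, 3, 6, 1, 2, 1, 1, 3, 0)."""
    return tuple(int(part) for part in text.strip(".").split("."))


@dataclass(frozen=True)
class TreeFamily:
    """One row of vacmViewTreeFamilyTable for a single view name."""
    subtree: Tuple[int, ...]
    family_type: int = INCLUDED
    # vacmViewTreeFamilyMask: one bit per sub-identifier of `subtree`;
    # 1 = must match, 0 = wildcard. An empty mask means "all ones"
    # (the default when no mask is configured).
    mask: Tuple[int, ...] = ()

    def matches(self, oid: Tuple[int, ...]) -> bool:
        # A family only covers OIDs at least as long as its own subtree.
        if len(oid) < len(self.subtree):
            return False
        for i, sub in enumerate(self.subtree):
            must_match = self.mask[i] if i < len(self.mask) else 1
            if must_match and oid[i] != sub:
                return False
        return True


def view_check(families: List[TreeFamily], oid: Tuple[int, ...]) -> bool:
    """True if `oid` is in the view built from `families`.

    Per RFC 3415: of all matching families, the one with the most
    sub-identifiers wins; on a tie the lexicographically greatest subtree
    wins. No matching family at all means the OID is outside the view.
    """
    best: Optional[TreeFamily] = None
    for fam in families:
        if not fam.matches(oid):
            continue
        if best is None or (len(fam.subtree), fam.subtree) > (len(best.subtree), best.subtree):
            best = fam
    return best is not None and best.family_type == INCLUDED


# The two rows the post's snmpwalk shows for "cacti-view", transcribed.
# The table index is <viewName>.<subtree length>.<subtree>, so
#   vacmViewTreeFamilyType."cacti-view".1.1         = included(1)
#   vacmViewTreeFamilyType."cacti-view".5.1.3.6.1.6 = excluded(2)
CACTI_VIEW = [
    TreeFamily(parse_oid(".1"), INCLUDED),
    TreeFamily(parse_oid(".1.3.6.1.6"), EXCLUDED),
]

# Constructed second view (not from the post) showing a mask: only row 5 of
# ifTable is visible, across every column. Bit 9 (the column position) is 0.
ROW5_VIEW = [
    TreeFamily(parse_oid(".1.3.6.1.2.1.2.2.1.1.5"), INCLUDED,
               mask=(1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1)),
]


def cacti_allows(oid_text: str) -> bool:
    """Would a manager restricted to cacti-view be allowed to read `oid_text`?"""
    return view_check(CACTI_VIEW, parse_oid(oid_text))


def row5_allows(oid_text: str) -> bool:
    """Same question for the masked ifTable-row-5 view."""
    return view_check(ROW5_VIEW, parse_oid(oid_text))


if __name__ == "__main__":
    samples = [
        ("sysUpTime.0",            ".1.3.6.1.2.1.1.3.0"),         # in view
        ("ifInOctets.1",           ".1.3.6.1.2.1.2.2.1.10.1"),    # in view
        ("usmUserSecurityName",    ".1.3.6.1.6.3.15.1.2.2.1.3"),  # excluded
        ("vacmAccessReadViewName", ".1.3.6.1.6.3.16.1.4.1.5"),    # excluded
    ]
    for name, oid in samples:
        verdict = "included" if cacti_allows(oid) else "excluded"
        print(f"{name:24s} {oid:30s} {verdict}")
```

Running the block shows sysUpTime and ifTable objects as included and the USM/VACM tables as excluded, which is the behaviour the snmpwalk table above promises; an agent that refuses sysUpTime under this view is applying the "longest matching family" rule incorrectly.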
I trawled the mailing list archives for net-snmp looking for a bug report but found none. After a long session with gdb (I absolutely hate Linux debugging), I managed to track down the problem to a bug in file vacm.c (function netsnmp_view_subtree_check). Later, while I was googling for something else, I found that there is already a patch pending for this problem here.

Lesson : Look for pending patches first, then look for bug reports, lastly search the mailing lists.

You must apply the patch and recompile net-snmp. Now VACM will work as expected, and you are ready to define access control for your management stations.

Stay tuned for more on SNMP security.

Author: Vivek Rajagopalan

Vivek Rajagopalan is a lead developer for Trisul Network Analytics. Prior products were Unsniff Network Analyzer and Unbrowse SNMP. Loves working with packets, very high speed networks, and helping track down the bad guys on the internet.