\documentclass[solutions]{ictlab}
% DO NOT EDIT---WILL BE OVERWRITTEN
% Copyright (c) 2003 by Nick Urbanik.
% This material may be distributed only subject to the terms and
% conditions set forth in the Open Publication License, v1.0 or later
% (the latest version is presently available at
% http://www.opencontent.org/openpub/).
\RCS $Revision: 1.6 $
\usepackage{verbatim,alltt,key,biganswerbox,xr}
\usepackage[hang,bf,nooneline]{caption2}
\ifx\pdftexversion\undefined
\else
\usepackage[pdfpagemode=None,pdfauthor={Nick Urbanik}]{hyperref}
\fi
\externaldocument[s3-]{../../lectures/snmp-v3/snmp-v3}
\newcommand*{\labTitle}{SNMP VACM and USM Tutorial}
\providecommand*{\SNMP}{\acro{SNMP}\xspace}
\providecommand*{\MIB}{\acro{MIB}\xspace}
\providecommand*{\ID}{\acro{ID}\xspace}
\providecommand*{\OID}{\acro{OID}\xspace}
\providecommand*{\USM}{\acro{USM}\xspace}
\providecommand*{\VACM}{\acro{VACM}\xspace}
\renewcommand{\floatpagefraction}{0.75} % default is .5, to increase
                                        % density.
\renewcommand*{\bottomfraction}{0.6}    % default is 0.3
\renewcommand*{\topfraction}{0.85}      % default is 0.7
\renewcommand*{\textfraction}{0.1}      % default is 0.2
\begin{document}
\section{Aims}
\label{sec:aims}
The main aims of the activities today are:
\begin{itemize}
\item To understand how to configure and install an \SNMP agent on your
  computer;
\item To understand how to use \VACM to provide access control to any
  chosen set of variables;
\item To understand how to create \USM accounts and use them with strong
  authentication and encryption.
\end{itemize}
\section{Procedure}
\label{sec:procedure}
The agent is called \texttt{snmpd}. The configuration for the agent is in
the file \path{/etc/snmp/snmpd.conf}. Your root password is as described
in
\url{http://ictlab.tyict.vtc.edu.hk/snm/lab/regular-expressions/regular-expresssions.pdf}:
\texttt{)3SnhGxv9}. Set up \texttt{sudo} as described in
\url{http://ictlab.tyict.vtc.edu.hk/ossi/lab/sudo/sudo.pdf}.
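The \VACM decision that the procedure and the questions below exercise
(community string to security name via \texttt{com2sec}, security name to
group, group to \texttt{access} entry, and \texttt{access} entry to a
\texttt{view} whose family mask, such as \texttt{ff.a0}, wildcards the
column sub-identifier) can be checked offline before you restart the
agent. The Python checker below is an added example, not part of this
tutorial or of Net-SNMP: the \texttt{snmpd.conf} lines it embeds are
constructed from the answers in the Questions section, and its two-entry
\texttt{MIB} name table is a hypothetical stand-in for the agent's own
\MIB parser.

```python
# Constructed input: the com2sec/group/view/access lines from this tutorial's answers (v2c only).
SNMPD_CONF = """
com2sec usera default comm1
com2sec userb default comm2
group groupa v2c usera
group groupb v2c userb
view view1 included IF-MIB::ifIndex.1 ff.a0
view view2 included IF-MIB::ifIndex.2 ff.a0
access groupa "" any noauth exact view1 none none
access groupb "" any noauth exact view2 none none
"""
# Hypothetical two-entry name table; the real agent resolves names through its loaded MIB files.
MIB = {"IF-MIB::ifIndex": "1.3.6.1.2.1.2.2.1.1", "IF-MIB::ifDescr": "1.3.6.1.2.1.2.2.1.2"}

def to_oid(name):  # 'IF-MIB::ifDescr.2' -> integer sub-identifiers, via the MIB table above
    base, _, inst = name.partition(".")
    return [int(x) for x in MIB[base].split(".") + (inst.split(".") if inst else [])]

def mask_bits(hexmask):  # 'ff.a0' -> bits, most significant first; an empty mask means all ones
    return [(int(o, 16) >> i) & 1 for o in (hexmask.split(".") if hexmask else []) for i in range(7, -1, -1)]

def in_family(oid, subtree, mask):
    """RFC 3415 family test: mask bit 1 = sub-id must match, 0 = wildcard, bits past the mask = 1."""
    bits = mask_bits(mask) + [1] * len(subtree)
    return len(oid) >= len(subtree) and all(b == 0 or o == s for b, o, s in zip(bits, oid, subtree))

def parse(conf):  # collect the four VACM directive types; other snmpd.conf lines are ignored
    cfg = {"com2sec": {}, "group": {}, "view": {}, "access": {}}
    for line in conf.splitlines():
        tok = line.split("#")[0].split()
        if tok and tok[0] == "com2sec":   # com2sec SECNAME SOURCE COMMUNITY
            cfg["com2sec"][tok[3]] = tok[1]
        elif tok and tok[0] == "group":   # group GROUP MODEL SECNAME
            cfg["group"][(tok[2], tok[3])] = tok[1]
        elif tok and tok[0] == "view":    # view VIEW included|excluded SUBTREE [MASK]
            cfg["view"].setdefault(tok[1], []).append((tok[2], to_oid(tok[3]), tok[4] if len(tok) > 4 else ""))
        elif tok and tok[0] == "access":  # access GROUP CONTEXT MODEL LEVEL PREFIX READ WRITE NOTIFY
            cfg["access"][tok[1]] = {"model": tok[3], "level": tok[4], "read": tok[6]}
    return cfg

def in_view(cfg, view, oid):  # the longest matching family decides, and it must be 'included'
    hits = [(len(st), st, kind) for kind, st, mask in cfg["view"].get(view, []) if in_family(oid, st, mask)]
    return bool(hits) and max(hits)[2] == "included"

def can_read(cfg, version, community, name):
    """Simulate the agent's decision for a v1/v2c GET: community -> secName -> group -> access -> view.
    Community requests are always noAuthNoPriv, so the access line must accept level 'noauth'."""
    acc = cfg["access"].get(cfg["group"].get((version, cfg["com2sec"].get(community))))
    ok = acc is not None and acc["model"] in ("any", version) and acc["level"] == "noauth"
    return ok and acc["read"] != "none" and in_view(cfg, acc["read"], to_oid(name))
```

Running \texttt{can\_read(parse(SNMPD\_CONF), "v2c", "comm1", "IF-MIB::ifDescr.2")} returns \texttt{False}, which is why the agent answers ``No Such Object'' for that request in the answers below.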
Edit your login script:
\begin{alltt}
$ \textbf{emacs \(\sim\)/.bash_profile &}
\end{alltt}%$
and add the following two lines:
\begin{alltt}
export http_proxy=http://dproxy.vtc.edu.hk:8080/
PATH=$PATH:/sbin:/usr/sbin
\end{alltt}%$
and save (\key{Control-x}\key{Control-s}). Then exit
(\key{Control-x}\key{Control-c}). Finally \emph{source} your login script
with
\begin{alltt}
$ \textbf{. \(\sim\)/.bash_profile}
\end{alltt}%$
\begin{enumerate}
\item Install the updated software packages:
\begin{alltt}
$ \textbf{sudo yum install net-snmp\bs*}
\end{alltt}%$
  Actually, I think that it is probably best to apply \emph{all} the
  updates:
\begin{alltt}
$ \textbf{sudo yum -y update}
\end{alltt}%$
\item Edit the configuration for the \SNMP agent:
\begin{alltt}
$ \textbf{xhost +localhost}
$ \textbf{sudo -v}
$ \textbf{sudo emacs /etc/snmp/snmpd.conf &}
\end{alltt}%$
\begin{explanation}
  The first line allows users other than your own account (such as the
  user root) to display graphical objects on your local X server. The
  second line starts a new five-minute password-free period for
  \texttt{sudo}. If the five-minute period has expired, then the editor
  cannot start in the background; \texttt{sudo} will wait for you to bring
  it to the foreground by typing \texttt{fg}, so that you can enter your
  password. Typing \texttt{sudo -v} simply avoids this inconvenience.
\end{explanation}
\item Start the agent:
\begin{alltt}
$ \textbf{sudo /sbin/service snmpd start}
\end{alltt}%$
\item Enable the agent to always start when the computer boots:
\begin{alltt}
$ \textbf{sudo /sbin/chkconfig snmpd on}
$ \textbf{/sbin/chkconfig snmpd --list}
\end{alltt}
\begin{explanation}
  The first command ensures that the next time a computer boots from your
  hard disk, it will start the agent \texttt{snmpd} whenever it moves into
  runlevels 3, 4 or 5. The second command lists which runlevels
  \texttt{snmpd} will start at, to confirm to yourself that the previous
  command worked.
%% Note: you may wish to add the directories \texttt{/sbin} and
%% \texttt{/usr/sbin} to your \texttt{PATH} in your login script,
%% $\sim$\texttt{/.bash\_profile}. The line you would want to add
%% is:
%% \begin{verbatim}
%% export PATH=$PATH:/sbin:/usr/sbin
%% \end{verbatim}%$
\end{explanation}
\item Note that any time you change the configuration for the agent (by
  editing \texttt{/etc\allowbreak/snmp\allowbreak/snmpd.conf}), you will
  need to restart the agent to get it to read the new configuration with:
\begin{alltt}
$ \textbf{sudo /sbin/service snmpd restart}
\end{alltt}%$
\end{enumerate}

\subsection{How do I Tell If It Worked?}
\label{sec:how-tell-it-worked}
When you restart the agent, any \emph{syntax errors} will be shown in the
system logs. You should open another window and watch the logs with the
command:
\begin{alltt}
$ \textbf{sudo tail -f /var/log/messages}
\end{alltt}%$

\paragraph{How do you test your VACM Configuration?}
To test \emph{read-only access control}, use \texttt{snmpget},
\texttt{snmpgetnext} or \texttt{snmpbulkwalk} to access the variables
using the community string or \USM user that maps to the security name in
the group whose access you are controlling. To test \emph{read-write
  access control}, use \texttt{snmpset}. See \texttt{man snmpcmd} for
details about how to specify \USM usernames and keys for authentication
and ``privacy'' (encryption). See also
slide~\S\pageref{s3-sld:testing-usm-users} in the \SNMP{}v3 lecture notes
for examples of using \texttt{snmpget} on \USM accounts.

\section{Questions}
\label{sec:questions}
\newlength{\BW}
\setlength{\BW}{27mm}
Refer to my notes about \VACM and \USM.
\begin{enumerate}
\item Create two security names with different community strings using
  \texttt{com2sec} in your agent's configuration, in
  \texttt{/etc/snmp/snmpd.conf}.
\begin{biganswerbox}[\BW]%
\begin{solution}%
\begin{alltt}
com2sec usera default comm1
com2sec userb default comm2
\end{alltt}
\end{solution}
\end{biganswerbox}
\item \label{que:view}Create a view that includes all the 22 columns for
  the first network interface in the \texttt{ifTable} (i.e., from
  \texttt{IF-MIB::ifEntry.1} to \texttt{IF-MIB::ifSpecific.1}), and
  another view that includes all the 22 columns of the second network
  interface in the \texttt{ifTable} (i.e., from
  \texttt{IF-MIB::ifEntry.2} to \texttt{IF-MIB::ifSpecific.2}).
\begin{biganswerbox}[\BW]%
\begin{solution}%
\begin{alltt}
view view1 included IF-MIB::ifIndex.1 ff.a0
view view2 included IF-MIB::ifIndex.2 ff.a0
\end{alltt}
\end{solution}
\end{biganswerbox}
\item Create two groups that map the security names to each of the two
  access control entries in your agent's configuration, in
  \texttt{/etc/snmp/snmpd.conf}.
\begin{biganswerbox}[\BW]%
\begin{solution}%
\begin{alltt}
group groupa v1 usera
group groupa v2c usera
group groupb v1 userb
group groupb v2c userb
\end{alltt}
\end{solution}
\end{biganswerbox}
\item Implement read-only access for each of your two users to each of
  the two views you created earlier for question~\vref{que:view}.
\begin{biganswerbox}[\BW]%
\begin{solution}%
\begin{alltt}
access groupa "" any noauth exact view1 none none
access groupb "" any noauth exact view2 none none
\end{alltt}
\end{solution}
\end{biganswerbox}
\item Implement this and verify that the access control works. Write
  here how you verified that it works.
\begin{biganswerbox}[3.5\BW]%
\begin{solution}%
\begin{alltt}
$ \textbf{snmpget -v 2c -c comm1 localhost IF-MIB::ifDescr.1}
IF-MIB::ifDescr.1 = STRING: lo
$ \textbf{snmpget -v 2c -c comm1 localhost IF-MIB::ifDescr.2}
IF-MIB::ifDescr.2 = No Such Object available on this agent at this OID
$ \textbf{snmpget -v 2c -c comm2 localhost IF-MIB::ifDescr.1}
IF-MIB::ifDescr.1 = No Such Object available on this agent at this OID
$ \textbf{snmpget -v 2c -c comm2 localhost IF-MIB::ifDescr.2}
IF-MIB::ifDescr.2 = STRING: eth0
\end{alltt}
\end{solution}
\end{biganswerbox}
\clearpage
\item Now create two \USM users, and configure them so that access works
  to the two views you created. Comment out the \texttt{com2sec}
  mappings, so that only \USM access is permitted. Demonstrate that this
  works.
\begin{biganswerbox}[0.9\textheight]%
\begin{solution}%
\begin{itemize}
\item Just to be sure, we comment out the previous group mappings for
  the \texttt{v1} and \texttt{v2c} security models, and add group
  mappings only for our \USM users.
\begin{alltt}
# group groupa v1 usera
# group groupa v2c usera
group groupa usm usera
# group groupb v1 userb
# group groupb v2c userb
group groupb usm userb
\end{alltt}
\item Next, let us create two \USM user accounts:
\begin{alltt}
$ \textbf{sudo service snmpd stop}
$ \textbf{sudo net-snmp-config --create-snmpv3-user \bs
    -a "my_password1" usera}
adding the following line to /var/net-snmp/snmpd.conf:
createUser usera MD5 "my_password1" DES
adding the following line to /usr/share/snmp/snmpd.conf:
rwuser usera
$ \textbf{sudo net-snmp-config --create-snmpv3-user \bs
    -a "my_password2" userb}
adding the following line to /var/net-snmp/snmpd.conf:
createUser userb MD5 "my_password2" DES
adding the following line to /usr/share/snmp/snmpd.conf:
rwuser userb
\end{alltt}%$
\item Now delete the file \path{/usr/share/snmp/snmpd.conf} after
  verifying that it contains only the two \texttt{rwuser} lines, then
  start the agent again:
\begin{alltt}
$ \textbf{cat /usr/share/snmp/snmpd.conf}
rwuser usera
rwuser userb
$ \textbf{sudo rm /usr/share/snmp/snmpd.conf}
$ \textbf{sudo service snmpd start}
\end{alltt}%$
\item Now access your network interface information using each of these
  two users:
\begin{alltt}
$ \textbf{snmpget -v 3 -u usera -l authNoPriv -a MD5 \bs
    -A my_password1 localhost IF-MIB::ifDescr.1}
IF-MIB::ifDescr.1 = STRING: lo
$ \textbf{snmpget -v 3 -u usera -l authNoPriv -a MD5 \bs
    -A my_password1 localhost IF-MIB::ifDescr.2}
IF-MIB::ifDescr.2 = No Such Object available on this agent at this OID
\end{alltt}
\item Do the same for \texttt{userb}.
\end{itemize}
\end{solution}
\end{biganswerbox}
\end{enumerate}
\begin{solution}%
\begin{itemize}
\item Now test encryption:
\begin{alltt}
$ \textbf{snmpget -v 3 -u usera -l authPriv -a MD5 \bs
    -A my_password1 -x DES -X my_password1 localhost IF-MIB::ifDescr.1}
IF-MIB::ifDescr.1 = STRING: lo
$ \textbf{snmpget -v 3 -u usera -l authPriv -a MD5 \bs
    -A my_password1 -x DES -X my_password1 localhost IF-MIB::ifDescr.2}
IF-MIB::ifDescr.2 = No Such Object available on this agent at this OID
\end{alltt}
\item You could use \texttt{ethereal} to verify that the communication is
  encrypted. Do the same for \texttt{userb}. Experiment. Try entering the
  wrong password:
\begin{alltt}
$ \textbf{snmpget -v 3 -u usera -l authNoPriv -a MD5 \bs
    -A my_password14 localhost IF-MIB::ifDescr.1}
snmpget: Authentication failure (incorrect password, community or key)
\end{alltt}
\end{itemize}
\end{solution}
\end{document}