Configuring snmpv3 user

Hi

I'm struggling with configuring authentication for snmpd, mainly how to configure user access.

First I added the user by adding a line like this in /usr/lib/snmp/snmpd.conf

createUser myuser MD5 "pass123"

I think this was accepted because my requests went from Unknown user name to authorizationError (access denied to that object)

Now I think I'm supposed to add a line like this in /etc/snmp/snmpd.conf

rwuser myuser auth

But since this file is generated by uci I can't edit it and I can't find anywhere the uci commands to generate this configuration. I've been doing trial and error back and forth but nothing ever made it into snmpd.conf. I'm guessing there's a syntax check or something somewhere that would give me clues but I don't know where that is...

Currently I have this in /etc/config/snmpd, based on something I found on Google

config rwuser
	option username 'myuser'
	option securitylevel 'auth'
	option view 'all'

Ok I figured out how it works and the reason I'm not getting any rwuser entries is because my /etc/init.d/snmpd doesn't generate this config, and from the looks of it neither does https://github.com/openwrt/packages/blob/master/net/net-snmp/files/snmpd.init

Am I missing something or am I just the first person in the history of mankind to use this configuration? :slight_smile:

PS After adding a section like below (and a config_foreach snmpd_rwuser_add rwuser) I got it working

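# Emit one "rwuser" line per uci 'rwuser' section into the generated snmpd.conf.
snmpd_rwuser_add() {
        local cfg="$1"
        local rwuser='rwuser'
        local username securitylevel

        # Skip the section silently if either option is missing.
        config_get username "$cfg" username
        [ -n "$username" ] || return 0
        config_get securitylevel "$cfg" securitylevel
        [ -n "$securitylevel" ] || return 0
        echo "$rwuser $username $securitylevel" >> "$CONFIGFILE"
}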
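
A stricter variant of the generator above, as an added example that is not the poster's or the OpenWrt package's code: the hypothetical helpers `is_token` and `rwuser_line` validate the uci values before they reach snmpd.conf and also pass the `view` option through `-V`. It assumes a view with that name is defined elsewhere in the generated config, and it takes its values as arguments so it runs without OpenWrt's `config_get`.

```shell
#!/bin/sh
# Added example: build one snmpd.conf "rwuser" line from the uci options
# shown in the post (username, securitylevel, view).
# is_token and rwuser_line are hypothetical helpers; in the init script the
# arguments would come from config_get.

# is_token VALUE: succeed only for a non-empty value made of safe characters,
# so a uci value cannot carry spaces or newlines into snmpd.conf.
is_token() {
        case "$1" in
                ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        esac
        return 0
}

# rwuser_line USERNAME SECURITYLEVEL [VIEW]
# Prints the directive on stdout; returns 1 and prints nothing on bad input.
rwuser_line() {
        local username="$1"
        local securitylevel="$2"
        local view="$3"

        is_token "$username" || return 1
        # snmpd.conf expects noauth|auth|priv here, not the client-side names
        # (noAuthNoPriv, authNoPriv, authPriv) used with snmpget -l.
        case "$securitylevel" in
                noauth|auth|priv) ;;
                *) return 1 ;;
        esac
        if [ -n "$view" ]; then
                is_token "$view" || return 1
                # Assumption: a view with this name is defined elsewhere.
                echo "rwuser $username $securitylevel -V $view"
        else
                echo "rwuser $username $securitylevel"
        fi
}

# Constructed sample values matching the uci section in the post.
rwuser_line myuser auth all        # prints: rwuser myuser auth -V all
# A client-style level name is rejected instead of being written out.
rwuser_line myuser authNoPriv all || echo "rejected: bad securitylevel" >&2
```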

After years of configuring and using SNMP on devices at work my advice would be to only use SNMPv3 if you absolutely have to have encryption. It's buggy, difficult to configure and in 90% of applications offers little to no more functionality than v2. In an enterprise environment it's easier to run SNMP on a non-routed VLAN that's only accessible to privileged staff than to try and reliably run encryption on dumb devices such as UPS and PDU management cards.

Sorry that's no particular help to your specific problem, but hopefully the advice is useful generally :man_shrugging:t2:

Thanks, that's a neat idea and I'm sure your advice is useful generally, but in my case that decision is out of my hands, I have to go with SNMPv3 authentication. The "dumb device" in our case is OpenWrt so I hope we're good as soon as I got it configured right :slight_smile:

I figured out I can simply add the 'rwuser' line in /usr/lib/snmp/snmpd.conf instead. uci would actually have been better for us, but this is ok for now.

Did you still need to add the createUser line to the snmpd.conf or did you just need to add the rwuser to the snmpd.conf file?