Setting Up snmpv3

Hello,

I spent some time this past week setting up snmpv3 and now have it mostly working. I didn't find too much in the way of documentation or examples so I wanted to provide what I did in case it is helpful to others.

A couple of points:

The net-snmp snmpd packaged in the repository is built without openssl. This means the most secure mode you can use is authnoPriv, which gets you secure authentication but not encryption of the traffic.

Configuring snmpv3 users requires minor custom modifications. The modifications I am using below are inelegant but appear to get the job done. They will also require you to reapply them any time you update the package. If someone has a better way please let me know.

Modify /etc/init.d/snmpd adding the lines below:

   config_foreach snmpd_sink_add informsink informsink
   append_authtrapenable authtrapenable enable authtrapenable
   append_parm v1trapaddress host v1trapaddress
   append_parm trapsess trapsess trapsess

   # <begin added text>
   echo "" >> $CONFIGFILE
   echo "" >> $CONFIGFILE
   echo "createUser <username> MD5 \"<auth pw>\"" >> $CONFIG
   echo "rwuser <username>" >> $CONFIGFILE
   echo "" >> $CONFIGFILE
   echo "" >> $CONFIGFILE
   # <end added text>

   procd_set_param command $PROG -Lf /dev/null -f
   procd_set_param file $CONFIGFILE
   procd_set_param respawn

If you have a snmpd package that was built with openssl you can add the encryption password as shown below:

  echo "createUser <username> MD5 \"<auth pw>\" DES \"<encryption PW>\"" >> $CONFIGFILE

Below is an snmpwalk example that should work with the configuration above:

  snmpwalk -v3 -a MD5 -x DES -A <auth pw> -l authnoPriv -u <username> <ip or hostname> [<oid>]

or authPriv if you have an openssl snmpd package.

  snmpwalk -v3 -a MD5 -x DES -A <auth pw> -X <encryption pw> -l authPriv -u <username> <ip or hostname> [<oid>]

You should also look at removing or commenting out all of the snmpv1 and snmpv2c access in /etc/config/snmpd.

I ended up commenting out everything but the lines below:

  config agent
      option agentaddress 'UDP:1:161'

  . . .

  config system
      option sysLocation 'Our Home'
      option sysContact 'gjd.email@gmail.com'
      option sysName 'openwrt'

  . . .

  config engineid
      option engineidtype '3'
      option engineidnic 'eth0'

  config snmpd 'general'
      option enabled '1'

I am new to openwrt and don't have a great deal of experience with snmpv3 so if you know of a better way please post below.

Thanks,

digitalhack
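
A check for the result of the steps in the post above, as an added example that is not part of the original post: it reads a generated snmpd.conf on stdin and reports leftover v1/v2c community directives, users created with authentication only, and rouser/rwuser lines that name a user with no createUser line. The sample config and its user names are constructed, and the check assumes every user is created in the file being read.

```shell
#!/bin/sh
# Added example: audit an snmpd.conf read from stdin.
# Prints one finding per line; prints nothing when the file is clean.
audit_snmpd_conf() {
    awk '
        /^[ \t]*(#|$)/ { next }        # skip comments and blank lines
        { gsub(/"[^"]*"/, "PW") }      # mask quoted passphrases so fields split cleanly
        # Community-based directives are what grant SNMPv1/v2c access.
        $1 ~ /^(ro|rw)community6?$/ || $1 ~ /^com2sec6?$/ {
            print "v1v2c-access line " NR ": " $1
        }
        # createUser [-e ENGINEID] NAME AUTHPROTO PW [PRIVPROTO [PW]]
        $1 == "createUser" {
            u = ($2 == "-e") ? 4 : 2
            created[$u] = 1
            if ($(u + 1) == "")      print "no-auth line " NR ": " $u
            else if ($(u + 3) == "") print "auth-only line " NR ": " $u
        }
        # rouser/rwuser NAME [LEVEL]: remember which users are granted access.
        $1 == "rouser" || $1 == "rwuser" { granted[$2] = NR }
        END {
            for (name in granted)
                if (!(name in created))
                    print "unknown-user line " granted[name] ": " name
        }
    '
}

# Constructed sample config (not taken from a real device).
sample_conf() {
    cat <<'EOF'
agentaddress UDP:161
com2sec ro default public
rocommunity public default
createUser monitor MD5 "constructed auth pass"
createUser backup MD5 "constructed auth pass" DES "constructed priv pass"
rwuser monitbot
rouser backup priv
EOF
}

sample_conf | audit_snmpd_conf
```

To check a real device, pipe the config file that snmpd is actually started with into `audit_snmpd_conf`.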

Hi, I have the openwrt device too. When I modify my files as you describe above, I get "/etc/rc.common: line 1: can't create: nonexistent directory". What is it?

This line has been truncated:

echo "createUser <username> MD5 \"<auth pw>\"" >> $CONFIG

Try replacing it with:

echo "createUser <username> MD5 \"<auth pw>\"" >> $CONFIGFILE

Thanks, it works. But I get "Encryption support not enabled"... The device has DES. Do you know how I can use the encryption?

Sorry, I can’t help there. I use V2 for my purposes.