I spent some time this past week setting up snmpv3 and now have it mostly working. I didn't find too much in the way of documentation or examples so I wanted to provide what I did in case it is helpful to others.
A couple of points:
The net-snmp snmpd packaged in the repository is built without openssl. This means the most secure mode you can use is authnoPriv, which gets you secure authentication but not encryption of the traffic.
Configuring snmpv3 users requires minor custom modifications. The modifications I am using below are inelegant but appear to get the job done. They also will require you to reapply them anytime you update the package. If someone has a better way please let me know.
Modify /etc/init.d/snmpd adding the lines below:
config_foreach snmpd_sink_add informsink informsink
append_authtrapenable authtrapenable enable authtrapenable
append_parm v1trapaddress host v1trapaddress
append_parm trapsess trapsess trapsess
<begin added text>
echo "" >> $CONFIGFILE
echo "" >> $CONFIGFILE
echo "createUser <username> MD5 \"<auth pw>\"" >> $CONFIGFILE
echo "rwuser <username>" >> $CONFIGFILE
echo "" >> $CONFIGFILE
echo "" >> $CONFIGFILE
<end added text>
procd_set_param command $PROG -Lf /dev/null -f
procd_set_param file $CONFIGFILE
procd_set_param respawn
If you have a snmpd package that was built with openssl you can add the encryption password as shown below:
echo "createUser <username> MD5 \"<auth pw>\" DES \"<encryption PW>\"" >> $CONFIGFILE
Below is an snmpwalk example that should work with the configuration above:
snmpwalk -v3 -a MD5 -x DES -A <auth pw> -l authnoPriv -u <username> <ip or hostname> [<oid>]
or authPriv if you have an openssl snmpd package.
snmpwalk -v3 -a MD5 -x DES -A <auth pw> -X <encryption pw> -l authPriv -u <username> <ip or hostname> [<oid>]
You should also look at removing or commenting out all of the snmpv1 and snmpv2c access in /etc/config/snmpd.
I ended up commenting out everything but the lines below:
option agentaddress 'UDP:1:161'
. . .
option sysLocation 'Our Home'
option sysContact 'firstname.lastname@example.org'
option sysName 'openwrt'
. . .
option engineidtype '3'
option engineidnic 'eth0'
config snmpd 'general'
option enabled '1'
I am new to openwrt and don't have a great deal of experience with snmpv3 so if you know of a better way please post below.
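
As an added example (not part of the original post, and not the package's own code), the script below checks the snmpd.conf that the init script generates for leftover SNMPv1/v2c access and for SNMPv3 users that cannot encrypt. The function name, the sample users and the sample config are constructed for illustration; on a router, pass it the file that `$CONFIGFILE` points to.

```shell
#!/bin/sh
# Added example: audit a net-snmp snmpd.conf for leftover SNMPv1/v2c access
# and for SNMPv3 users without encryption. Exit status is 1 only for
# V1V2C/NOAUTH findings; NOPRIV and WEAK lines are notes.
# Findings never echo passphrases.

audit_snmpd_conf() {   # $1 = path to the generated snmpd.conf
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }             # skip comments and blank lines
    { gsub(/"[^"]*"/, "Q") }                      # mask quoted passphrases, re-split
    $1 ~ /^(ro|rw)community6?$/ || $1 ~ /^com2sec6?$/ {
        print "V1V2C line " NR ": " $1 " grants community-string access"; bad++; next }
    $1 == "group" && ($3 == "v1" || $3 == "v2c") {
        print "V1V2C line " NR ": group " $2 " uses security model " $3; bad++; next }
    $1 ~ /^(ro|rw)user$/ && $3 == "noauth" {
        print "NOAUTH line " NR ": " $2 " allowed without authentication"; bad++; next }
    $1 == "createUser" {
        i = ($2 == "-e") ? 4 : 2                  # optional "-e ENGINEID" prefix
        user = $i; auth = $(i + 1); priv = $(i + 3)
        if (priv == "") print "NOPRIV line " NR ": " user " has no privacy protocol (authNoPriv at best)"
        if (auth == "MD5") print "WEAK line " NR ": " user " authenticates with MD5"
        if (priv == "DES") print "WEAK line " NR ": " user " encrypts with DES"
    }
    END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample resembling a generated config with leftovers (not from the post).
sample_conf() {
cat <<'EOF'
agentaddress UDP:161
com2sec ro default public
group public v2c ro
# rocommunity public
createUser monitor MD5 "constructed auth pass"
rwuser monitor
createUser backup SHA "constructed auth pass" AES "constructed priv pass"
rouser backup priv
EOF
}

# Demo: audit the sample and report whether blocking findings remain.
tmp=$(mktemp) && sample_conf > "$tmp"
audit_snmpd_conf "$tmp" || echo "leftover v1/v2c or noauth access found"
rm -f "$tmp"
```
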