This is a discussion on Re: state of the trapd auth speech within the SNMP Coders forums, part of the Networking and Network Related category.
Wes Hardaker wrote:
>>>>>> On Mon, 24 Oct 2005 00:24:30 +0200, Thomas Anders <thomas.anders@blue-cable.de> said:
>
> Thomas> Is there a way to allow *all* SNMPv3/USM users to e.g.
> Thomas> "log,execute,net"? If there's not, then we'll effectively ruin
> Thomas> the advantages of snmptrapd usmUserTable management, won't we?
> Thomas> One can still add them on-the-fly, but not do anything with
> Thomas> them. :-(
>
> Correct. The VACM MIBs need extending to allow on the fly VACM
> management as well.

Eight months later we don't seem to be any closer to this. I still feel there's a large gap between "disableAuthorization yes" (== pre-5.3 default insecure behaviour) and this potential will-it-ever-happen per-user on-the-fly access control management.

How do people think about filling the gap with something reasonable? Without having looked into whether/how it could be done (yet), what about something along the lines of

    authuser * log,execute,net authNoPriv

(i.e. allow something for *all* SNMPv3/USM users)? Of course this should also cover USM users added via usmUserTable manipulations.

Comments?

+Thomas

--
Thomas Anders (thomas.anders at blue-cable.de)

_______________________________________________
Net-snmp-coders mailing list
Net-snmp-coders@lists.sourceforge.net
https://lists.sourceforge.net/lists/...et-snmp-coders
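The gap described in the message above can be made visible by auditing a snmptrapd.conf for USM users that exist but have no `authUser` line, and for `disableAuthorization yes`. This is an added example, not part of the original post or of Net-SNMP; the sample configuration and the `audit` helper are constructed for illustration, and it only sees `createUser` lines in the text it is given, not users added through usmUserTable at run time.

```python
import shlex

# Constructed sample snmptrapd.conf (user names and passphrases are made up).
SAMPLE_CONF = """\
# constructed example configuration
createUser -e 0x8000000001020304 alice SHA "alice-auth-pass" AES "alice-priv-pass"
createUser bob SHA "bob-auth-pass"
authUser log,execute,net alice authNoPriv
authCommunity log public
"""

def audit(conf_text):
    """Return (authorization_disabled, {user: set(types)}, [users lacking authUser])."""
    disabled = False
    created, authorized = [], {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)          # handles quoted passphrases
        directive, args = tok[0].lower(), tok[1:]
        if directive == "disableauthorization":
            # Form quoted in the post: "disableAuthorization yes"
            disabled = bool(args) and args[0].lower() == "yes"
        elif directive == "createuser":
            # createUser [-e ENGINEID] username (MD5|SHA) authpass [DES|AES] [privpass]
            if args[:1] == ["-e"]:
                args = args[2:]
            if args:
                created.append(args[0])
        elif directive == "authuser":
            # authUser TYPES [-s MODEL] USER [LEVEL [OID]]
            if len(args) >= 2:
                types, rest = args[0], args[1:]
                if rest[:1] == ["-s"]:
                    rest = rest[2:]
                if rest:
                    authorized.setdefault(rest[0], set()).update(types.split(","))
    # Users that can authenticate but whose traps will not be processed.
    unauthorized = [u for u in created if u not in authorized]
    return disabled, authorized, unauthorized

if __name__ == "__main__":
    disabled, authorized, unauthorized = audit(SAMPLE_CONF)
    print("authorization disabled:", disabled)
    print("authorized users:", authorized)
    print("USM users with no authUser entry:", unauthorized)
```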