This is a discussion on Denying v1 & v2c access to object/subtree? within the SNMP Users forums, part of the Networking and Network Related category.
From my reading of FAQs and old messages, it seems that what I want to do is possible. However, I have not figured it out yet.

From the FAQ:

    How do I configure access control?
    ---------------------------------

    The simplest way is to use the configure directives:

        rocommunity public    (for SNMPv1/2c)
        rwcommunity private
      or
        rouser user1          (for SNMPv3)
        rwuser user2

    These specify the community names or security names to accept for
    read-only and read-write access to the whole of the supported MIB tree.
    (Obviously you should change these names to match your requirements -
    which is a particularly good idea in the case of 'rwcommunity'!)

    [...]

    All four of these settings can also be restricted to particular
    subtrees, and/or request sources. See 'snmpd.conf(5)' for details.

    These directives are effectively wrappers round the core access control
    mechanism, which uses the four directives 'com2sec', 'group', 'view'
    and 'access' to provide a more efficient and flexible control over
    who can access which portions of the tree.

And from the snmpd.conf(5) man page:

    ## Net-SNMP default configuration
    com2sec public default public
    group public v1 public
    group public v2c public
    group public usm public
    view all included .1
    access public "" any noauth exact all none none

Based on this information and the descriptions of com2sec, group, view, and access in the man page and other resources I found, I figured I could put something like:

    view special excluded .1.3.6.1.4.1.253.8.53.5
    access public "" any noauth exact special special special

into snmpd.conf. If I then WALK 1.3.6.1.6.3 I can see entries for public and special, but there is no effect on accessing the MIB object.

Am I trying to do something that is not really possible? Or am I just missing something?
(The rest of this may be more appropriate on the coders list, but I figured I would keep it all together.)

Alternatively, I could do additional code work. Our extensions utilize the old API and only get the information as defined in the FindVarMethod function typedef. After a cursory investigation, it looks like the new API would provide me with a netsnmp_pdu object which contains the snmp_version field from which I will know if the request was made using v1, v2c, or v3 protocol. I could then return an error for the v1 and v2c calls and process the v3 calls. Is this correct?

The only question then left is verifying that the v3 request was actually made with both authentication and encryption. I assume this can be done with users and views as well, but is there something in the structure that I did not see that would indicate this information?

Thanks, so very much!

Tim D. Hammer
Software Developer
Xerox Corporation
250 CrossKeys Office Park, M/S 0820-03F
Fairport, NY 14450
Phone: 585/425-6781 Internal: 8*225-6781
Fax: 585/425-6351
Tim.Hammer@xerox.com

XEROX Technology. Document Management. Consulting Services
www.xerox.com

This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient(s) please contact the sender by reply e-mail and destroy all copies of the original message. Thank you.
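The policy the post is after, written with the four core VACM directives, as an added example that is not from the post or from the Net-SNMP documentation: the v1/v2c community group gets a view that includes the whole tree but excludes the subtree, and a USM group is granted the full tree only at the priv security level, which is how the agent itself enforces that a v3 request was both authenticated and encrypted. The community, user, passphrases, and group/view names are constructed placeholders; the excluded OID is the one from the post.

```conf
# Constructed snmpd.conf fragment (not from the post). Placeholder names and
# passphrases; replace before use. The excluded OID is the one from the post.

# Map the v1/v2c community to a security name, then into one group.
com2sec  v12c_sec   default   public
group    v12c_grp   v1        v12c_sec
group    v12c_grp   v2c       v12c_sec

# A USM (v3) user with both an auth and a priv key, in its own group.
# createUser is consumed at startup and moved into the persistent config.
createUser  v3user  SHA  "auth-passphrase-here"  AES  "priv-passphrase-here"
group       v3_grp  usm  v3user

# Views: a view needs an 'included' line; an 'excluded' line on its own
# describes a view that contains nothing.
view  restricted  included  .1
view  restricted  excluded  .1.3.6.1.4.1.253.8.53.5
view  full        included  .1

# Community group: read-only, whole tree minus the subtree.
access  v12c_grp  ""  any  noauth  exact  restricted  none  none

# v3 group: full tree, but only when the request arrived as authPriv.
# A noAuthNoPriv or authNoPriv request from this user is denied, because
# the only access line for the group requires the 'priv' level.
access  v3_grp    ""  usm  priv    exact  full        full  none
```

With this in place, snmpwalk with the community sees everything except the subtree, while the same walk as v3user with -l authPriv returns the subtree as well.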