Re: How to deny access from only some hosts using vacm

On 07/01/2008, arijit <parijip@yahoo.com> wrote:
> However, snmpd.conf does allow as part of com2sec specification ip address of
> hosts (subnets) from which to allow accesses in addition to the groupname.
> I was wondering, if net-snmp already implements this, if the other option of
> not allowing access from certain hosts is already there - undocumented!

No. Mike is quite correct - it is not possible to implement host-specific SNMPv3 access control.

The community-based host filtering is done at an earlier conceptual stage, as part of turning the community string into an (internal) security name. The VACM MIB works with this security name, and does not take any notice of the source of the request. That's inherent in the design of this MIB - there's no hook for including such source information.

The only other option would be to use the /etc/hosts.{allow,deny} mechanism, which can be used to accept/block requests based on their source. But that would work *purely* on the source - you couldn't reject requests with one (valid) SNMPv3 user from a given system, while accepting requests with a different SNMPv3 user.

Dave
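
The two stages described in the reply above, as a simplified Python model (an added example, not part of the original post and not net-snmp's own code). The configuration fragment, names, community string and addresses are constructed; the model assumes the USM user has already authenticated and handles only numeric `com2sec` sources or `default`.

```python
import ipaddress

# Constructed snmpd.conf fragment (all names and values are made up).
SNMPD_CONF = """
com2sec  mgmtnet   192.0.2.0/24  s3cret   # v1/v2c: source + community -> secname
group    opsgroup  v2c  mgmtnet
group    opsgroup  usm  alice             # SNMPv3 user, no source field available
"""

def parse(conf):
    """Collect com2sec rows (in file order) and group rows from the fragment."""
    com2sec, groups = [], {}
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) != 4:
            continue
        if tok[0] == "com2sec":
            net = None if tok[2] == "default" else ipaddress.ip_network(tok[2], strict=False)
            com2sec.append((tok[1], net, tok[3]))
        elif tok[0] == "group":
            groups[(tok[2], tok[3])] = tok[1]   # (security model, secname) -> group
    return com2sec, groups

def security_name(com2sec, source_ip, community):
    """Stage 1, community-based models only: first source+community match wins."""
    addr = ipaddress.ip_address(source_ip)
    for name, net, comm in com2sec:
        if comm == community and (net is None or addr in net):
            return name
    return None

def vacm_group(groups, sec_model, sec_name):
    """Stage 2, VACM: keyed on model and security name; the source is not an input."""
    return groups.get((sec_model, sec_name))

def resolve(conf, source_ip, sec_model, credential):
    """Return the VACM group a request maps to, or None if it maps to nothing."""
    com2sec, groups = parse(conf)
    if sec_model in ("v1", "v2c"):
        sec_name = security_name(com2sec, source_ip, credential)
    else:
        sec_name = credential  # usm: user name is the security name; source_ip unused
    return vacm_group(groups, sec_model, sec_name) if sec_name else None
```

The source address only influences the result on the community path; for `usm` the same user maps to the same group from any address, which is why per-host filtering for SNMPv3 users has to happen outside VACM.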