Hi,
I recently set up another host. This time using SNMPv3.
addhost.php worked fine and both Auth and Priv passed. discovery.php can't discover the host. poller.php can't poll the host.
via snmpget I get responces to sysUpTime.0 but not to .1, .0, ...
The snmpd.conf should grand the user full Readonly rights as I didn't specify any SubID to the user.
Is this known? Is there a way around? Is there any example of a working snmpv3-only setup?
Best regards,
Daniel Preussker
[ Security Consultant, Network & Protocol Security and Cryptography [ LPI & Novell Certified Linux Engineer and Researcher [ +49 178 600 96 30 [ Daniel@Preussker.Net [ http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x87E736968E490AA1
On 2013-07-18 10:05, Daniel Preussker wrote:
Hi,
I recently set up another host. This time using SNMPv3.
addhost.php worked fine and both Auth and Priv passed. discovery.php can't discover the host. poller.php can't poll the host.
via snmpget I get responces to sysUpTime.0 but not to .1, .0, ...
The snmpd.conf should grand the user full Readonly rights as I didn't specify any SubID to the user.
Is this known? Is there a way around? Is there any example of a working snmpv3-only setup?
SNMPv3. Not even once.
adam.
haha adam,
also I just found 2(maybe more to come?) bugs in addhost.php and discovery/poller/backend(?).
1) Input is not stripped properly in addhost.php If I add a passphrase containing a '$'-char, it's taken as variable in PHP and it will try to substitute it (mostly to a blank string unless you hit an existing (internal) var)
2) Passphrases are chopped! I saw in the discovery debug output that all passphrases are chopped so (ofc) my snmpv3 auth-fails... I'm not sure where this happens though, addhost.php works fine using the entire passphrases...
Best regards,
Daniel Preussker
[ Security Consultant, Network & Protocol Security and Cryptography [ LPI & Novell Certified Linux Engineer and Researcher [ +49 178 600 96 30 [ Daniel@Preussker.Net [ http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x87E736968E490AA1
On 18.07.2013, at 10:08, Adam Armstrong wrote:
On 2013-07-18 10:05, Daniel Preussker wrote:
Hi, I recently set up another host. This time using SNMPv3. addhost.php worked fine and both Auth and Priv passed. discovery.php can't discover the host. poller.php can't poll the host. via snmpget I get responces to sysUpTime.0 but not to .1, .0, ... The snmpd.conf should grand the user full Readonly rights as I didn't specify any SubID to the user. Is this known? Is there a way around? Is there any example of a working snmpv3-only setup?
SNMPv3. Not even once.
adam. _______________________________________________ observium mailing list observium@observium.org http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
On 07/18/2013 10:14 AM, Daniel Preussker wrote:
haha adam,
also I just found 2(maybe more to come?) bugs in addhost.php and discovery/poller/backend(?).
- Input is not stripped properly in addhost.php If I add a passphrase containing a '$'-char, it's taken as variable in PHP and it will try to substitute it (mostly to a blank string unless you hit an existing (internal) var)
I'm pretty sure you're not quoting it, and it gets interpreted by bash before even reaching PHP.
- Passphrases are chopped! I saw in the discovery debug output that all passphrases are chopped so (ofc) my snmpv3 auth-fails... I'm not sure where this happens though, addhost.php works fine using the entire passphrases...
Our DB field is probably too short, which means addhost uses its internal variable everywhere, and that works, but then it doesn't get stored correctly, leading to nonworking poll/disco.
Tom
On 18.07.2013 12:14, Daniel Preussker wrote:
haha adam,
also I just found 2(maybe more to come?) bugs in addhost.php and discovery/poller/backend(?).
You are a genius. But sorry, we do not award the prizes.
- Input is not stripped properly in addhost.php If I add a passphrase containing a '$'-char, it's taken as variable in PHP and it will try to substitute it (mostly to a blank string unless you hit an existing (internal) var)
It's not PHP, it's shell. Use quotes for passwords and keys in command line!
- Passphrases are chopped! I saw in the discovery debug output that all passphrases are chopped so (ofc) my snmpv3 auth-fails... I'm not sure where this happens though, addhost.php works fine using the entire passphrases...
Best regards,
Daniel Preussker
[ Security Consultant, Network & Protocol Security and Cryptography [ LPI & Novell Certified Linux Engineer and Researcher [ +49 178 600 96 30 [ Daniel@Preussker.Net [ http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x87E736968E490AA1
On 18.07.2013, at 10:08, Adam Armstrong wrote:
On 2013-07-18 10:05, Daniel Preussker wrote:
Hi, I recently set up another host. This time using SNMPv3. addhost.php worked fine and both Auth and Priv passed. discovery.php can't discover the host. poller.php can't poll the host. via snmpget I get responces to sysUpTime.0 but not to .1, .0, ... The snmpd.conf should grand the user full Readonly rights as I didn't specify any SubID to the user. Is this known? Is there a way around? Is there any example of a working snmpv3-only setup?
SNMPv3. Not even once.
adam. _______________________________________________ observium mailing list observium@observium.org http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
observium mailing list observium@observium.org http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
Guy if it were the shell, addhost would FAIL. but it SUCCESS - what FAILS is discovery and polling - so it's not the shell (also shell doesnt care about single/strong quoted $....)
Daniel Preussker
[ Security Consultant, Network & Protocol Security and Cryptography [ LPI & Novell Certified Linux Engineer and Researcher [ +49 178 600 96 30 [ Daniel@Preussker.Net [ http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x87E736968E490AA1
On 18.07.2013, at 10:25, Mike Stupalov wrote:
On 18.07.2013 12:14, Daniel Preussker wrote:
haha adam,
also I just found 2(maybe more to come?) bugs in addhost.php and discovery/poller/backend(?).
You are a genius. But sorry, we do not award the prizes.
- Input is not stripped properly in addhost.php If I add a passphrase containing a '$'-char, it's taken as variable in PHP and it will try to substitute it (mostly to a blank string unless you hit an existing (internal) var)
It's not PHP, it's shell. Use quotes for passwords and keys in command line!
- Passphrases are chopped! I saw in the discovery debug output that all passphrases are chopped so (ofc) my snmpv3 auth-fails... I'm not sure where this happens though, addhost.php works fine using the entire passphrases...
Best regards,
Daniel Preussker
[ Security Consultant, Network & Protocol Security and Cryptography [ LPI & Novell Certified Linux Engineer and Researcher [ +49 178 600 96 30 [ Daniel@Preussker.Net [ http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x87E736968E490AA1
On 18.07.2013, at 10:08, Adam Armstrong wrote:
On 2013-07-18 10:05, Daniel Preussker wrote:
Hi, I recently set up another host. This time using SNMPv3. addhost.php worked fine and both Auth and Priv passed. discovery.php can't discover the host. poller.php can't poll the host. via snmpget I get responces to sysUpTime.0 but not to .1, .0, ... The snmpd.conf should grand the user full Readonly rights as I didn't specify any SubID to the user. Is this known? Is there a way around? Is there any example of a working snmpv3-only setup?
SNMPv3. Not even once.
adam. _______________________________________________ observium mailing list observium@observium.org http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
observium mailing list observium@observium.org http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
-- Mike Stupalov
observium mailing list observium@observium.org http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
On 18.07.2013 12:05, Daniel Preussker wrote:
Hi,
I recently set up another host. This time using SNMPv3.
addhost.php worked fine and both Auth and Priv passed. discovery.php can't discover the host. poller.php can't poll the host.
Pastebin (or attach) debug output for discovery
./discovery.php -d -h <yourhost>
and write command how you add host (replace key and password with asterisk if need).
via snmpget I get responces to sysUpTime.0 but not to .1, .0, ...
The snmpd.conf should grand the user full Readonly rights as I didn't specify any SubID to the user.
Is this known? Is there a way around? Is there any example of a working snmpv3-only setup?
I have snmp3 only setup, all works fine :)
Best regards,
Daniel Preussker
[ Security Consultant, Network & Protocol Security and Cryptography [ LPI & Novell Certified Linux Engineer and Researcher [ +49 178 600 96 30 [ Daniel@Preussker.Net [ http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x87E736968E490AA1
observium mailing list observium@observium.org http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
via snmpget I get responces to sysUpTime.0 but not to .1, .0, ...
The snmpd.conf should grand the user full Readonly rights as I didn't specify any SubID to the user.
Is this known? Is there a way around? Is there any example of a working snmpv3-only setup?
I have snmp3 only setup, all works fine :)
Crazy fucking Russians :)
adam.
Okay Mystery solved!
SNMPv3 works great, just had to chop the passphrases like observium did.
Adam, do you mind checking what's chopping the passphrases? It happens at the Auth and Priv passphrase, both are chopped to 65 chars sharp.
Thanks a lot,
Daniel Preussker
[ Security Consultant, Network & Protocol Security and Cryptography [ LPI & Novell Certified Linux Engineer and Researcher [ +49 178 600 96 30 [ Daniel@Preussker.Net [ http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x87E736968E490AA1
On 18.07.2013, at 10:15, Adam Armstrong wrote:
via snmpget I get responces to sysUpTime.0 but not to .1, .0, ... The snmpd.conf should grand the user full Readonly rights as I didn't specify any SubID to the user. Is this known? Is there a way around? Is there any example of a working snmpv3-only setup? I have snmp3 only setup, all works fine :)
Crazy fucking Russians :)
adam. _______________________________________________ observium mailing list observium@observium.org http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
On 2013-07-18 10:20, Daniel Preussker wrote:
Okay Mystery solved!
SNMPv3 works great, just had to chop the passphrases like observium did.
Adam, do you mind checking what's chopping the passphrases? It happens at the Auth and Priv passphrase, both are chopped to 65 chars sharp.
http://alpha.memetic.org/~adama/snaps/9pu96ipk36.png
:D
Allright, so no big deal widen up the pwd then :)
Would the update-mech fail if I alter the table and resize the passphrase-fields?
Daniel Preussker
[ Security Consultant, Network & Protocol Security and Cryptography [ LPI & Novell Certified Linux Engineer and Researcher [ +49 178 600 96 30 [ Daniel@Preussker.Net [ http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x87E736968E490AA1
On 18.07.2013, at 10:33, Adam Armstrong wrote:
On 2013-07-18 10:20, Daniel Preussker wrote:
Okay Mystery solved! SNMPv3 works great, just had to chop the passphrases like observium did. Adam, do you mind checking what's chopping the passphrases? It happens at the Auth and Priv passphrase, both are chopped to 65 chars sharp.
http://alpha.memetic.org/~adama/snaps/9pu96ipk36.png
:D _______________________________________________ observium mailing list observium@observium.org http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
On 18.07.2013 12:33, Adam Armstrong wrote:
On 2013-07-18 10:20, Daniel Preussker wrote:
Okay Mystery solved!
SNMPv3 works great, just had to chop the passphrases like observium did.
Adam, do you mind checking what's chopping the passphrases? It happens at the Auth and Priv passphrase, both are chopped to 65 chars sharp.
http://alpha.memetic.org/~adama/snaps/9pu96ipk36.png
:D
and net-snmp use max len for passwords - 10 chars:
#define USM_AUTH_PROTO_NOAUTH_LEN 10 #define USM_AUTH_PROTO_MD5_LEN 10 #define USM_AUTH_PROTO_SHA_LEN 10 #define USM_PRIV_PROTO_NOPRIV_LEN 10 #define USM_PRIV_PROTO_DES_LEN 10 #define USM_PRIV_PROTO_AES_LEN 10 #define USM_PRIV_PROTO_AES128_LEN 10 /* backwards compat */
(from net-snmp/include/net-snmp/library/transform_oids.h)
observium mailing list observium@observium.org http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
participants (4)
-
Adam Armstrong -
Daniel Preussker -
Mike Stupalov -
Tom Laermans