
List:       net-snmp-bugs
Subject:    [ net-snmp-Bugs-1427410 ] trapsess SNMPv3 sends wrong engineId
From:       "SourceForge.net" <noreply () sourceforge ! net>
Date:       2006-09-12 17:33:30
Message-ID: E1GNC8Y-0003r0-W3 () sc8-sf-web2 ! sourceforge ! net

Bugs item #1427410, was opened at 2006-02-08 11:36
Message generated for change (Comment added) made by dts12
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=112694&aid=1427410&group_id=12694

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: agent
Group: traps
>Status: Closed
>Resolution: Fixed
Priority: 5
Submitted By: Birgit Arkesteijn (birgita)
Assigned to: Nobody/Anonymous (nobody)
Summary: trapsess SNMPv3 sends wrong engineId

Initial Comment:
I'm running NET-SNMP version 5.3.0.1 on Linux RedHat 7.2.

I'm listening for v3 authentication failure traps (not
informs), generated by the net-snmp engine.
*** snmpd.conf:
authtrapenable 1
trapsess -v 3 -l noAuthNoPriv -u noAuthUser <host>:162

I receive the PDU fine, but I noticed that the trap
doesn't have the correct authoritative engine ID,
engine boots and engine time;
- authoritative engine ID: null (or empty),
- engine boots: 0,
- engine time: 0


From the snmpd.log, it seems that the engine tries to
find the usm details for user 'noAuthUser' and fails.
(That figures, since I don't set the -e & -Z flags in
snmpd.conf.)

*** snmpd.log:
trace: usm_get_user(): snmpusm.c, 2982:
usm: getting user noAuthUser
trace: usm_get_user_from_list(): snmpusm.c, 2998:
usm: match on user noAuthUser
trace: usm_get_user_from_list(): snmpusm.c, 3004:
usm: no match on engineID ()
trace: usm_rgenerate_out_msg(): snmpusm.c, 1470:
usm: Failed to find engine data.

However, when sending traps in SNMPv3, the engine
should act as an authoritative engine and should
therefore send its own (!) authoritative engine ID,
engine boots and engine time, and not the usm
parameters of the other party.


The problem gets worse when sending authenticated
traps, because the net-snmp engine cannot find the
user's usm details and fails to send the trap altogether.

**** /etc/snmp/snmpd.conf:
authtrapenable 1
trapsess -v 3 -l authNoPriv -u authUser -a MD5 -A AuthPassword <host>:162

(Please note that I did add user 'authUser' to
/var/net-snmp/snmpd.conf, using the 'createUser'
statement. I can successfully send SNMPv3 requests.)

Configuring (using snmpusm) the details of 'authUser'
off <host> will not help;

In that case, net-snmp would send the authentication
and timeliness parameters of <host> and not its own.
Therefore the trap would be discarded by <host> as not
being authentic.

Thanks, Birgit

----------------------------------------------------------------------

Comment By: Dave Shield (dts12)
Date: 2006-09-12 18:33

Message:
Thanks for the bug report!  We've fixed the problem in the
main development tree, so it should be fixed in the 5.4 release
of the net-snmp package.

----------------------------------------------------------------------
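
The symptom described in the report (empty authoritative engine ID, engine boots 0, engine time 0) can be checked on the trap receiver by decoding the USM header of the incoming SNMPv3 message. The following is an added example, not part of the original thread and not net-snmp code; the function names and both sample messages (including the engine ID value and the empty placeholder msgData) are constructed for illustration.

```python
def tlv(buf, pos):
    """Read one BER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def usm_header(msg):
    """Extract the USM engine ID, boots, time and user name from an SNMPv3 message."""
    _, body, _ = tlv(msg, 0)                 # SNMPv3Message SEQUENCE
    _, version, pos = tlv(body, 0)           # msgVersion
    if int.from_bytes(version, "big") != 3:
        raise ValueError("not an SNMPv3 message")
    _, _, pos = tlv(body, pos)               # msgGlobalData, skipped
    _, sec, _ = tlv(body, pos)               # msgSecurityParameters (OCTET STRING)
    _, usm, _ = tlv(sec, 0)                  # UsmSecurityParameters SEQUENCE
    vals, pos = [], 0
    for _field in range(4):                  # engineID, boots, time, userName
        _, val, pos = tlv(usm, pos)
        vals.append(val)
    return {"engine_id": vals[0].hex(),
            "boots": int.from_bytes(vals[1], "big", signed=True),
            "time": int.from_bytes(vals[2], "big", signed=True),
            "user": vals[3].decode("ascii", "replace")}

def trap_findings(msg):
    """Return the symptoms from the report that this message shows."""
    hdr, found = usm_header(msg), []
    if not hdr["engine_id"]:
        found.append("empty msgAuthoritativeEngineID")
    if hdr["boots"] == 0 and hdr["time"] == 0:
        found.append("engine boots and engine time both 0")
    return found

def enc(tag, val):                           # short-form TLV, enough for the samples
    return bytes([tag, len(val)]) + val
def sample(engine_id, boots, etime):         # constructed message, empty placeholder msgData
    usm = enc(0x30, enc(4, engine_id) + enc(2, boots) + enc(2, etime)
              + enc(4, b"noAuthUser") + enc(4, b"") + enc(4, b""))
    glob = enc(0x30, enc(2, b"\x01") + enc(2, b"\x05\xdc") + enc(4, b"\x00") + enc(2, b"\x03"))
    return enc(0x30, enc(2, b"\x03") + glob + enc(4, usm) + enc(0x30, b""))

BAD = sample(b"", b"\x00", b"\x00")          # the header values the report describes
GOOD = sample(bytes.fromhex("80001f8880a1b2c3d4"), b"\x02", b"\x01\x2c")  # constructed values
```

`trap_findings(BAD)` lists both symptoms, while `trap_findings(GOOD)` returns an empty list.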
