[erlang-questions] SNMP decryption with SHA auth and DES privacy
Scott Lystig Fritchie
fritchie@REDACTED
Sun Mar 25 06:36:05 CEST 2007
Hi, all. I hope very, very few of you are working on crypto things
this weekend. :-)
I've stumbled upon a problem that appears to be very similar to one
reported in November 2005 by Magnus Fröberg(*). However, my problem
appears to be with SHA authentication and DES privacy on a Linux box
with Erlang/OTP release R11B-3.
I have two entries in usm.conf that are nearly identical (see below).
* MD5 auth + DES privacy for "superuser" works just fine.
* MD5 auth + no privacy for "superuser-sha" works just fine.
* SHA auth + DES privacy for "superuser-sha" gives this very
repeatable error:
"snmpget: Decryption error"
I'm quite puzzled. It looks like Magnus's fix is not-quite-verbatim
applied to R11B-3. I guess I can try experimenting a bit on Sunday,
after a bit of sleep to clear my eyes. I've included a
{net_if, debug} trace of all three operations.
-Scott
(*) http://www.erlang.org/ml-archive/erlang-questions/200511/msg00317.html
--- snip --- snip --- snip --- snip --- snip --- snip ---
%% To reproduce:
snmpget -v 3 -u superuser -a MD5 -A authphrase -e 656e67696e656130 \
-l authPriv -x DES -X privphrase localhost:55161 sysDescr.0
echo ""
sleep 5
snmpget -v 3 -u superuser-sha -a SHA -A shaphrase -e 656e67696e656130 \
-l authNoPriv -x DES -X privphrase localhost:55161 sysDescr.0
echo ""
sleep 5
snmpget -v 3 -u superuser-sha -a SHA -A shaphrase -e 656e67696e656130 \
-l authPriv -x DES -X privphrase localhost:55161 sysDescr.0
%% Output:
SNMPv2-MIB::sysDescr.0 = STRING: You found the description.
SNMPv2-MIB::sysDescr.0 = STRING: You found the description.
snmpget: Decryption error
--- snip --- snip --- snip --- snip --- snip --- snip ---
%% usm.conf entries
%% authphrase, privphrase
{"enginea0", "superuser", "superuser", zeroDotZero,
usmHMACMD5AuthProtocol, "", "",
usmDESPrivProtocol, "", "", "",
[201,30,3,40,187,111,176,54,115,130,133,102,206,102,95,204],
[177,119,145,118,201,81,4,153,176,177,63,200,186,208,118,129]
}.
%% shaphrase, privphrase
{"enginea0", "superuser-sha", "superuser-sha", zeroDotZero,
usmHMACSHAAuthProtocol, "", "",
usmDESPrivProtocol, "", "", "",
[112,106,201,117,200,192,230,137,68,190,22,79,233,209,95,141,121,43,89,119],
[177,119,145,118,201,81,4,153,176,177,63,200,186,208,118,129]
}.
--- snip --- snip --- snip --- snip --- snip --- snip ---
*** [2007:03:25 04:16:26 4137] SNMP A-NET-IF LOG ***
got paket from {127,0,0,1}:33978
*** [2007:03:25 04:16:26 4154] SNMP A-NET-IF MPD LOG ***
v3, msgID: 302068428, msgFlags: [7], msgSecModel: 3
*** [2007:03:25 04:16:26 4154] SNMP A-NET-IF MPD DEBUG ***
version 3 message header:
msgID = 302068428
msgMaxSize = 65507
msgFlags = [7]
msgSecurityModel = 3
msgSecurityParameters = [48,51,4,8,101,110,103,105,110,101,97,48,2,1,0,2,1,0,4,9,115,117,112,101,114,117,115,101,114,4,12,208,90,139,40,212,188,229,5,174,170,107,38,4,8,0,0,0,1,158,43,145,217]
*** [2007:03:25 04:16:26 4165] SNMP A-NET-IF A-USM LOG ***
authEngineID: "enginea0", userName: "superuser"
*** [2007:03:25 04:16:26 4176] SNMP A-NET-IF A-USM INFO ***
NOT in time window:
SecName: "superuser"
SnmpEngineBoots: 1
MsgAuthEngineBoots: 0
SnmpEngineTime: 5
MsgAuthEngineTime: 0
*** [2007:03:25 04:16:26 4189] SNMP A-NET-IF MPD DEBUG ***
security module result when reportable [7.2.6-a]:
Reason: usmStatsNotInTimeWindows
ErrorInfo: {{varbind,[1,3,6,1,6,3,15,1,1,2,0],'Counter32',1,undefined},
"superuser",
[{securityLevel,1}]}
*** [2007:03:25 04:16:26 4198] SNMP A-NET-IF LOG ***
sending report for reason:
{securityError,usmStatsNotInTimeWindows}
*** [2007:03:25 04:16:26 4208] SNMP A-NET-IF LOG ***
got paket from {127,0,0,1}:33978
*** [2007:03:25 04:16:26 4208] SNMP A-NET-IF MPD LOG ***
v3, msgID: 302068429, msgFlags: [7], msgSecModel: 3
*** [2007:03:25 04:16:26 4208] SNMP A-NET-IF MPD DEBUG ***
version 3 message header:
msgID = 302068429
msgMaxSize = 65507
msgFlags = [7]
msgSecurityModel = 3
msgSecurityParameters = [48,51,4,8,101,110,103,105,110,101,97,48,2,1,1,2,1,5,4,9,115,117,112,101,114,117,115,101,114,4,12,204,112,230,199,103,68,61,31,49,251,137,150,4,8,0,0,0,1,158,43,145,218]
*** [2007:03:25 04:16:26 4209] SNMP A-NET-IF A-USM LOG ***
authEngineID: "enginea0", userName: "superuser"
*** [2007:03:25 04:16:26 4222] SNMP A-NET-IF MPD LOG ***
contextEngineID: "enginea0", context: ""
*** [2007:03:25 04:16:26 4235] SNMP A-NET-IF MPD DEBUG ***
PDU type: 'get-request'
*** [2007:03:25 04:16:26 4244] SNMP A-NET-IF LOG ***
got pdu
{pdu,'get-request',838136151,noError,0,[{varbind,[1,3,6,1,2,1,1,1,0],'NULL','NULL',1}]}
*** [2007:03:25 04:16:26 4274] SNMP A-NET-IF LOG ***
reply pdu:
{pdu,'get-response',838136151,noError,0,[{varbind,[1,3,6,1,2,1,1,1,0],'OCTET STRING',[71,101,109,105,110,105,32,77,111,98,105,108,101,32,84,101,99,104,110,111,108,111,103,105,101,115,32,77,77,83,71,32,83,78,77,80,32,65,103,101,110,116],1}]}
*** [2007:03:25 04:16:26 4282] SNMP A-NET-IF INFO ***
time in agent: 73850 mysec
(gmt_snmpa_dev@REDACTED)1>
*** [2007:03:25 04:16:31 4451] SNMP A-NET-IF LOG ***
got paket from {127,0,0,1}:33978
*** [2007:03:25 04:16:31 4452] SNMP A-NET-IF MPD LOG ***
v3, msgID: 1751779636, msgFlags: [5], msgSecModel: 3
*** [2007:03:25 04:16:31 4452] SNMP A-NET-IF MPD DEBUG ***
version 3 message header:
msgID = 1751779636
msgMaxSize = 65507
msgFlags = [5]
msgSecurityModel = 3
msgSecurityParameters = [48,47,4,8,101,110,103,105,110,101,97,48,2,1,0,2,1,0,4,13,115,117,112,101,114,117,115,101,114,45,115,104,97,4,12,18,222,3,95,162,234,24,13,151,130,210,188,4,0]
*** [2007:03:25 04:16:31 4452] SNMP A-NET-IF A-USM LOG ***
authEngineID: "enginea0", userName: "superuser-sha"
*** [2007:03:25 04:16:31 4460] SNMP A-NET-IF A-USM INFO ***
NOT in time window:
SecName: "superuser-sha"
SnmpEngineBoots: 1
MsgAuthEngineBoots: 0
SnmpEngineTime: 10
MsgAuthEngineTime: 0
*** [2007:03:25 04:16:31 4461] SNMP A-NET-IF MPD DEBUG ***
security module result when reportable [7.2.6-a]:
Reason: usmStatsNotInTimeWindows
ErrorInfo: {{varbind,[1,3,6,1,6,3,15,1,1,2,0],'Counter32',2,undefined},
"superuser-sha",
[{securityLevel,1}]}
*** [2007:03:25 04:16:31 4468] SNMP A-NET-IF LOG ***
sending report for reason:
{securityError,usmStatsNotInTimeWindows}
*** [2007:03:25 04:16:31 4473] SNMP A-NET-IF LOG ***
got paket from {127,0,0,1}:33978
*** [2007:03:25 04:16:31 4473] SNMP A-NET-IF MPD LOG ***
v3, msgID: 1751779637, msgFlags: [5], msgSecModel: 3
*** [2007:03:25 04:16:31 4474] SNMP A-NET-IF MPD DEBUG ***
version 3 message header:
msgID = 1751779637
msgMaxSize = 65507
msgFlags = [5]
msgSecurityModel = 3
msgSecurityParameters = [48,47,4,8,101,110,103,105,110,101,97,48,2,1,1,2,1,10,4,13,115,117,112,101,114,117,115,101,114,45,115,104,97,4,12,214,42,129,241,26,215,5,67,103,122,118,14,4,0]
*** [2007:03:25 04:16:31 4474] SNMP A-NET-IF A-USM LOG ***
authEngineID: "enginea0", userName: "superuser-sha"
*** [2007:03:25 04:16:31 4482] SNMP A-NET-IF MPD LOG ***
contextEngineID: "enginea0", context: ""
*** [2007:03:25 04:16:31 4484] SNMP A-NET-IF MPD DEBUG ***
PDU type: 'get-request'
*** [2007:03:25 04:16:31 4489] SNMP A-NET-IF LOG ***
got pdu
{pdu,'get-request',1825175770,noError,0,[{varbind,[1,3,6,1,2,1,1,1,0],'NULL','NULL',1}]}
*** [2007:03:25 04:16:31 4497] SNMP A-NET-IF LOG ***
reply pdu:
{pdu,'get-response',1825175770,noError,0,[{varbind,[1,3,6,1,2,1,1,1,0],'OCTET STRING',[71,101,109,105,110,105,32,77,111,98,105,108,101,32,84,101,99,104,110,111,108,111,103,105,101,115,32,77,77,83,71,32,83,78,77,80,32,65,103,101,110,116],1}]}
*** [2007:03:25 04:16:31 4514] SNMP A-NET-IF INFO ***
time in agent: 40380 mysec
(gmt_snmpa_dev@REDACTED)1>
*** [2007:03:25 04:16:36 4689] SNMP A-NET-IF LOG ***
got paket from {127,0,0,1}:33978
*** [2007:03:25 04:16:36 4689] SNMP A-NET-IF MPD LOG ***
v3, msgID: 113381616, msgFlags: [7], msgSecModel: 3
*** [2007:03:25 04:16:36 4690] SNMP A-NET-IF MPD DEBUG ***
version 3 message header:
msgID = 113381616
msgMaxSize = 65507
msgFlags = [7]
msgSecurityModel = 3
msgSecurityParameters = [48,55,4,8,101,110,103,105,110,101,97,48,2,1,0,2,1,0,4,13,115,117,112,101,114,117,115,101,114,45,115,104,97,4,12,249,209,249,228,174,228,167,11,152,157,102,91,4,8,0,0,0,1,110,71,1,213]
*** [2007:03:25 04:16:36 4690] SNMP A-NET-IF A-USM LOG ***
authEngineID: "enginea0", userName: "superuser-sha"
*** [2007:03:25 04:16:36 4698] SNMP A-NET-IF A-USM INFO ***
NOT in time window:
SecName: "superuser-sha"
SnmpEngineBoots: 1
MsgAuthEngineBoots: 0
SnmpEngineTime: 15
MsgAuthEngineTime: 0
*** [2007:03:25 04:16:36 4699] SNMP A-NET-IF MPD DEBUG ***
security module result when reportable [7.2.6-a]:
Reason: usmStatsNotInTimeWindows
ErrorInfo: {{varbind,[1,3,6,1,6,3,15,1,1,2,0],'Counter32',3,undefined},
"superuser-sha",
[{securityLevel,1}]}
*** [2007:03:25 04:16:36 4707] SNMP A-NET-IF LOG ***
sending report for reason:
{securityError,usmStatsNotInTimeWindows}
*** [2007:03:25 04:16:36 4711] SNMP A-NET-IF LOG ***
got paket from {127,0,0,1}:33978
*** [2007:03:25 04:16:36 4712] SNMP A-NET-IF MPD LOG ***
v3, msgID: 113381617, msgFlags: [7], msgSecModel: 3
*** [2007:03:25 04:16:36 4712] SNMP A-NET-IF MPD DEBUG ***
version 3 message header:
msgID = 113381617
msgMaxSize = 65507
msgFlags = [7]
msgSecurityModel = 3
msgSecurityParameters = [48,55,4,8,101,110,103,105,110,101,97,48,2,1,1,2,1,15,4,13,115,117,112,101,114,117,115,101,114,45,115,104,97,4,12,107,221,81,164,31,13,51,255,54,251,27,6,4,8,0,0,0,1,110,71,1,214]
*** [2007:03:25 04:16:36 4712] SNMP A-NET-IF A-USM LOG ***
authEngineID: "enginea0", userName: "superuser-sha"
*** [2007:03:25 04:16:36 4720] SNMP A-NET-IF MPD DEBUG ***
security module result when reportable [7.2.6-a]:
Reason: usmStatsDecryptionErrors
ErrorInfo: {{varbind,[1,3,6,1,6,3,15,1,1,6,0],'Counter32',1,undefined},
"superuser-sha",
[]}
*** [2007:03:25 04:16:36 4727] SNMP A-NET-IF LOG ***
sending report for reason:
{securityError,usmStatsDecryptionErrors}
(gmt_snmpa_dev@REDACTED)1>
BREAK: (a)bort (c)ontinue (p)roc info (i)nfo (l)oaded
(v)ersion (k)ill (D)b-tables (d)istribution
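Added example (not from the post or from OTP's snmp application): an RFC 3414 key-derivation routine that computes the localized authentication key and the CBC-DES privacy key for the two usm.conf users above, using the page's engine ID 656e67696e656130 ("enginea0") and passphrases; the byte lists it returns have the same shape as the usm.conf entries, so they can be compared directly. The passphrase-to-key and localization steps follow RFC 3414 Appendix A; the 16-octet truncation for DES is the detail that differs between an MD5 user (16-octet Kul) and a SHA user (20-octet Kul).

```python
import hashlib

# RFC 3414 key derivation for USM users. The engine ID and passphrases are the
# ones from the post; the lists returned can be compared with usm.conf.
ENGINE_ID = bytes.fromhex("656e67696e656130")   # "enginea0"
HASHES = {"MD5": "md5", "SHA": "sha1"}


def password_to_key(password: bytes, auth: str) -> bytes:
    """RFC 3414 A.2: hash 1,048,576 octets of the repeated passphrase (Ku)."""
    reps = 1048576 // len(password) + 1
    return hashlib.new(HASHES[auth], (password * reps)[:1048576]).digest()


def localize(ku: bytes, engine_id: bytes, auth: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(HASHES[auth], ku + engine_id + ku).digest()


def usm_keys(auth: str, auth_pass: bytes, priv_pass: bytes,
             engine_id: bytes = ENGINE_ID) -> dict:
    """Localized auth key and DES privacy material for one USM user.

    The privacy passphrase is localized with the user's *authentication* hash,
    so a SHA user gets a 20-octet privacy Kul. CBC-DES only consumes 16 octets:
    the first 8 are the DES key and the next 8 the pre-IV (RFC 3414 8.1.1.1),
    which is why the remaining 4 octets of a SHA-derived Kul are dropped.
    """
    auth_key = localize(password_to_key(auth_pass, auth), engine_id, auth)
    priv_kul = localize(password_to_key(priv_pass, auth), engine_id, auth)
    return {
        "authKey": list(auth_key),        # 16 octets for MD5, 20 for SHA
        "privKul": list(priv_kul),        # full localized privacy key
        "desKey": list(priv_kul[:8]),     # DES key proper
        "desPreIV": list(priv_kul[8:16]), # pre-IV, XORed with the salt on use
    }


if __name__ == "__main__":
    for user, auth, apw in (("superuser", "MD5", b"authphrase"),
                            ("superuser-sha", "SHA", b"shaphrase")):
        print(user, auth, usm_keys(auth, apw, b"privphrase"))
```

Because the privacy key is localized with the authentication hash, a SHA user and an MD5 user sharing the same privacy passphrase do not get the same DES key; comparing the two derivations with the two privKey lists in usm.conf is the first check worth making.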