[erlang-questions] Two SNMP questions: SHA auth + authPriv, authenticationFailure trap

Martin Bjorklund mbj@REDACTED
Tue Apr 10 12:44:57 CEST 2007

Scott Lystig Fritchie <fritchie@REDACTED> wrote:
> Greetings -- I've got a couple of SNMP-related questions.
> 1. Does anyone have an Erlang/OTP SNMP agent that can successfully
>    handle the crypto required by 'authPriv' (either DES or AES) when
>    using the SHA authentication method?


However, I did have to do some debugging to get this to work.  The
problem turned out to be that the algorithm to derive the private key
from the password and engine id (localized key) was not the same in
OTP c/w net-snmp (and agent++ which I also tried).  When using SHA,
the private key is the first 16 bytes from the 20 byte sha-digest
key.  OTP always uses the md5-derived key.  The "buggy" code is in

write_agent_snmp_usm_conf2(EngineID, SecType, Passwd) ->
    Secret16 = agent_snmp_mk_secret(md5, Passwd, EngineID),
    Secret20 = agent_snmp_mk_secret(sha, Passwd, EngineID),
    {PrivProt, PrivSecret} = 
	case SecType of
	    minimum ->
		{usmNoPrivProtocol,    ""};
	    {semi, des} ->
		{usmDESPrivProtocol,   Secret16};        <---  !!!
	    {semi, aes} ->
		{usmAesCfb128Protocol, Secret16}         <---- !!!

Note how Secret16 is always used. and it is derived from md5.  The
code should use the first 16 bytes for the SHA entry.

>    If yes, then would you mind sending me a copy of a "usm.conf" entry
>    that works?  (Along with the clear-text passphrases :-)  I'm trying
>    to figure out if my SHA auth failures are due to a configuration
>    problem, an OTP bug, or something else.(*)
> 2. Sorry, this is an SNMPv3 newbie question, but I'm anticipating a
>    probably-going-to-be-asked question from our customer.
>    If my Erlang/OTP SNMP agent receives an SNMPv3 query with a bad
>    user name (a usmStatsUnknownUserNames error) or bad authentication
>    passphrase (a usmStatsWrongDigests error), ...
>    ...  is my app supposed to be sending an authenticationFailure
>    trap?  I have snmpEnableAuthenTraps.0 set to enabled(1), but it
>    isn't clear to me if the authenticationFailure is only for v1 or
>    v2c auth errors or for all auth errors.

Good question.  I would say that it should be sent for these USM
errors.  Is it?


More information about the erlang-questions mailing list