[erlang-questions] SNMP decryption with SHA auth and DES privacy
Scott Lystig Fritchie
fritchie@REDACTED
Tue Mar 27 08:18:47 CEST 2007
Following up to my own posting with a bit more info, I've discovered
the following things, using 4 users configured in the 4 combinations
of auth + privacy methods.
0. All 4 privacy keys are configured identically: the phrase
"privphrase".
1. I have no problem with MD5 auth + DES privacy.
2. I have no problem with MD5 auth + AES privacy. (*)
3. I have problems with authPriv, using SHA auth + either privacy
method.
4. If I send the wrong passphrase for either MD5 or SHA auth user,
I immediately get an authentication error.
5. If I send the correct passphrase for a SHA auth user + authPriv,
I immediately get a "snmpget: Decryption error" error.
6. The SNMP-USER-BASED-SM-MIB::usmStatsDecryptionErrors.0 counter is
incremented each time I attempt a
These facts suggest to me that I have configured the SHA
authentication key correctly. Is it possible that I'm wrong?
I've included my snippet from "agent/usm.conf" as well as a trace log
of the net_if doodad.
-Scott
(*) I discovered that the net-snmp package version 5.1 does not
support AES encryption. (Version 5.1 is what's installed on a
CentOS/Red Hat Enterprise Linux 4.x machine.) Net-snmp version 5.4
supports both DES and AES encryption.
--- snip --- snip --- snip --- snip --- snip --- snip --- snip ---
{"enginea0", "test0.w-all", "test0.w-all", zeroDotZero,
usmHMACMD5AuthProtocol, "", "",
usmDESPrivProtocol, "", "", "",
[201,30,3,40,187,111,176,54,115,130,133,102,206,102,95,204],
[177,119,145,118,201,81,4,153,176,177,63,200,186,208,118,129]
}.
{"enginea0", "test0.w-all-sha", "test0.w-all-sha", zeroDotZero,
usmHMACSHAAuthProtocol, "", "",
usmDESPrivProtocol, "", "", "",
[112,106,201,117,200,192,230,137,68,190,22,79,233,209,95,141,121,43,89,119],
[177,119,145,118,201,81,4,153,176,177,63,200,186,208,118,129]
}.
{"enginea0", "test0.w-all-md5aes", "test0.w-all-md5aes", zeroDotZero,
usmHMACMD5AuthProtocol, "", "",
usmAesCfb128Protocol, "", "", "",
[201,30,3,40,187,111,176,54,115,130,133,102,206,102,95,204],
[177,119,145,118,201,81,4,153,176,177,63,200,186,208,118,129]
}.
{"enginea0", "test0.w-all-shaaes", "test0.w-all-shaaes", zeroDotZero,
usmHMACSHAAuthProtocol, "", "",
usmAesCfb128Protocol, "", "", "",
[112,106,201,117,200,192,230,137,68,190,22,79,233,209,95,141,121,43,89,119],
[177,119,145,118,201,81,4,153,176,177,63,200,186,208,118,129]
}.
--- snip --- snip --- snip --- snip --- snip --- snip --- snip ---
(gmt_snmpa_dev@REDACTED)5> *** [2007:03:27 06:10:15 4934] SNMP A-NET-IF LOG ***
got paket from {127,0,0,1}:33999
*** [2007:03:27 06:10:15 4934] SNMP A-NET-IF MPD LOG ***
v3, msgID: 488947328, msgFlags: [7], msgSecModel: 3
*** [2007:03:27 06:10:15 4934] SNMP A-NET-IF MPD DEBUG ***
version 3 message header:
msgID = 488947328
msgMaxSize = 65507
msgFlags = [7]
msgSecurityModel = 3
msgSecurityParameters = [48,60,4,8,101,110,103,105,110,101,97,48,2,1,0,2,1,0,4,18,116,101,115,116,48,46,119,45,97,108,108,45,115,104,97,97,101,115,4,12,52,96,113,137,13,135,131,237,174,30,185,171,4,8,109,235,47,18,194,123,209,147]
*** [2007:03:27 06:10:15 4935] SNMP A-NET-IF MPD TRACE ***
SecModule = snmpa_usm
SecLevel = 3
IsReportable = true
*** [2007:03:27 06:10:15 4935] SNMP A-NET-IF A-USM TRACE ***
process_incoming_msg -> check security parms: 3.2.1
*** [2007:03:27 06:10:15 4935] SNMP A-NET-IF A-USM LOG ***
authEngineID: "enginea0", userName: "test0.w-all-shaaes"
*** [2007:03:27 06:10:15 4935] SNMP A-NET-IF A-USM TRACE ***
process_incoming_msg -> check engine id: 3.2.3
*** [2007:03:27 06:10:15 4944] SNMP A-NET-IF A-USM TRACE ***
process_incoming_msg -> retrieve usm user: 3.2.4
*** [2007:03:27 06:10:15 4948] SNMP A-NET-IF A-USM TRACE ***
process_incoming_msg -> securityName: "test0.w-all-shaaes"
*** [2007:03:27 06:10:15 4948] SNMP A-NET-IF A-USM TRACE ***
process_incoming_msg -> authenticate incoming: 3.2.5 - 3.2.7
{"enginea0",
"test0.w-all-shaaes",
"test0.w-all-shaaes",
[0,0],
[1,3,6,1,6,3,10,1,1,3],
[],
[],
[1,3,6,1,6,3,10,1,2,4],
[],
[],
[],
3,
1,
[112,
106,
201,
117,
200,
192,
230,
137,
68,
190,
22,
79,
233,
209,
95,
141,
121,
43,
89,
119],
[177,119,145,118,201,81,4,153,176,177,63,200,186,208,118,129]}
*** [2007:03:27 06:10:15 4949] SNMP A-NET-IF A-USM TRACE ***
authenticate_incoming -> 3.2.6
*** [2007:03:27 06:10:15 4949] SNMP A-NET-IF A-USM TRACE ***
is_auth -> retrieve EngineBoots and EngineTime: 3.2.7
*** [2007:03:27 06:10:15 4959] SNMP A-NET-IF A-USM TRACE ***
is_auth -> SnmpEngineID: "enginea0"
*** [2007:03:27 06:10:15 4959] SNMP A-NET-IF A-USM TRACE ***
is_auth -> we are authoritative: 3.2.7a
*** [2007:03:27 06:10:15 4964] SNMP A-NET-IF A-USM TRACE ***
is_auth -> SnmpEngineBoots: 1
*** [2007:03:27 06:10:15 4964] SNMP A-NET-IF A-USM INFO ***
NOT in time window:
SecName: "test0.w-all-shaaes"
SnmpEngineBoots: 1
MsgAuthEngineBoots: 0
SnmpEngineTime: 382
MsgAuthEngineTime: 0
*** [2007:03:27 06:10:15 4964] SNMP A-NET-IF MPD TRACE ***
message processing result:
{error,usmStatsNotInTimeWindows,
{{varbind,[1,3,6,1,6,3,15,1,1,2,0],'Counter32',12,undefined},
"test0.w-all-shaaes",
[{securityLevel,1}]}}
*** [2007:03:27 06:10:15 4965] SNMP A-NET-IF MPD DEBUG ***
security module result when reportable [7.2.6-a]:
Reason: usmStatsNotInTimeWindows
ErrorInfo: {{varbind,[1,3,6,1,6,3,15,1,1,2,0],'Counter32',12,undefined},
"test0.w-all-shaaes",
[{securityLevel,1}]}
*** [2007:03:27 06:10:15 4965] SNMP A-NET-IF MPD TRACE ***
Report ReqId: 0
*** [2007:03:27 06:10:15 4972] SNMP A-NET-IF MPD TRACE ***
generate_response_msg -> SecEngineID: "enginea0"
*** [2007:03:27 06:10:15 4972] SNMP A-NET-IF A-USM TRACE ***
generate_outgoing_msg -> entry [3.1.1]
*** [2007:03:27 06:10:15 4976] SNMP A-NET-IF A-USM TRACE ***
generate_outgoing_msg -> [3.1.4]
*** [2007:03:27 06:10:15 4977] SNMP A-NET-IF A-USM TRACE ***
encrypt -> 3.1.4b
*** [2007:03:27 06:10:15 4992] SNMP A-NET-IF A-USM TRACE ***
generate_outgoing_msg -> SnmpEngineID: "enginea0" [3.1.6]
*** [2007:03:27 06:10:15 4996] SNMP A-NET-IF A-USM TRACE ***
generate_outgoing_msg -> [3.1.5 - 3.1.7]
*** [2007:03:27 06:10:15 4996] SNMP A-NET-IF A-USM TRACE ***
generate_outgoing_msg -> [3.1.8]
*** [2007:03:27 06:10:15 4997] SNMP A-NET-IF A-USM TRACE ***
authenticate_outgoing -> encode message only
*** [2007:03:27 06:10:15 4997] SNMP A-NET-IF LOG TRACE ***
log -> entry with
Log: "snmpa_log"
Addr: {127,0,0,1}
Port: 33999
*** [2007:03:27 06:10:15 4997] SNMP A-NET-IF LOG ***
sending report for reason:
{securityError,usmStatsNotInTimeWindows}
*** [2007:03:27 06:10:16 415] SNMP A-NET-IF TRACE ***
activate once
*** [2007:03:27 06:10:16 426] SNMP A-NET-IF LOG ***
got paket from {127,0,0,1}:33999
*** [2007:03:27 06:10:16 426] SNMP A-NET-IF MPD LOG ***
v3, msgID: 488947329, msgFlags: [7], msgSecModel: 3
*** [2007:03:27 06:10:16 426] SNMP A-NET-IF MPD DEBUG ***
version 3 message header:
msgID = 488947329
msgMaxSize = 65507
msgFlags = [7]
msgSecurityModel = 3
msgSecurityParameters = [48,61,4,8,101,110,103,105,110,101,97,48,2,1,1,2,2,1,126,4,18,116,101,115,116,48,46,119,45,97,108,108,45,115,104,97,97,101,115,4,12,186,201,129,36,5,21,215,85,218,222,122,37,4,8,109,235,47,18,194,123,209,148]
*** [2007:03:27 06:10:16 427] SNMP A-NET-IF MPD TRACE ***
SecModule = snmpa_usm
SecLevel = 3
IsReportable = true
*** [2007:03:27 06:10:16 427] SNMP A-NET-IF A-USM TRACE ***
process_incoming_msg -> check security parms: 3.2.1
*** [2007:03:27 06:10:16 427] SNMP A-NET-IF A-USM LOG ***
authEngineID: "enginea0", userName: "test0.w-all-shaaes"
*** [2007:03:27 06:10:16 427] SNMP A-NET-IF A-USM TRACE ***
process_incoming_msg -> check engine id: 3.2.3
*** [2007:03:27 06:10:16 447] SNMP A-NET-IF A-USM TRACE ***
process_incoming_msg -> retrieve usm user: 3.2.4
*** [2007:03:27 06:10:16 452] SNMP A-NET-IF A-USM TRACE ***
process_incoming_msg -> securityName: "test0.w-all-shaaes"
*** [2007:03:27 06:10:16 452] SNMP A-NET-IF A-USM TRACE ***
process_incoming_msg -> authenticate incoming: 3.2.5 - 3.2.7
{"enginea0",
"test0.w-all-shaaes",
"test0.w-all-shaaes",
[0,0],
[1,3,6,1,6,3,10,1,1,3],
[],
[],
[1,3,6,1,6,3,10,1,2,4],
[],
[],
[],
3,
1,
[112,
106,
201,
117,
200,
192,
230,
137,
68,
190,
22,
79,
233,
209,
95,
141,
121,
43,
89,
119],
[177,119,145,118,201,81,4,153,176,177,63,200,186,208,118,129]}
*** [2007:03:27 06:10:16 453] SNMP A-NET-IF A-USM TRACE ***
authenticate_incoming -> 3.2.6
*** [2007:03:27 06:10:16 466] SNMP A-NET-IF A-USM TRACE ***
is_auth -> retrieve EngineBoots and EngineTime: 3.2.7
*** [2007:03:27 06:10:16 478] SNMP A-NET-IF A-USM TRACE ***
is_auth -> SnmpEngineID: "enginea0"
*** [2007:03:27 06:10:16 479] SNMP A-NET-IF A-USM TRACE ***
is_auth -> we are authoritative: 3.2.7a
*** [2007:03:27 06:10:16 491] SNMP A-NET-IF A-USM TRACE ***
is_auth -> SnmpEngineBoots: 1
*** [2007:03:27 06:10:16 491] SNMP A-NET-IF A-USM TRACE ***
process_incoming_msg -> decrypt scoped data: 3.2.8
*** [2007:03:27 06:10:16 492] SNMP A-NET-IF MPD TRACE ***
message processing result:
{error,usmStatsDecryptionErrors,
{{varbind,[1,3,6,1,6,3,15,1,1,6,0],'Counter32',7,undefined},
"test0.w-all-shaaes",
[]}}
*** [2007:03:27 06:10:16 492] SNMP A-NET-IF MPD DEBUG ***
security module result when reportable [7.2.6-a]:
Reason: usmStatsDecryptionErrors
ErrorInfo: {{varbind,[1,3,6,1,6,3,15,1,1,6,0],'Counter32',7,undefined},
"test0.w-all-shaaes",
[]}
*** [2007:03:27 06:10:16 493] SNMP A-NET-IF MPD TRACE ***
Report ReqId: 0
*** [2007:03:27 06:10:16 4115] SNMP A-NET-IF MPD TRACE ***
generate_response_msg -> SecEngineID: "enginea0"
*** [2007:03:27 06:10:16 4116] SNMP A-NET-IF A-USM TRACE ***
generate_outgoing_msg -> entry [3.1.1]
*** [2007:03:27 06:10:16 4118] SNMP A-NET-IF A-USM TRACE ***
generate_outgoing_msg -> [3.1.4]
*** [2007:03:27 06:10:16 4118] SNMP A-NET-IF A-USM TRACE ***
encrypt -> 3.1.4b
*** [2007:03:27 06:10:16 4118] SNMP A-NET-IF A-USM TRACE ***
generate_outgoing_msg -> SnmpEngineID: "enginea0" [3.1.6]
*** [2007:03:27 06:10:16 4119] SNMP A-NET-IF A-USM TRACE ***
generate_outgoing_msg -> [3.1.5 - 3.1.7]
*** [2007:03:27 06:10:16 4119] SNMP A-NET-IF A-USM TRACE ***
generate_outgoing_msg -> [3.1.8]
*** [2007:03:27 06:10:16 4119] SNMP A-NET-IF A-USM TRACE ***
authenticate_outgoing -> encode message only
*** [2007:03:27 06:10:16 4119] SNMP A-NET-IF LOG TRACE ***
log -> entry with
Log: "snmpa_log"
Addr: {127,0,0,1}
Port: 33999
*** [2007:03:27 06:10:16 4120] SNMP A-NET-IF LOG ***
sending report for reason:
{securityError,usmStatsDecryptionErrors}
*** [2007:03:27 06:10:16 4120] SNMP A-NET-IF TRACE ***
activate once
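As an added example (not code from the post or from the OTP snmp application), here are the RFC 3414 password-to-key and key-localization steps in Python, printing the keys in the integer-list form agent/usm.conf uses. It assumes the engine ID is the ASCII string "enginea0" and the privacy passphrase "privphrase" from the post; the authentication passphrase is a placeholder. The point it shows is that USM derives the privacy key with the authentication protocol's hash, so an MD5 user and a SHA user get different privacy keys from the same passphrase.

```python
import hashlib

# RFC 3414 appendix A.2: the passphrase is repeated to fill exactly
# 1 MiB before hashing.
KEY_STREAM_LEN = 1024 * 1024

# Values taken from the post. The engine ID is the ASCII string "enginea0"
# (visible in msgSecurityParameters of the trace log). The auth passphrase
# is an assumed placeholder; the post does not give it.
ENGINE_ID = b"enginea0"
PRIV_PASSPHRASE = b"privphrase"
AUTH_PASSPHRASE = b"authphrase-placeholder"


def password_to_key(passphrase: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2 password-to-key: hash 1 MiB of the repeated passphrase (Ku)."""
    reps = KEY_STREAM_LEN // len(passphrase) + 1
    stream = (passphrase * reps)[:KEY_STREAM_LEN]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """RFC 3414 section 2.6 key localization: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_keys(auth_hash: str, auth_pass: bytes, priv_pass: bytes, engine_id: bytes):
    """Return (authKey, privKey) for one USM user.

    Both keys are derived and localized with the *authentication* protocol's
    hash; the privacy key is then truncated to 16 bytes for DES and AES-128.
    """
    auth_key = localize_key(password_to_key(auth_pass, auth_hash), engine_id, auth_hash)
    priv_key = localize_key(password_to_key(priv_pass, auth_hash), engine_id, auth_hash)[:16]
    return auth_key, priv_key


def erlang_list(data: bytes) -> str:
    """Render bytes in the integer-list form used in agent/usm.conf."""
    return "[" + ",".join(str(b) for b in data) + "]"


if __name__ == "__main__":
    for label, hash_name in (("usmHMACMD5AuthProtocol", "md5"),
                             ("usmHMACSHAAuthProtocol", "sha1")):
        auth_key, priv_key = usm_keys(hash_name, AUTH_PASSPHRASE, PRIV_PASSPHRASE, ENGINE_ID)
        print(label)
        print("  authKey:", erlang_list(auth_key))
        print("  privKey:", erlang_list(priv_key))
```

Compare the printed privKey for the SHA user against the snippet above; the RFC 3414 appendix A.3 "maplesyrup" vectors are a good sanity check that the derivation itself is right.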