[AGENT++] SNMP++ v3 queries with duplicate security names

Jochen Katz katz at agentpp.com
Thu Mar 24 20:57:05 CET 2011


Hi,

> When using SNMP v3 I can see a potential problem if the user enters
> credentials with the same security name but different security parameters.
> For example:
> 
> ip range: 172.17.28.*
> username: bob
> authentication: None
> privacy: None
> 
> ip range: 172.17.29.*
> Username: bob
> authentication: MD5, Key XXXXXXX
> privacy: DES, Key XXXXX

Does the user really enter the keys? Most likely he enters the passwords.

For the example above, there is no problem. If you add bob with auth and
priv password, you can use bob for the first IP range as noAuthNoPriv
user and for the second as authPriv.

But if the first bob user had different passwords, then you have
a problem.

> Since the code uses a single global USM keyed by name these are going to
> clash aren't they? Only one of these entries will exist in the USM at any
> one time

All of the above only applies if you want to use automatic engine id
discovery (if you use the add_usm_user() functions with passwords and
without engine id).

If you only add localized users to the USM, it will work.
The functions you need are v3MP::get_from_engine_id_table() and
Snmp::engine_id_discovery().
Before contacting an agent, use get_from_engine_id_table() to check if
the engine id is known. If it is not known, discover it using
engine_id_discovery(). Then you can add a localized entry to the USM.

> Is my understanding correct here? If so, is there any way to allow multiple
> security names in the USM and then get SNMP++ to pick the right one somehow
> - for example, using the agent IP address as well as the security name?

There is no possibility in snmp++ to bind user names to an ip address.

Regards,
  Jochen
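
An added illustration of why localized entries avoid the clash discussed above (not part of the original message and not SNMP++ code): RFC 3414 localizes a password-derived key to one engine ID, and usmUserTable is indexed by engine ID plus user name. The `LocalizedUserTable` class, the passwords and `ENGINE_B` are constructed for this sketch; `ENGINE_A` and "maplesyrup" are the RFC 3414 A.3.1 test values.

```python
import hashlib

MEGABYTE = 1048576  # RFC 3414 A.2.1 hashes exactly this many bytes


def password_to_key_md5(password: bytes) -> bytes:
    """RFC 3414 A.2.1: Ku = MD5 over the password repeated to 1 MiB."""
    if not password:
        raise ValueError("password must not be empty")
    stream = (password * (MEGABYTE // len(password) + 1))[:MEGABYTE]
    return hashlib.md5(stream).digest()


def localize_md5(ku: bytes, engine_id: bytes) -> bytes:
    """RFC 3414 2.6: Kul = MD5(Ku || snmpEngineID || Ku)."""
    return hashlib.md5(ku + engine_id + ku).digest()


class LocalizedUserTable:
    """Hypothetical model of a table indexed by (engine ID, user name)."""

    def __init__(self):
        self.users = {}

    def add(self, engine_id: bytes, name: str, auth_password=None):
        key = None  # None models a noAuthNoPriv entry
        if auth_password is not None:
            key = localize_md5(password_to_key_md5(auth_password), engine_id)
        self.users[(engine_id, name)] = key

    def auth_key(self, engine_id: bytes, name: str):
        return self.users[(engine_id, name)]


ENGINE_A = bytes.fromhex("000000000000000000000002")  # RFC 3414 A.3.1 value
ENGINE_B = bytes.fromhex("8000000001020304")          # constructed sample


def demo():
    # Name-only table of password users: the second "bob" replaces the first.
    by_name = {}
    by_name["bob"] = b"first-password"
    by_name["bob"] = b"maplesyrup"
    # Localized table: both "bob" entries coexist, one per engine ID.
    table = LocalizedUserTable()
    table.add(ENGINE_B, "bob", b"first-password")
    table.add(ENGINE_A, "bob", b"maplesyrup")
    return len(by_name), table
```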


