net-snmp-coders — Discussion of internal project coding (Please use this OR -users, NOT both!)

RE: libnetsnmpagent.so.35: cannot open shared object file: No such file or directory

[Peter M. <pma...@ac...>]

I ran "/usr/local/sbin/snmpd  -v" and that outputted "NET-SNMP version: 5.9.4.pre2"

/usr/sbin/snmpd was preinstalled on my system and I must have gotten the two confused.

I ran "ps -aux | grep snmpd" and confirmed that snmpd is running.

I ran the following to export an example MIB:
"export MIBS=+NET-SNMP-AGENT-MIB"

I ran the following command:
snmpwalk -v 3 -u linuser -l authPriv -a SHA -A linuserpass -x DES -X linprivpass localhost" with the user settings I mentioned in my original post.

Im encountering the following:
"snmpwalk: Timeout"





-----Original Message-----
From: Niels Baggesen <ni...@ba...> 
Sent: Tuesday, July 30, 2024 3:29 PM
To: net...@li...
Subject: Re: libnetsnmpagent.so.35: cannot open shared object file: No such file or directory

Den 30-07-2024 kl. 21:22 skrev Peter Majdalani:
 > It installed into /usr/local/bin

So why are you running /usr/sbin/snmpd and not /usr/local/sbin/snmpd?

How was /usr/sbin/snmpd installed on your system, and without the proper libraries?

 > A solution I tried was to make symbolic links inside the /usr/local/lib for the respective libnetsnmpagent.so.35 that link to their respective .so.40 links

A very bad idea, than will lead to endless problems.

/Niels

--
Niels Baggesen -- @home -- Århus -- Denmark -- ni...@ba... The purpose of computing is insight, not numbers  --  R W Hamming



_______________________________________________
Net-snmp-coders mailing list
Net...@li...
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders

Re: libnetsnmpagent.so.35: cannot open shared object file: No such file or directory

[Niels B. <ni...@ba...>]

Den 30-07-2024 kl. 21:22 skrev Peter Majdalani:
 > It installed into /usr/local/bin

So why are you running /usr/sbin/snmpd and not /usr/local/sbin/snmpd?

How was /usr/sbin/snmpd installed on your system, and without the proper 
libraries?

 > A solution I tried was to make symbolic links inside the 
/usr/local/lib for the respective libnetsnmpagent.so.35 that link to 
their respective .so.40 links

A very bad idea, than will lead to endless problems.

/Niels

-- 
Niels Baggesen -- @home -- Århus -- Denmark -- ni...@ba...
The purpose of computing is insight, not numbers  --  R W Hamming

Re: libnetsnmpagent.so.35: cannot open shared object file: No such file or directory

[Niels B. <ni...@ba...>]

Using the defaults, I would expect it to install into 
/usr/local/{sbin,bin} ?

You probably need to rerun ldconfig after doing the install.

/Niels

Den 30-07-2024 kl. 16:03 skrev Peter Majdalani:
> Hi,
> 
> I am currently trying to get net-snmp to work on my Ubuntu 20.04.6 Linux 
> machine.
> 
> I have downloaded net-snmp 5.9.4
> I ran ./configure with all default settings
> I ran `make`, no errors occurred
> I then ran `sudo make install` as root, no errors occurred
> 
> I have the following user settings in the snmpd.conf:
> `rouser linuser priv
>    createUser linuser SHA linuserpass DES linprivpass
> 
>    rw user linadmin priv
>    rw user linadmin SHA linauthpass DES linprivpass`
> 
> When I run the following command:
> 
> `snmpwalk -v 3 -u linuser -l authPriv -a SHA -A linuserpass -x DES -X 
> linprivpass localhost`
> 
> It outputs:
> “snmpwalk: Timeout”
> 
> When I run the following command:
> `/usr/sbin/snmpd`
> 
> It outputs:
> “/usr/sbin/snmpd: error while loading shared libraries: 
> libnetsnmp.so.35: cannot open shared object file: No such file or directory”
> 
> If and when I run the following command:
> `ldd /usr/sbin/snmpd`
> 
> It outputs the following:
> “linux-vdso.so.1 (0x00007ffec37ad000)
> libnetsnmpagent.so.35 => not found
> libnetsnmpmibs.so.35 => not found
> libnetsnmp.so.35 => not found
> libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f34d86f000)
> /lib64/ld-linux-x86_64.so.2”
> 
> Any ideas on how to fix this?
> 
> 
> 
> _______________________________________________
> Net-snmp-coders mailing list
> Net...@li...
> https://lists.sourceforge.net/lists/listinfo/net-snmp-coders

-- 
Niels Baggesen -- @home -- Århus -- Denmark -- ni...@ba...
The purpose of computing is insight, not numbers  --  R W Hamming

libnetsnmpagent.so.35: cannot open shared object file: No such file or directory

[Peter M. <pma...@ac...>]

Hi,

I am currently trying to get net-snmp to work on my Ubuntu 20.04.6 Linux machine.

I have downloaded net-snmp 5.9.4
I ran ./configure with all default settings
I ran `make`, no errors occurred
I then ran `sudo make install` as root, no errors occurred

I have the following user settings in the snmpd.conf:
`rouser linuser priv
  createUser linuser SHA linuserpass DES linprivpass
  rw user linadmin priv
  rw user linadmin SHA linauthpass DES linprivpass`

When I run the following command:

`snmpwalk -v 3 -u linuser -l authPriv -a SHA -A linuserpass -x DES -X linprivpass localhost`

It outputs:
"snmpwalk: Timeout"

When I run the following command:
`/usr/sbin/snmpd`

It outputs:
"/usr/sbin/snmpd: error while loading shared libraries: libnetsnmp.so.35: cannot open shared object file: No such file or directory"

If and when I run the following command:
`ldd /usr/sbin/snmpd`

It outputs the following:
"linux-vdso.so.1 (0x00007ffec37ad000)
libnetsnmpagent.so.35 => not found
libnetsnmpmibs.so.35 => not found
libnetsnmp.so.35 => not found
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f34d86f000)
/lib64/ld-linux-x86_64.so.2"

Any ideas on how to fix this?

Re: (Previous email had a weird formatting) Custom Mib returning wrong values when Magic number is larger than 255

[Craig S. <cs...@dr...>]

On Fri, 12 Jul 2024 at 08:31, Neeraj Bansal <nee...@gm...> wrote:
> We recompile everything and install no problem, but instead of fixing our problem it caused net-snmp-5.9.3 to not be able to start. The error it gives is: Bad user id, which could be a red herring. example below:
> [root@testboard: /root# /etc/init.d/S59netsnmp restart
> Stopping SNMP daemon: [OK]
> Starting SNMP daemon: Bad user id: snmp
I think it is a red herring, that error is from the -u option.

# /usr/sbin/snmpd -u blah
Bad user id: blah

I know that is not solving your main issue, but its got rid of one thing.

 - Craig



> [root@testboard: /root#
>
> So, we take our patches out and recompile and install, and it works again but still has the 255 custom oid limitation.
>
> A snippet from our header file. Too big to paste it all.
>
> #define  TEMPC                1
> #define  TEMPF                2
> #define   UPTIME_STR             3
> #define   SERIALNUMBER            4
> #define   ALLOFIT               5
> #define   ROOTFSBUILD           6
> #define   KERNELBUILD      7
> #define   OSINFO            8
> ......
> #define PRODUCT_ID 250
> #define RUNSCRIPT 251
> #define TIMER1 252
> #define TIMER2 253
> #define TIMER3 254
> #define TIMER4 255
> #define TIMER5 256 <- This outpts an error because it wraps around and 0 is not defined.
> #define TIMER6 257 <- This outputs TEMPC value instead of TIMER6.
> #define TIMER7 258
> #define TIMER8 259
> #define TIMER9 260
> #define TIMER10 261
>
> #define    EXAMPLETIMETICKS    3333
> #define  EXAMPLEIPADDRESS        4444
> #define   EXAMPLECOUNTER      7777
> #define  EXAMPLEGAUGE            8888
> #define  EXAMPLETRIGGERTRAP      9999
> #define  EXAMPLETRIGGERTRAP2     1000
>
> Notice the example defines above that were provided in the example C header file, those magic numbers would have never worked because of the u_char (8-bit) magic variable limitation.
>
> This is a code snippet from our custom mib C file.
>
> struct variable4 testboard_variables[] = {
>    {ROOTFSBUILD, ASN_OCTET_STR, NETSNMP_OLDAPI_RONLY, testboard_var, 2, {7, 1}},
>    {KERNELBUILD, ASN_OCTET_STR, NETSNMP_OLDAPI_RONLY, testboard_var, 2, {7, 2}},
>    {OSINFO, ASN_OCTET_STR, NETSNMP_OLDAPI_RONLY, testboard_var, 2, {7, 3}},
>    {PRODUCT_ID, ASN_OCTET_STR, NETSNMP_OLDAPI_RONLY, etestboard_var, 2, {7, 4}},
>    {UPTIME_STR, ASN_OCTET_STR, NETSNMP_OLDAPI_RONLY, testboard_var, 2, {5, 1}},
>    {SERIALNUMBER, ASN_OCTET_STR, NETSNMP_OLDAPI_RONLY, testboard_var, 2, {5, 2}},
>    {TEMPC, ASN_OCTET_STR, NETSNMP_OLDAPI_RONLY, testboard_var, 2, {6,1}},
>    {TEMPF, ASN_OCTET_STR, NETSNMP_OLDAPI_RONLY, testboard_var, 2, {6,2}},
>
> We have poured over the souce code looking for any other instance of u_char magic that we may have missed, but they are only defined in the two files mentioned above.
>
> We need some help with this. What else do we need to do in the 5.9 versions to make the magic number not wrap around to zero after 255 and not crash when we do that?
>
> Thanks,
>
> Neeraj Bansal
> _______________________________________________
> Net-snmp-coders mailing list
> Net...@li...
> https://lists.sourceforge.net/lists/listinfo/net-snmp-coders

Re: (Previous email had a weird formatting) Custom Mib returning wrong values when Magic number is larger than 255

[Neeraj B. <nee...@gm...>]

We are still stuck on this issue. We would really like it if someone could
guide us. Is somebody else facing the same issue?

Please let me know if I can provide more information.

Regards,

Neeraj Bansal

On Thu, 11 Jul 2024 at 15:30, Neeraj Bansal <nee...@gm...>
wrote:

> Hello,
>
> Net-SNMP version: 5.9.3
> OS: Plain Vanilla Linux (kernel 6.6.23)
> Hardware: custom ARM board with many sensors
>
> Back in the net-snmp 5.4 days we created a custom mib in c using the
> example found at: netsnmp/agent/mibgroup/example.c
>
> This has worked great with one minor patch that we add to be able to go
> beyhond the 255 custom oid limitation set by a u_char magic. We would
> change that to u_short magic in the two files below, and then when calling
> an oid that has a magic number beyhond 255 it does not wrap to zero and
> start returning wrong vales.
>
> Change all u_char magic; to u_short magic; in the two files below.
> netsnmp/include/netsnmp/agent/snmp_vars.h
> netsnmp/include/netsnmp/agent/var_struct.h
>
> As mentioned our custom patch has worked for many years and many newer
> versions than net-snmp 5.4. Now fast forward to today. We want to upgrade
> our net-snmp to a newer version that supports newer openssl. So we install
> 5.9.3, test our custom mib, and all works as expected including the 255
> limitation. When walking the tree we can observe that when the 255 limit is
> reached it wraps around and outputs from the beginning. So, no problem. We
> just have to add our patches to increase the size of the magic variable
> from u_char (8-bit) to u_short (16-bit) in two files mentioned above.
>
> We recompile everything and install no problem, but instead of fixing our
> problem it caused net-snmp-5.9.3 to not be able to start. The error it
> gives is: Bad user id, which could be a red herring. example below:
> [root@testboard: /root# /etc/init.d/S59netsnmp restart
> Stopping SNMP daemon: [OK]
> Starting SNMP daemon: Bad user id: snmp
> [root@testboard: /root#
>
> So, we take our patches out and recompile and install, and it works again
> but still has the 255 custom oid limitation.
>
> A snippet from our header file. Too big to paste it all.
>
> #define TEMPC 1
> #define TEMPF 2
> #define   UPTIME_STR 3
> #define   SERIALNUMBER 4
> #define   ALLOFIT 5
> #define   ROOTFSBUILD 6
> #define   KERNELBUILD      7
> #define   OSINFO     8
> ......
> #define PRODUCT_ID 250
> #define RUNSCRIPT 251
> #define TIMER1 252
> #define TIMER2 253
> #define TIMER3 254
> #define TIMER4 255
> #define TIMER5 256 <- This outpts an error because it wraps around and 0
> is not defined.
> #define TIMER6 257 <- This outputs TEMPC value instead of TIMER6.
> #define TIMER7 258
> #define TIMER8 259
> #define TIMER9 260
> #define TIMER10 261
>
> #define    EXAMPLETIMETICKS 3333
> #define EXAMPLEIPADDRESS        4444
> #define   EXAMPLECOUNTER 7777
> #define EXAMPLEGAUGE            8888
> #define EXAMPLETRIGGERTRAP      9999
> #define EXAMPLETRIGGERTRAP2     1000
>
> Notice the example defines above that were provided in the example C
> header file, those magic numbers would have never worked because of the
> u_char (8-bit) magic variable limitation.
>
> This is a code snippet from our custom mib C file.
>
> struct variable4 testboard_variables[] = {
>    {ROOTFSBUILD, ASN_OCTET_STR, NETSNMP_OLDAPI_RONLY, testboard_var, 2,
> {7, 1}},
>    {KERNELBUILD, ASN_OCTET_STR, NETSNMP_OLDAPI_RONLY, testboard_var, 2,
> {7, 2}},
>    {OSINFO, ASN_OCTET_STR, NETSNMP_OLDAPI_RONLY, testboard_var, 2, {7, 3}},
>    {PRODUCT_ID, ASN_OCTET_STR, NETSNMP_OLDAPI_RONLY, etestboard_var, 2,
> {7, 4}},
>    {UPTIME_STR, ASN_OCTET_STR, NETSNMP_OLDAPI_RONLY, testboard_var, 2, {5,
> 1}},
>    {SERIALNUMBER, ASN_OCTET_STR, NETSNMP_OLDAPI_RONLY, testboard_var, 2,
> {5, 2}},
>    {TEMPC, ASN_OCTET_STR, NETSNMP_OLDAPI_RONLY, testboard_var, 2, {6,1}},
>    {TEMPF, ASN_OCTET_STR, NETSNMP_OLDAPI_RONLY, testboard_var, 2, {6,2}},
>
> We have poured over the souce code looking for any other instance of
> u_char magic that we may have missed, but they are only defined in the two
> files mentioned above.
>
> We need some help with this. What else do we need to do in the 5.9
> versions to make the magic number not wrap around to zero after 255 and not
> crash when we do that?
>
> Thanks,
>
> Neeraj Bansal
>

Re: Character set for snmpv3 user auth/priv password

[Wes H. <har...@us...>]

Pushpa Thimmaiah <pus...@gm...> writes:

> I would like to know invalid characters or characters that are not
> allowed for snmpv3 authPhrase and privPhrase.  Does the following
> password valid.

You should be able to put passwords with interesting characters in
quotes if you need them.
-- 
Wes Hardaker
Please mail all replies to net...@li...

Re: Two snmpv3 users with same name and different credentials

[Wes H. <har...@us...>]

Pushpa Thimmaiah <pus...@gm...> writes:

> Could you please confirm net-snmp allows same snmpv3 user with
> different credentials?

No that is not possible.  It actually doesn't have to do with Net-SNMP,
the SNMPv3 protocol alone requires a separate user name if you need
different credentials.

-- 
Wes Hardaker
Please mail all replies to net...@li...

(Previous email had a weird formatting) Custom Mib returning wrong values when Magic number is larger than 255

[Neeraj B. <nee...@gm...>]

Hello,

Net-SNMP version: 5.9.3
OS: Plain Vanilla Linux (kernel 6.6.23)
Hardware: custom ARM board with many sensors

Back in the net-snmp 5.4 days we created a custom mib in c using the
example found at: netsnmp/agent/mibgroup/example.c

This has worked great with one minor patch that we add to be able to go
beyhond the 255 custom oid limitation set by a u_char magic. We would
change that to u_short magic in the two files below, and then when calling
an oid that has a magic number beyhond 255 it does not wrap to zero and
start returning wrong vales.

Change all u_char magic; to u_short magic; in the two files below.
netsnmp/include/netsnmp/agent/snmp_vars.h
netsnmp/include/netsnmp/agent/var_struct.h

As mentioned our custom patch has worked for many years and many newer
versions than net-snmp 5.4. Now fast forward to today. We want to upgrade
our net-snmp to a newer version that supports newer openssl. So we install
5.9.3, test our custom mib, and all works as expected including the 255
limitation. When walking the tree we can observe that when the 255 limit is
reached it wraps around and outputs from the beginning. So, no problem. We
just have to add our patches to increase the size of the magic variable
from u_char (8-bit) to u_short (16-bit) in two files mentioned above.

We recompile everything and install no problem, but instead of fixing our
problem it caused net-snmp-5.9.3 to not be able to start. The error it
gives is: Bad user id, which could be a red herring. example below:
[root@testboard: /root# /etc/init.d/S59netsnmp restart
Stopping SNMP daemon: [OK]
Starting SNMP daemon: Bad user id: snmp
[root@testboard: /root#

So, we take our patches out and recompile and install, and it works again
but still has the 255 custom oid limitation.

A snippet from our header file. Too big to paste it all.

#define TEMPC 1
#define TEMPF 2
#define   UPTIME_STR 3
#define   SERIALNUMBER 4
#define   ALLOFIT 5
#define   ROOTFSBUILD 6
#define   KERNELBUILD      7
#define   OSINFO     8
......
#define PRODUCT_ID 250
#define RUNSCRIPT 251
#define TIMER1 252
#define TIMER2 253
#define TIMER3 254
#define TIMER4 255
#define TIMER5 256 <- This outpts an error because it wraps around and 0 is
not defined.
#define TIMER6 257 <- This outputs TEMPC value instead of TIMER6.
#define TIMER7 258
#define TIMER8 259
#define TIMER9 260
#define TIMER10 261

#define    EXAMPLETIMETICKS 3333
#define EXAMPLEIPADDRESS        4444
#define   EXAMPLECOUNTER 7777
#define EXAMPLEGAUGE            8888
#define EXAMPLETRIGGERTRAP      9999
#define EXAMPLETRIGGERTRAP2     1000

Notice the example defines above that were provided in the example C header
file, those magic numbers would have never worked because of the u_char
(8-bit) magic variable limitation.

This is a code snippet from our custom mib C file.

struct variable4 testboard_variables[] = {
   {ROOTFSBUILD, ASN_OCTET_STR, NETSNMP_OLDAPI_RONLY, testboard_var, 2, {7,
1}},
   {KERNELBUILD, ASN_OCTET_STR, NETSNMP_OLDAPI_RONLY, testboard_var, 2, {7,
2}},
   {OSINFO, ASN_OCTET_STR, NETSNMP_OLDAPI_RONLY, testboard_var, 2, {7, 3}},
   {PRODUCT_ID, ASN_OCTET_STR, NETSNMP_OLDAPI_RONLY, etestboard_var, 2, {7,
4}},
   {UPTIME_STR, ASN_OCTET_STR, NETSNMP_OLDAPI_RONLY, testboard_var, 2, {5,
1}},
   {SERIALNUMBER, ASN_OCTET_STR, NETSNMP_OLDAPI_RONLY, testboard_var, 2,
{5, 2}},
   {TEMPC, ASN_OCTET_STR, NETSNMP_OLDAPI_RONLY, testboard_var, 2, {6,1}},
   {TEMPF, ASN_OCTET_STR, NETSNMP_OLDAPI_RONLY, testboard_var, 2, {6,2}},

We have poured over the souce code looking for any other instance of u_char
magic that we may have missed, but they are only defined in the two files
mentioned above.

We need some help with this. What else do we need to do in the 5.9 versions
to make the magic number not wrap around to zero after 255 and not crash
when we do that?

Thanks,

Neeraj Bansal

Custom Mib returning wrong values when Magic number is larger than 255

[Neeraj B. <nee...@gm...>]

Hello,

Net-SNMP version: 5.9.3
OS: Plain Vanilla Linux (kernel 6.6.23)
Hardware: custom ARM board with many sensors

Back in the net-snmp 5.4 days we created a custom mib in c using the
example found at: netsnmp/agent/mibgroup/example.c

This has worked great with one minor patch that we add to be able to
go beyhond the 255 custom oid limitation set by a u_char magic. We
would change that to u_short magic in the two files below, and then
when calling an oid that has a magic number beyhond 255 it does not
wrap to zero and start returning wrong vales.

Change all u_char magic; to u_short magic; in the two files below.
netsnmp/include/netsnmp/agent/snmp_vars.h
netsnmp/include/netsnmp/agent/var_struct.h

As mentioned our custom patch has worked for many years and many newer
versions than net-snmp 5.4. Now fast forward to today. We want to
upgrade our net-snmp to a newer version that supports newer openssl.
So we install 5.9.3, test our custom mib, and all works as expected
including the 255 limitation. When walking the tree we can observe
that when the 255 limit is reached it wraps around and outputs from
the beginning. So, no problem. We just have to add our patches to
increase the size of the magic variable from u_char (8-bit) to u_short
(16-bit) in two files mentioned above.

We recompile everything and install no problem, but instead of fixing
our problem it caused net-snmp-5.9.3 to not be able to start. The
error it gives is: Bad user id, which could be a red herring. example
below:
[root@testboard: /root# /etc/init.d/S59netsnmp restart
Stopping SNMP daemon: [OK]
Starting SNMP daemon: Bad user id: snmp
[root@testboard: /root#

So, we take our patches out and recompile and install, and it works
again but still has the 255 custom oid limitation.

A snippet from our header file. Too big to paste it all.

#define  TEMPC                1
#define  TEMPF                2
#define UPTIME_STR              3
#define SERIALNUMBER            4
#define ALLOFIT                5
#define ROOTFSBUILD              6
#define  KERNELBUILD                  7
#define OSINFO                8
......
#define PRODUCT_ID 250
#define RUNSCRIPT 251
#define TIMER1 252
#define TIMER2 253
#define TIMER3 254
#define TIMER4 255
#define TIMER5 256 <- This outpts an error because it wraps around and
0 is not defined.
#define TIMER6 257 <- This outputs TEMPC value instead of TIMER6.
#define TIMER7 258
#define TIMER8 259
#define TIMER9 260
#define TIMER10 261

#define EXAMPLETIMETICKS    3333
#define  EXAMPLEIPADDRESS        4444
#define EXAMPLECOUNTER      7777
#define  EXAMPLEGAUGE            8888
#define  EXAMPLETRIGGERTRAP      9999
#define  EXAMPLETRIGGERTRAP2     1000

Notice the example defines above that were provided in the example C
header file, those magic numbers would have never worked because of
the u_char (8-bit) magic variable limitation.

This is a code snippet from our custom mib C file.

struct variable4 testboard_variables[] = {
    {ROOTFSBUILD, ASN_OCTET_STR, NETSNMP_OLDAPI_RONLY, testboard_var,
2, {7, 1}},
    {KERNELBUILD, ASN_OCTET_STR, NETSNMP_OLDAPI_RONLY, testboard_var,
2, {7, 2}},
    {OSINFO, ASN_OCTET_STR, NETSNMP_OLDAPI_RONLY, testboard_var, 2, {7, 3}},
    {PRODUCT_ID, ASN_OCTET_STR, NETSNMP_OLDAPI_RONLY, etestboard_var,
2, {7, 4}},
    {UPTIME_STR, ASN_OCTET_STR, NETSNMP_OLDAPI_RONLY, testboard_var, 2, {5, 1}},
    {SERIALNUMBER, ASN_OCTET_STR, NETSNMP_OLDAPI_RONLY, testboard_var,
2, {5, 2}},
    {TEMPC, ASN_OCTET_STR, NETSNMP_OLDAPI_RONLY, testboard_var, 2, {6,1}},
    {TEMPF, ASN_OCTET_STR, NETSNMP_OLDAPI_RONLY, testboard_var, 2, {6,2}},

We have poured over the souce code looking for any other instance of
u_char magic that we may have missed, but they are only defined in the
two files mentioned above.

We need some help with this. What else do we need to do in the 5.9
versions to make the magic number not wrap around to zero after 255
and not crash when we do that?


Best,

Neeraj Bansal

Two snmpv3 users with same name and different credentials

[Pushpa T. <pus...@gm...>]

Hi All,

Could you please confirm net-snmp allows same snmpv3 user with different
credentials?
*Eg:*
*Step1:*  Stop snmptrapd Added following line in
/var/net-snmp/snmptrapd.conf

createUser -e 0x8000xxxx0800b0de03e6d8 p2rc54 MD5 mypassword AES128
mypassword
createUser -e 0x8000xxxx0800b0de03e6d8 p2rc54 SHA512 mypassword AES256
mypassword

*Step 2:* Start snmptrapd

Only one entry in /var/net-snmp/snmptrapd.conf
:~$ sudo cat /var/net-snmp/snmptrapd.conf | grep k2rc
sudo: /etc/sudoers.d is world writable
usmUser 1 3 0x8000xxxx0800b0de03e6d8 "p2rc54" "p2rc54" NULL
.1.3.6.1.6.3.10.1.1.7
0xa1e3c168f53e8e2ca1b90fde5a4b7f6f925bce51379588255461be7f085c9d7eb9a500d3a4c7e9ba8df6491db7xe2bc80b0712d5072a0875b60db52af417583c
.1.3.6.1.4.1.14832.1.4
0xa1e3c168f53e8e2ca1b90fde5a4b7f4f925bce51379288255461be7f085c9d7e ""

Thank you,
Pushpa.T

Net SNMP not processing data

[MOHD R. S. <raf...@gm...>]

Hi,

In TCPDUMP we are receiving packets but Net-SNMP Trap is processing some
of them and dropping some of them.

This scenario is happening for the same SNMP Agent.

SNMP V3 Config:- /etc/snmp/snmptrapd.conf

OS:- RHEL 8
Net-SNMP version:-5.8

Regards
Mohd Rafeeq Siddiquie

Character set for snmpv3 user auth/priv password

[Pushpa T. <pus...@gm...>]

Hi Folks,

I would like to know invalid characters or characters that are not allowed
for snmpv3 authPhrase and privPhrase.
Does the following password valid.

Eg:
snmpv3 user: testing123
Auth type : SHA512
Auth Phrase :  %DJKFHDF@@#$%^HSGHDSHs!@@@@@###@
Priv type :  AES256
Priv Phrase : ())*YGHT$#asdfa*^)()(}}}}}}?????

Thanks,
Pushpa.T

Re: SNMPv3 does not provide any protection against brute force attacks.

[Prankur C. <pra...@gm...>]

Dear Wes,

Thankyou for your input. Indeed I checked it before this post that "-Dusm"
can capture some Unknown user, bad Auth/Priv password.
such logs then can be filtered in the fail2ban.

It also makes sense about what you say regarding setting up a firewall.

Incase someone is wondering about the fail2ban filters and jail, feel free
to check out the fail2ban issue 3767 (
https://github.com/fail2ban/fail2ban/issues/3767)

Cheers

On Fri, Jun 21, 2024 at 4:41 PM Wes Hardaker <har...@us...>
wrote:

> Prankur Chauhan <pra...@gm...> writes:
>
> > Is it possible to identify a malicious IP who is trying multiple times
> > authentication requests with wrong credentials and increase the
> > response time for each subsequent auth request, consequently also lock
> > him/her out for some duration?
> >
> > Do you guys know if snmpd can be configured to work with tools such as
> fail2ban?
>
> A few things:
>
> 1. With the right debugging flags turned on (try -Dusm) you might be
>    able to watch for failures and create a fail2ban hook to provide
>    fail2ban with new jail entries.
>
> 2. But my importantly, you should never ever have an snmp agent (of any
>    kind) connected to the internet without a firewall in front of it that
>    restricts access to only trusted IP addresses.  This generally is true
>    for any SNMP or other management control protocol -- they should be
>    accessible only from internal networks.
>
> --
> Wes Hardaker
> Please mail all replies to net...@li...
>


-- 
Cheers
Prankur

Re: SNMPv3 does not provide any protection against brute force attacks.

[Wes H. <har...@us...>]

Prankur Chauhan <pra...@gm...> writes:

> Is it possible to identify a malicious IP who is trying multiple times
> authentication requests with wrong credentials and increase the
> response time for each subsequent auth request, consequently also lock
> him/her out for some duration?
> 
> Do you guys know if snmpd can be configured to work with tools such as fail2ban?

A few things:

1. With the right debugging flags turned on (try -Dusm) you might be
   able to watch for failures and create a fail2ban hook to provide
   fail2ban with new jail entries.

2. But my importantly, you should never ever have an snmp agent (of any
   kind) connected to the internet without a firewall in front of it that
   restricts access to only trusted IP addresses.  This generally is true
   for any SNMP or other management control protocol -- they should be
   accessible only from internal networks.

-- 
Wes Hardaker
Please mail all replies to net...@li...

Re: libkvm usage on FreeBSD

[Bart V. A. <bva...@ac...>]

On 6/11/24 7:04 AM, Mark Johnston wrote:
> commit 304f8cf7f176920cb689d237f612c9a25cd14e84
> Author: Mark Johnston <ma...@Fr...>
> Date:   Thu Apr 4 16:34:26 2024 -0400
> 
>      snmpd: Always open libkvm in "safe mode" on FreeBSD

This patch has been applied on the V5-9-patches and master branches.
Thanks for the patch!

Bart.

SNMPv3 does not provide any protection against brute force attacks.

[Prankur C. <pra...@gm...>]

Dear SNMP Development Team,

I have identified that the authentication requests are not Rate limited and
there are no lockout policies in the SNMPD (Master Agent).

Is it possible to identify a malicious IP who is trying multiple times
authentication requests with wrong credentials and increase the response
time for each subsequent auth request, consequently also lock him/her out
for some duration?

Do you guys know if snmpd can be configured to work with tools such as
fail2ban?

Your advice/help is much appreciated.

-- 
Cheers
Prankur

Re: libkvm usage on FreeBSD

[Mark J. <ma...@fr...>]

On Mon, Jun 10, 2024 at 03:51:33PM -0700, Bart Van Assche wrote:
> 
> On 6/10/24 13:27, Mark Johnston wrote:
> > Would it be helpful for me to submit a patch?  A few of us have been
> > testing snmpd with my original patch (to tell libkvm not to open
> > /dev/kmem etc.) for a while now with no issues.
> A patch definitely would be welcome.

The patch below implements your suggestion.  That is, init_kmem() gets a
libkvm handle without opening /dev/kmem, no matter whether --with-kmem-usage
or --without-kmem-usage was specified at compile time.

Thinking about this more, users might still want --with-kmem-usage to
cause snmpd to open /dev/kmem, in the case where they have custom MIBs
implementations which require the use of klookup().  With this patch,
it's impossible to use klookup() on FreeBSD.  I believe this is fine for
the code shipped with net-snmp, but it might break some custom 3rd-party
MIBs.  I'm not too concerned about this, as the official FreeBSD
net-snmp package will be compiled with --without-kmem-usage, but perhaps
it still makes sense to leave an escape hatch.

commit 304f8cf7f176920cb689d237f612c9a25cd14e84
Author: Mark Johnston <ma...@Fr...>
Date:   Thu Apr 4 16:34:26 2024 -0400

    snmpd: Always open libkvm in "safe mode" on FreeBSD
    
    By specifying /dev/null as the path to kvm_openfiles(), we can get a
    libkvm descriptor which does not hold /dev/kmem open.  None of the code
    shipped with net-snmp needs a /dev/kmem handle.
    
    Make this change for both the NETSNMP_NO_KMEM_USAGE and
    !NETSNMP_NO_KMEM_USAGE cases, per a suggestion from
    Bart Van Assche <bva...@ac...>.

diff --git a/agent/kernel.c b/agent/kernel.c
index 9a6d22592c..671e5244fc 100644
--- a/agent/kernel.c
+++ b/agent/kernel.c
@@ -44,7 +44,7 @@
 #include "kernel.h"
 #include <net-snmp/agent/ds_agent.h>
 
-#if defined(HAVE_KVM_H) && !defined(NETSNMP_NO_KMEM_USAGE)
+#if defined(HAVE_KVM_H) && !defined(NETSNMP_NO_KMEM_USAGE) && !defined(__FreeBSD__)
 kvm_t *kd;
 
 /**
@@ -130,7 +130,7 @@ free_kmem(void)
     }
 }
 
-#elif defined(HAVE_NLIST_H) && !defined(__linux__) &&   \
+#elif defined(HAVE_NLIST_H) && !defined(__linux__) && !defined(__FreeBSD__) && \
     !defined(NETSNMP_NO_KMEM_USAGE)
 
 static off_t    klseek(off_t);
@@ -252,7 +252,48 @@ free_kmem(void)
         kmem = -1;
     }
 }
+#elif defined(__FreeBSD__)
+kvm_t *kd;
+
+/**
+ * Initialize the libkvm descriptor. On FreeBSD we can use most of libkvm
+ * without requiring /dev/kmem access.  Only kvm_nlist() and kvm_read() need
+ * that, and we don't use them.
+ *
+ * @return TRUE upon success; FALSE upon failure.
+ */
+int
+init_kmem(const char *file)
+{
+    char err[4096];
+
+    kd = kvm_openfiles(NULL, "/dev/null", NULL, O_RDONLY, err);
+    if (!kd) {
+        snmp_log(LOG_CRIT, "init_kmem: kvm_openfiles failed: %s\n", err);
+        return FALSE;
+    }
+    return TRUE;
+}
 
+/**
+ * A stub to return failure to any attempt to read kernel memory.  Our
+ * libkvm handle doesn't enable /dev/kmem access.  MIB implementations should
+ * use unprivileged to fetch information about the system.
+ */
+int
+klookup(unsigned long off, void *target, size_t siz)
+{
+    return 0;
+}
+
+void
+free_kmem(void)
+{
+    if (kd != NULL) {
+        (void)kvm_close(kd);
+        kd = NULL;
+    }
+}
 #else
 int
 init_kmem(const char *file)

Re: libkvm usage on FreeBSD

[Bart V. A. <bva...@ac...>]

On 6/10/24 13:27, Mark Johnston wrote:
> Would it be helpful for me to submit a patch?  A few of us have been
> testing snmpd with my original patch (to tell libkvm not to open
> /dev/kmem etc.) for a while now with no issues.
A patch definitely would be welcome.

Thanks,

Bart.

Re: libkvm usage on FreeBSD

[Mark J. <ma...@fr...>]

On Fri, Apr 12, 2024 at 03:51:51PM -0700, Bart Van Assche wrote:
> On 4/12/24 7:29 AM, Mark Johnston wrote:
> > Do you mean that on FreeBSD we should always perform an unprivileged
> > kvm_openfile() call, no matter whether --without-kmem-usage is
> > specified?
> 
> Yes, that's what I'm proposing. If someone disagrees, please share your
> opinion now.

Hi Bart,

Were you planning to make a change along these lines?  Would it be
helpful for me to submit a patch?  A few of us have been testing snmpd
with my original patch (to tell libkvm not to open /dev/kmem etc.) for a
while now with no issues.

Thanks,
-Mark

Re: AES192 and SHA256 support

[Bill F. <fe...@gm...>]

Hi Michael,

I'm sorry, my system only creates users by adding "usmUser" entries to the
configuration file directly, so I don't know anything about how snmpusm
should work.

  Bill


On Wed, Jun 5, 2024 at 1:09 PM north digitalphenomena.com <
no...@di...> wrote:

>
> Bill,
>
> I have compiled net-snmp (5.9.3) with the "--enable-blumenthal-aes"
> configure
> option, yet when I run any of the commands for creating a user with
> AES-192 or
> AES-256 give me a "Decryption error" (see below). OpenSSL does have the
> 192/256 set of variants for AES showing up in the list with "openssl list
> -cipher-algorithms" --
> Is there something else that needs to be turned on the in net-snmp to make
> this extension operable? (Or OpenSSL (version 3.0.8), for that matter).
>
> Thanks,
>
> Michael North
>
> + awk 'BEGIN {FS=":"} {print $2}'
> + passwd='admin_test_password#9812'
> + '[' '!' -z 'admin_test_password#9812' ]
> + '[' '!' -z authPriv ]
> + '[' '!' -z SHA ]
> + adminAuth=' -l authPriv -a SHA -A admin_test_password#9812'
> + '[' '!' -z AES-256 ]
> + encrypt='-x AES-256 -X admin_test_password#9812'
> + snmpusm -v 3 -u adminextronshaaes256 -n  -l authPriv -a SHA -A
> 'admin_test_password#9812' -x AES-256 -X 'admin_test_password#9812'
> /tmp/xsnmp/snmpagent create danellb adminextronshaaes256
> snmpset: Decryption error
> + status=
>
>
>
> ------------------------------
> *From:* Bill Fenner <fe...@gm...>
> *Sent:* Tuesday, June 4, 2024 11:13 PM
> *To:* sukeerthi bj <suk...@gm...>
> *Cc:* net...@li... <
> net...@li...>
> *Subject:* Re: AES192 and SHA256 support
>
> Hi Sukeerthi,
>
> You're looking at the code that is used when NETSNMP_USE_PKCS11 is
> defined.  The SHA2 hashes such as SHA256 are only available with OpenSSL,
> in which case we use sc_get_openssl_hashfn() to pick the hash function that
> corresponds with the configured hash algorithm.
>
>   Bill
>
>
> On Fri, May 17, 2024 at 7:44 AM sukeerthi bj <suk...@gm...>
> wrote:
>
> Hi,
>
> I see AES192 and SHA256 support in SNMP, but wanted to understand if below
> code is doing right? Here for pcks_generate_ku only CKM_SHA_1 is passed.
> For SHA256 should not CKM_SHA256 be passed here instead?
> Can anyone have a look into this and explain?
>
> #ifndef NETSNMP_DISABLE_MD5
> if (NETSNMP_USMAUTH_HMACMD5 == auth_type)
> return pkcs_generate_Ku(CKM_MD5, P, pplen, Ku, kulen);
> else
> #endif
> if (NETSNMP_USMAUTH_HMACSHA1 == auth_type)
> return pkcs_generate_Ku(CKM_SHA_1, P, pplen, Ku, kulen);
> else {
> return (SNMPERR_GENERR);
> _______________________________________________
> Net-snmp-coders mailing list
> Net...@li...
> https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
>
>

Re: AES192 and SHA256 support

[Bill F. <fe...@gm...>]

Hi Sukeerthi,

You're looking at the code that is used when NETSNMP_USE_PKCS11 is
defined.  The SHA2 hashes such as SHA256 are only available with OpenSSL,
in which case we use sc_get_openssl_hashfn() to pick the hash function that
corresponds with the configured hash algorithm.

  Bill


On Fri, May 17, 2024 at 7:44 AM sukeerthi bj <suk...@gm...> wrote:

> Hi,
>
> I see AES192 and SHA256 support in SNMP, but wanted to understand if below
> code is doing right? Here for pcks_generate_ku only CKM_SHA_1 is passed.
> For SHA256 should not CKM_SHA256 be passed here instead?
> Can anyone have a look into this and explain?
>
> #ifndef NETSNMP_DISABLE_MD5
> if (NETSNMP_USMAUTH_HMACMD5 == auth_type)
> return pkcs_generate_Ku(CKM_MD5, P, pplen, Ku, kulen);
> else
> #endif
> if (NETSNMP_USMAUTH_HMACSHA1 == auth_type)
> return pkcs_generate_Ku(CKM_SHA_1, P, pplen, Ku, kulen);
> else {
> return (SNMPERR_GENERR);
> _______________________________________________
> Net-snmp-coders mailing list
> Net...@li...
> https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
>

Re: Getting listening port number while processing request

[Teus B. <teu...@gm...>]

On Wed, 22 May 2024 at 01:58, Bart Van Assche <bva...@ac...> wrote:

> The attached patch in combination with a patch that reduces code
> duplication have been applied. Please retest.
>
> Hello Bart,

That is a nice update to reduce code duplication, and thanks for applying
the patch plus the update.

I've tested the local port number on tcp, tcp6, udp, and udp6, and it works
fine in all four cases. The local port number can correctly be read
from the session object.

We were happy to be able to contribute a little bit.

Teus.

Re: Correct way of stopping snmpd

[Pushpa T. <pus...@gm...>]

Thank you Josef Ridky and Niels Baggesen

On Tue, May 21, 2024 at 10:20 PM Niels Baggesen <ni...@ba...> wrote:

> Den 21-05-2024 kl. 13:34 skrev Niels Baggesen:
>
> > SIGTERM is not kill -9, it is kill -16. kill -9 is SIGKILL
>
> Whoops, minor typo, SIGTERM is 15, not 16. Thanks to jhawk!
>
> /Niels
>
> --
> Niels Baggesen -- @home -- Århus -- Denmark -- ni...@ba...
> The purpose of computing is insight, not numbers  --  R W Hamming
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
>
>
> _______________________________________________
> Net-snmp-coders mailing list
> Net...@li...
> https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
>

Re: Getting listening port number while processing request

[Bart V. A. <bva...@ac...>]

On 5/21/24 5:14 AM, Teus Benschop wrote:
> Thank you for the go-ahead.
> I went ahead and created the patch for the UDP domain.
> In line with the previous patch where you had added support for IPv6, I 
> have added that support to this patch too.
> It was tested and works fine when the snmpd listens on udp, and when it 
> listens on udp6.
> The patch is attached to this email.
> If it could be merged into the source code, we would be so grateful.

The attached patch in combination with a patch that reduces code
duplication have been applied. Please retest.

Thanks,

Bart.