{"id":455211,"date":"2025-04-08T21:00:57","date_gmt":"2025-04-08T21:00:57","guid":{"rendered":"http:\/\/savepearlharbor.com\/?p=455211"},"modified":"-0001-11-30T00:00:00","modified_gmt":"-0001-11-29T21:00:00","slug":"","status":"publish","type":"post","link":"https:\/\/savepearlharbor.com\/?p=455211","title":{"rendered":"<span>A Quick Guide to Setting Up SNMPv3<\/span>"},"content":{"rendered":"<div><!--[--><!--]--><\/div>\n<div id=\"post-content-body\">\n<div>\n<div class=\"article-formatted-body article-formatted-body article-formatted-body_version-2\">\n<div xmlns=\"http:\/\/www.w3.org\/1999\/xhtml\">\n<p>Setting up a v3 user on the server-side agent for the default Linux <code>snmpd<\/code> (<code>net-snmp<\/code> package).<br \/> <strong>Out of scope<\/strong>: SNMP traps and read-write (rw) users.<\/p>\n<figure class=\"full-width\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/habrastorage.org\/r\/w1560\/getpro\/habr\/upload_files\/bab\/b9e\/47d\/babb9e47db8c7bfd9e5df1f86d53eb24.png\" width=\"1065\" height=\"174\" data-src=\"https:\/\/habrastorage.org\/getpro\/habr\/upload_files\/bab\/b9e\/47d\/babb9e47db8c7bfd9e5df1f86d53eb24.png\"\/><\/figure>\n<p>SNMP version 3 allows packet transmission in encrypted form, making it safe to transfer telemetry over public networks without the risk of exposing either authentication information (analogous to a community string) or the data stream itself, which is encrypted using a symmetric algorithm with a shared key.<\/p>\n<h3>A Reminder: How v1\/v2c Is Configured<\/h3>\n<p>In SNMP <code>v1<\/code>\/<code>v2c<\/code>, the concept of a <code>community<\/code> is used. This is essentially a passphrase that the agent receives from the client. If the <code>community<\/code> matches access settings (for example, if the client\u2019s IP address is within the allowed range), the agent returns the telemetry. Everything is transmitted in plaintext, including both the <code>community<\/code> string and the requested telemetry.<\/p>\n<p>Example requests in tcpdump (with community <code>comminity_name<\/code>):<\/p>\n<pre><code>tcpdump: listening on br0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 20:28:09.382435 IP (tos 0x48, ttl 44, id 25108, offset 0, flags [DF], proto UDP (17), length 74)     192.158.1.38.46214 &gt; 198.51.100.1.161:  { SNMPv2c C=\"comminity_name\" { GetNextRequest(25) R=1193096294  .1.3.6.1.2.1 } }  20:28:09.414940 IP (tos 0x48, ttl 44, id 25112, offset 0, flags [DF], proto UDP (17), length 77)     192.158.1.38.46214 &gt; 198.51.100.1.161:  { SNMPv2c C=\"comminity_name\" { GetNextRequest(28) R=1193096295  .1.3.6.1.2.1.1.1.0 } }  20:28:09.447385 IP (tos 0x48, ttl 44, id 25117, offset 0, flags [DF], proto UDP (17), length 77)     192.158.1.38.46214 &gt; 198.51.100.1.161:  { SNMPv2c C=\"comminity_name\" { GetNextRequest(28) R=1193096296  .1.3.6.1.2.1.1.2.0 } }  20:28:09.479880 IP (tos 0x48, ttl 44, id 25125, offset 0, flags [DF], proto UDP (17), length 77)     192.158.1.38.46214 &gt; 198.51.100.1.161:  { SNMPv2c C=\"comminity_name\" { GetNextRequest(28) R=1193096297  .1.3.6.1.2.1.1.3.0 } }  20:28:09.512357 IP (tos 0x48, ttl 44, id 25128, offset 0, flags [DF], proto UDP (17), length 77) ...<\/code><\/pre>\n<p><strong>NB<\/strong>: In tcpdump here and below, only requests are shown\u2014responses are omitted.<\/p>\n<p>To configure v2 community, add a line to <code>\/etc\/snmp\/snmpd.conf<\/code> with the following syntax:<\/p>\n<pre><code>rocommunity[6] communityname [access] [-V view]<\/code><\/pre>\n<p>Where:<\/p>\n<ul>\n<li>\n<p><code>6<\/code> (optional) \u2013 enables IPv6 (separate from IPv4)<\/p>\n<\/li>\n<li>\n<p><code>communityname<\/code> \u2013 the name of the community, effectively a shared password<\/p>\n<\/li>\n<li>\n<p><code>access<\/code> (optional) \u2013 access control options: <code>default<\/code>, <code>hostname<\/code>, <code>network\/bits<\/code><\/p>\n<\/li>\n<li>\n<p><code>-V view<\/code> (optional) \u2013 limits visibility to a specific OID subtree (configured separately; out of scope here)<\/p>\n<\/li>\n<\/ul>\n<p>A basic example:<\/p>\n<pre><code>rocommunity  comminity_name rocommunity6 comminity_name<\/code><\/pre>\n<p>This sets up a single read-only community called <code>comminity_name<\/code> for both IPv4 and IPv6 with no additional access restrictions.<\/p>\n<p>That should be enough to understand the basics.<\/p>\n<h3>Authentication in SNMPv3<\/h3>\n<p>Version 3 drops the term <em>community<\/em>. Or rather, it\u2019s been reworked, but the term itself is no longer used. Now there\u2019s encryption for both the stream and the authentication data. What\u2019s used instead?<\/p>\n<ul>\n<li>\n<p>A username<\/p>\n<\/li>\n<li>\n<p>An authentication password<\/p>\n<\/li>\n<li>\n<p>An encryption password<\/p>\n<\/li>\n<\/ul>\n<p>So instead of a familiar \u201clogin\/password\u201d pair, we get a less intuitive \u201clogin\/two passwords\u201d model. Each password also requires an associated algorithm:<\/p>\n<ul>\n<li>\n<p>The authentication password uses a hashing algorithm\u2014traditionally MD5 or SHA (with SHA variants introduced in later versions)<\/p>\n<\/li>\n<li>\n<p>The encryption password uses a symmetric encryption algorithm\u2014traditionally DES or AES (again, later AES variants exist)<\/p>\n<\/li>\n<\/ul>\n<p>A sample <code>v3<\/code> request in tcpdump looks like this:<\/p>\n<pre><code>tcpdump: listening on br0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 23:28:39.753314 IP (tos 0x48, ttl 44, id 62294, offset 0, flags [DF], proto UDP (17), length 92)     192.158.1.38.48116 &gt; 198.51.100.1.161:  { SNMPv3 { F=r } { USM B=0 T=0 U=\"\" } { ScopedPDU E= C=\"\" { GetRequest(14) R=30306933  } } }  23:28:39.785927 IP (tos 0x48, ttl 44, id 62301, offset 0, flags [DF], proto UDP (17), length 171)     192.158.1.38.48116 &gt; 198.51.100.1.161:  { SNMPv3 { F=apr } { USM B=9 T=330 U=\"user_name\" } { ScopedPDU [!scoped PDU]8f_6f_9f_0a_aa_3b_69_8c_02_30_66_48_52_7d_52_2b_9e_b0_a2_84_cc_60_8a_9e_d5_67_30_52_26_88_0e_68_a7_89_5d_df_78_a4_9b_4e_62_dc_f6_54_f8_16_00_02_ba_f7} }  23:28:39.818831 IP (tos 0x48, ttl 44, id 62308, offset 0, flags [DF], proto UDP (17), length 174)     192.158.1.38.48116 &gt; 198.51.100.1.161:  { SNMPv3 { F=apr } { USM B=9 T=330 U=\"user_name\" } { ScopedPDU [!scoped PDU]f1_46_7e_ec_3a_d4_38_94_69_38_14_73_20_71_de_1a_24_b2_61_56_d9_a2_c3_20_b2_6b_6e_11_5f_23_25_f7_56_ba_09_df_09_82_79_54_ec_22_7a_f5_81_60_52_59_83_65_40_09_ac} }  23:28:39.851664 IP (tos 0x48, ttl 44, id 62310, offset 0, flags [DF], proto UDP (17), length 174)     192.158.1.38.48116 &gt; 198.51.100.1.161:  { SNMPv3 { F=apr } { USM B=9 T=330 U=\"user_name\" } { ScopedPDU [!scoped PDU]43_30_e9_c9_7c_e2_07_9e_41_74_53_98_51_79_ff_7b_26_51_93_b2_fe_35_db_8e_a4_67_58_87_3e_de_8c_f6_5a_3e_1d_a4_47_d7_3d_f9_c8_b1_ac_2f_d2_48_3a_57_d0_f4_a8_45_9c} }  23:28:39.884478 IP (tos 0x48, ttl 44, id 62316, offset 0, flags [DF], proto UDP (17), length 174)     192.158.1.38.48116 &gt; 198.51.100.1.161:  { SNMPv3 { F=apr } { USM B=9 T=330 U=\"user_name\" } { ScopedPDU [!scoped PDU]a0_35_d4_83_cb_6a_82_f1_bd_d7_16_58_00_ff_d7_5e_03_3a_01_c8_be_2e_6d_e5_bf_eb_7c_ce_07_12_76_fc_ee_6e_61_dc_18_d3_4b_7e_dd_f7_bc_f1_3e_de_ad_52_a2_2e_22_ea_74} }  ...<\/code><\/pre>\n<p>Note that the username is not encrypted, so be careful not to leak anything unnecessary in transit.<\/p>\n<p>Configuration is a bit more involved. You can\u2019t just drop a pre-written line into the config (with caveats), because authentication data is generated when the user is created. This complicates deployment using common tools like Ansible.<\/p>\n<p>Both the agent and client must share the following (besides the agent hostname):<\/p>\n<ul>\n<li>\n<p>Username<\/p>\n<\/li>\n<li>\n<p>Authentication password (CLI option <code>-a<\/code> for net-snmp)<\/p>\n<\/li>\n<li>\n<p>Authentication algorithm (<code>-A<\/code>)<\/p>\n<\/li>\n<li>\n<p>Encryption password (<code>-x<\/code>)<\/p>\n<\/li>\n<li>\n<p>Encryption algorithm (<code>-X<\/code>)<\/p>\n<\/li>\n<\/ul>\n<p>In addition to the main config <code>\/etc\/snmp\/snmpd.conf<\/code>, there are at least two other files for dynamic user creation and auth data storage:<\/p>\n<ul>\n<li>\n<p><code>\/var\/lib\/snmp\/snmpd.conf<\/code><\/p>\n<\/li>\n<li>\n<p><code>\/usr\/share\/snmp\/snmpd.conf<\/code><\/p>\n<\/li>\n<\/ul>\n<p>The <code>snmpd<\/code> daemon writes the necessary lines on startup. So before creating a user, the process must be stopped. If not, the built-in script will refuse to create a user, since it overwrites one of these files in-memory at startup.<\/p>\n<p>To create a user on the agent, use:<\/p>\n<pre><code>net-snmp-create-v3-user -ro -a 'auth_pass' -A SHA -x 'priv_pass' -X AES user_name<\/code><\/pre>\n<p>This creates a read-only user named <code>user_name<\/code> with:<\/p>\n<ul>\n<li>\n<p><code>auth_pass<\/code> (SHA)<\/p>\n<\/li>\n<li>\n<p><code>priv_pass<\/code> (AES)<\/p>\n<\/li>\n<\/ul>\n<p>The script writes lines to the two mentioned config files:<\/p>\n<ul>\n<li>\n<p><code>\/var\/lib\/snmp\/snmpd.conf<\/code>:<br \/> <code>createUser user_name SHA \"auth_pass\" AES \"priv_pass\"<\/code><\/p>\n<\/li>\n<li>\n<p><code>\/usr\/share\/snmp\/snmpd.conf<\/code>:<br \/> <code>rouser user_name<\/code><\/p>\n<\/li>\n<\/ul>\n<p>But that\u2019s not all. On startup, <code>snmpd<\/code> modifies <code>\/var\/lib\/snmp\/snmpd.conf<\/code>: all <code>createUser<\/code> lines are removed and replaced with something like:<\/p>\n<pre><code>usmUser 1 3 0x80001f888052e226409c42d06300000000 \"user_name\" \"user_name\" NULL .1.3.6.1.6.3.10.1.1.3 0x018a3bb9c17caafed74347e50d918963e37e70d7 .1.3.6.1.6.3.10.1.2.4 0xcfdecd0e1bc6bf08eb7ae90e68bdb414 \"\"<\/code><\/pre>\n<p>The <code>\/usr\/share\/snmp\/snmpd.conf<\/code> file remains unchanged. You can manage these <code>usmUser<\/code> lines with the CLI utility <code>snmpusm<\/code> (see <code>man<\/code>).<\/p>\n<h3>SNMPv3 Security Levels<\/h3>\n<p>Let\u2019s briefly touch on SNMPv3 security levels. Common levels include:<\/p>\n<ul>\n<li>\n<p><code>noAuthNoPriv<\/code> \u2014 no authentication, no encryption<\/p>\n<\/li>\n<li>\n<p><code>authNoPriv<\/code> \u2014 authenticated but unencrypted<\/p>\n<\/li>\n<li>\n<p><code>authPriv<\/code> \u2014 authenticated and encrypted<\/p>\n<\/li>\n<\/ul>\n<p>The first is rarely used; let\u2019s focus on <code>authNoPriv<\/code> and <code>authPriv<\/code>.<\/p>\n<p>Sample <code>tcpdump<\/code> output for <code>authNoPriv<\/code>:<\/p>\n<pre><code>10:50:58.534839 IP (tos 0x48, ttl 44, id 54935, offset 0, flags [DF], proto UDP (17), length 92)     192.158.1.38.20723 &gt; 198.51.100.1.161:  { SNMPv3 { F=r } { USM B=0 T=0 U=\"\" } { ScopedPDU E= C=\"\" { GetRequest(14) R=1808634162  } } }  10:50:58.567563 IP (tos 0x48, ttl 44, id 54937, offset 0, flags [DF], proto UDP (17), length 162)     192.158.1.38.20723 &gt; 198.51.100.1.161:  { SNMPv3 { F=ar } { USM B=10 T=39805 U=\"user_name\" } { ScopedPDU E=_80_00_1f_88_80_52_e2_26_40_9c_42_d0_63_00_00_00_00 C=\"\" { GetNextRequest(25) R=1808634161  .1.3.6.1.2.1 } } }  10:50:58.600457 IP (tos 0x48, ttl 44, id 54945, offset 0, flags [DF], proto UDP (17), length 165)     192.158.1.38.20723 &gt; 198.51.100.1.161:  { SNMPv3 { F=ar } { USM B=10 T=39805 U=\"user_name\" } { ScopedPDU E=_80_00_1f_88_80_52_e2_26_40_9c_42_d0_63_00_00_00_00 C=\"\" { GetNextRequest(28) R=1808634163  .1.3.6.1.2.1.1.1.0 } } }  ...<\/code><\/pre>\n<p>And for <code>authPriv<\/code>:<\/p>\n<pre><code>10:51:47.463848 IP (tos 0x48, ttl 44, id 61280, offset 0, flags [DF], proto UDP (17), length 92)     192.158.1.38.54277 &gt; 198.51.100.1.161:  { SNMPv3 { F=r } { USM B=0 T=0 U=\"\" } { ScopedPDU E= C=\"\" { GetRequest(14) R=1901099838  } } }  10:51:47.496541 IP (tos 0x48, ttl 44, id 61282, offset 0, flags [DF], proto UDP (17), length 172)     192.158.1.38.54277 &gt; 198.51.100.1.161:  { SNMPv3 { F=apr } { USM B=10 T=39854 U=\"user_name\" } { ScopedPDU [!scoped PDU]f2_87_ea_15_87_25_a7_b8_44_b4_38_62_15_86_d4_4e_1a_99_34_9e_6c_4d_6a_39_ea_1c_d7_1c_6e_f6_1f_76_c0_e2_ba_91_4d_8e_d5_9c_e7_06_29_c1_47_6e_a2_9a_2b_5c} }  10:51:47.529402 IP (tos 0x48, ttl 44, id 61290, offset 0, flags [DF], proto UDP (17), length 175)     192.158.1.38.54277 &gt; 198.51.100.1.161:  { SNMPv3 { F=apr } { USM B=10 T=39854 U=\"user_name\" } { ScopedPDU [!scoped PDU]da_e4_d6_48_f1_ea_28_7f_bf_ce_d6_e0_ef_f7_95_06_0c_d7_79_7c_f1_4b_78_75_4f_1a_e2_00_a6_83_d5_e6_c2_82_55_0f_09_a4_7d_f1_e1_f2_a0_64_d3_c3_d7_13_c3_ae_95_8b_db} }  ...<\/code><\/pre>\n<p>You can see that in <code>authNoPriv<\/code>, only the authentication part is encrypted\u2014requested OIDs are visible. In <code>authPriv<\/code>, the entire payload is encrypted, increasing the packet size slightly. While this adds some CPU overhead, it\u2019s negligible today given the speed of symmetric encryption with a shared key.<\/p>\n<h3>Configuring the Client<\/h3>\n<p>You can test whether SNMP is working using the built-in <code>snmpwalk<\/code> tool.<\/p>\n<p>For SNMP <code>v2c<\/code> (<code>community<\/code>-based):<\/p>\n<pre><code>snmpwalk -v 2c -c communityname hostname<\/code><\/pre>\n<p>Where:<\/p>\n<ul>\n<li>\n<p><code>communityname<\/code> \u2014 the community name<\/p>\n<\/li>\n<li>\n<p><code>hostname<\/code> \u2014 the agent\u2019s hostname<\/p>\n<\/li>\n<\/ul>\n<p>For SNMP <code>v3<\/code> with <code>authPriv<\/code> encryption:<\/p>\n<pre><code>snmpwalk -v 3 -a SHA -A auth_pass -x AES -X priv_pass -l authPriv -u user_name hostname<\/code><\/pre>\n<p>Where:<\/p>\n<ul>\n<li>\n<p><code>SHA<\/code> \u2014 authentication algorithm<\/p>\n<\/li>\n<li>\n<p><code>auth_pass<\/code> \u2014 authentication password<\/p>\n<\/li>\n<li>\n<p><code>AES<\/code> \u2014 encryption algorithm<\/p>\n<\/li>\n<li>\n<p><code>priv_pass<\/code> \u2014 encryption password<\/p>\n<\/li>\n<li>\n<p><code>authPriv<\/code> \u2014 &#171;authenticated + encrypted&#187; security level<\/p>\n<\/li>\n<li>\n<p><code>user_name<\/code> \u2014 the username<\/p>\n<\/li>\n<li>\n<p><code>hostname<\/code> \u2014 the agent\u2019s hostname<\/p>\n<\/li>\n<\/ul>\n<p>If that works, just fill in the corresponding values in your monitoring software.<\/p>\n<figure class=\"full-width\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/habrastorage.org\/r\/w1560\/getpro\/habr\/upload_files\/ac2\/bdd\/a95\/ac2bdda956e30787346538e3233788dc.png\" alt=\"CC BY-SA, Vadim Rybalko. SNMPv3 Configuration in LibreNMS.\" title=\"CC BY-SA, Vadim Rybalko. SNMPv3 Configuration in LibreNMS.\" width=\"838\" height=\"926\" data-src=\"https:\/\/habrastorage.org\/getpro\/habr\/upload_files\/ac2\/bdd\/a95\/ac2bdda956e30787346538e3233788dc.png\"\/><\/p>\n<div><figcaption>CC BY-SA, Vadim Rybalko. SNMPv3 Configuration in LibreNMS.<\/figcaption><\/div>\n<\/figure>\n<p>If something isn\u2019t working, check firewall rules on both ends. Try running <code>snmpwalk<\/code> from the monitoring host and inspect the traffic with <code>tcpdump<\/code>. Also test SNMP access from the agent host itself, using both the external IP and loopback addresses like <code>127.0.0.1<\/code> or <code>::1<\/code>.<\/p>\n<\/p>\n<\/div>\n<\/div>\n<\/div>\n<p><!----><!----><\/div>\n<p><!----><!----><br \/> \u0441\u0441\u044b\u043b\u043a\u0430 \u043d\u0430 \u043e\u0440\u0438\u0433\u0438\u043d\u0430\u043b \u0441\u0442\u0430\u0442\u044c\u0438 <a href=\"https:\/\/habr.com\/ru\/articles\/898914\/\"> https:\/\/habr.com\/ru\/articles\/898914\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<div><!--[--><!--]--><\/div>\n<div id=\"post-content-body\">\n<div>\n<div class=\"article-formatted-body article-formatted-body article-formatted-body_version-2\">\n<div xmlns=\"http:\/\/www.w3.org\/1999\/xhtml\">\n<p>Setting up a v3 user on the server-side agent for the default Linux <code>snmpd<\/code> (<code>net-snmp<\/code> package).<br \/> <strong>Out of scope<\/strong>: SNMP traps and read-write (rw) users.<\/p>\n<figure class=\"full-width\"><\/figure>\n<p>SNMP version 3 allows packet transmission in encrypted form, making it safe to transfer telemetry over public networks without the risk of exposing either authentication information (analogous to a community string) or the data stream itself, which is encrypted using a symmetric algorithm with a shared key.<\/p>\n<h3>A Reminder: How v1\/v2c Is Configured<\/h3>\n<p>In SNMP <code>v1<\/code>\/<code>v2c<\/code>, the concept of a <code>community<\/code> is used. This is essentially a passphrase that the agent receives from the client. If the <code>community<\/code> matches access settings (for example, if the client\u2019s IP address is within the allowed range), the agent returns the telemetry. Everything is transmitted in plaintext, including both the <code>community<\/code> string and the requested telemetry.<\/p>\n<p>Example requests in tcpdump (with community <code>comminity_name<\/code>):<\/p>\n<pre><code>tcpdump: listening on br0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 20:28:09.382435 IP (tos 0x48, ttl 44, id 25108, offset 0, flags [DF], proto UDP (17), length 74)     192.158.1.38.46214 &gt; 198.51.100.1.161:  { SNMPv2c C=\"comminity_name\" { GetNextRequest(25) R=1193096294  .1.3.6.1.2.1 } }  20:28:09.414940 IP (tos 0x48, ttl 44, id 25112, offset 0, flags [DF], proto UDP (17), length 77)     192.158.1.38.46214 &gt; 198.51.100.1.161:  { SNMPv2c C=\"comminity_name\" { GetNextRequest(28) R=1193096295  .1.3.6.1.2.1.1.1.0 } }  20:28:09.447385 IP (tos 0x48, ttl 44, id 25117, offset 0, flags [DF], proto UDP (17), length 77)     192.158.1.38.46214 &gt; 198.51.100.1.161:  { SNMPv2c C=\"comminity_name\" { GetNextRequest(28) R=1193096296  .1.3.6.1.2.1.1.2.0 } }  20:28:09.479880 IP (tos 0x48, ttl 44, id 25125, offset 0, flags [DF], proto UDP (17), length 77)     192.158.1.38.46214 &gt; 198.51.100.1.161:  { SNMPv2c C=\"comminity_name\" { GetNextRequest(28) R=1193096297  .1.3.6.1.2.1.1.3.0 } }  20:28:09.512357 IP (tos 0x48, ttl 44, id 25128, offset 0, flags [DF], proto UDP (17), length 77) ...<\/code><\/pre>\n<p><strong>NB<\/strong>: In tcpdump here and below, only requests are shown\u2014responses are omitted.<\/p>\n<p>To configure v2 community, add a line to <code>\/etc\/snmp\/snmpd.conf<\/code> with the following syntax:<\/p>\n<pre><code>rocommunity[6] communityname [access] [-V view]<\/code><\/pre>\n<p>Where:<\/p>\n<ul>\n<li>\n<p><code>6<\/code> (optional) \u2013 enables IPv6 (separate from IPv4)<\/p>\n<\/li>\n<li>\n<p><code>communityname<\/code> \u2013 the name of the community, effectively a shared password<\/p>\n<\/li>\n<li>\n<p><code>access<\/code> (optional) \u2013 access control options: <code>default<\/code>, <code>hostname<\/code>, <code>network\/bits<\/code><\/p>\n<\/li>\n<li>\n<p><code>-V view<\/code> (optional) \u2013 limits visibility to a specific OID subtree (configured separately; out of scope here)<\/p>\n<\/li>\n<\/ul>\n<p>A basic example:<\/p>\n<pre><code>rocommunity  comminity_name rocommunity6 comminity_name<\/code><\/pre>\n<p>This sets up a single read-only community called <code>comminity_name<\/code> for both IPv4 and IPv6 with no additional access restrictions.<\/p>\n<p>That should be enough to understand the basics.<\/p>\n<h3>Authentication in SNMPv3<\/h3>\n<p>Version 3 drops the term <em>community<\/em>. Or rather, it\u2019s been reworked, but the term itself is no longer used. Now there\u2019s encryption for both the stream and the authentication data. What\u2019s used instead?<\/p>\n<ul>\n<li>\n<p>A username<\/p>\n<\/li>\n<li>\n<p>An authentication password<\/p>\n<\/li>\n<li>\n<p>An encryption password<\/p>\n<\/li>\n<\/ul>\n<p>So instead of a familiar \u201clogin\/password\u201d pair, we get a less intuitive \u201clogin\/two passwords\u201d model. Each password also requires an associated algorithm:<\/p>\n<ul>\n<li>\n<p>The authentication password uses a hashing algorithm\u2014traditionally MD5 or SHA (with SHA variants introduced in later versions)<\/p>\n<\/li>\n<li>\n<p>The encryption password uses a symmetric encryption algorithm\u2014traditionally DES or AES (again, later AES variants exist)<\/p>\n<\/li>\n<\/ul>\n<p>A sample <code>v3<\/code> request in tcpdump looks like this:<\/p>\n<pre><code>tcpdump: listening on br0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 23:28:39.753314 IP (tos 0x48, ttl 44, id 62294, offset 0, flags [DF], proto UDP (17), length 92)     192.158.1.38.48116 &gt; 198.51.100.1.161:  { SNMPv3 { F=r } { USM B=0 T=0 U=\"\" } { ScopedPDU E= C=\"\" { GetRequest(14) R=30306933  } } }  23:28:39.785927 IP (tos 0x48, ttl 44, id 62301, offset 0, flags [DF], proto UDP (17), length 171)     192.158.1.38.48116 &gt; 198.51.100.1.161:  { SNMPv3 { F=apr } { USM B=9 T=330 U=\"user_name\" } { ScopedPDU [!scoped PDU]8f_6f_9f_0a_aa_3b_69_8c_02_30_66_48_52_7d_52_2b_9e_b0_a2_84_cc_60_8a_9e_d5_67_30_52_26_88_0e_68_a7_89_5d_df_78_a4_9b_4e_62_dc_f6_54_f8_16_00_02_ba_f7} }  23:28:39.818831 IP (tos 0x48, ttl 44, id 62308, offset 0, flags [DF], proto UDP (17), length 174)     192.158.1.38.48116 &gt; 198.51.100.1.161:  { SNMPv3 { F=apr } { USM B=9 T=330 U=\"user_name\" } { ScopedPDU [!scoped PDU]f1_46_7e_ec_3a_d4_38_94_69_38_14_73_20_71_de_1a_24_b2_61_56_d9_a2_c3_20_b2_6b_6e_11_5f_23_25_f7_56_ba_09_df_09_82_79_54_ec_22_7a_f5_81_60_52_59_83_65_40_09_ac} }  23:28:39.851664 IP (tos 0x48, ttl 44, id 62310, offset 0, flags [DF], proto UDP (17), length 174)     192.158.1.38.48116 &gt; 198.51.100.1.161:  { SNMPv3 { F=apr } { USM B=9 T=330 U=\"user_name\" } { ScopedPDU [!scoped PDU]43_30_e9_c9_7c_e2_07_9e_41_74_53_98_51_79_ff_7b_26_51_93_b2_fe_35_db_8e_a4_67_58_87_3e_de_8c_f6_5a_3e_1d_a4_47_d7_3d_f9_c8_b1_ac_2f_d2_48_3a_57_d0_f4_a8_45_9c} }  23:28:39.884478 IP (tos 0x48, ttl 44, id 62316, offset 0, flags [DF], proto UDP (17), length 174)     192.158.1.38.48116 &gt; 198.51.100.1.161:  { SNMPv3 { F=apr } { USM B=9 T=330 U=\"user_name\" } { ScopedPDU [!scoped PDU]a0_35_d4_83_cb_6a_82_f1_bd_d7_16_58_00_ff_d7_5e_03_3a_01_c8_be_2e_6d_e5_bf_eb_7c_ce_07_12_76_fc_ee_6e_61_dc_18_d3_4b_7e_dd_f7_bc_f1_3e_de_ad_52_a2_2e_22_ea_74} }  ...<\/code><\/pre>\n<p>Note that the username is not encrypted, so be careful not to leak anything unnecessary in transit.<\/p>\n<p>Configuration is a bit more involved. You can\u2019t just drop a pre-written line into the config (with caveats), because authentication data is generated when the user is created. This complicates deployment using common tools like Ansible.<\/p>\n<p>Both the agent and client must share the following (besides the agent hostname):<\/p>\n<ul>\n<li>\n<p>Username<\/p>\n<\/li>\n<li>\n<p>Authentication password (CLI option <code>-a<\/code> for net-snmp)<\/p>\n<\/li>\n<li>\n<p>Authentication algorithm (<code>-A<\/code>)<\/p>\n<\/li>\n<li>\n<p>Encryption password (<code>-x<\/code>)<\/p>\n<\/li>\n<li>\n<p>Encryption algorithm (<code>-X<\/code>)<\/p>\n<\/li>\n<\/ul>\n<p>In addition to the main config <code>\/etc\/snmp\/snmpd.conf<\/code>, there are at least two other files for dynamic user creation and auth data storage:<\/p>\n<ul>\n<li>\n<p><code>\/var\/lib\/snmp\/snmpd.conf<\/code><\/p>\n<\/li>\n<li>\n<p><code>\/usr\/share\/snmp\/snmpd.conf<\/code><\/p>\n<\/li>\n<\/ul>\n<p>The <code>snmpd<\/code> daemon writes the necessary lines on startup. So before creating a user, the process must be stopped. If not, the built-in script will refuse to create a user, since it overwrites one of these files in-memory at startup.<\/p>\n<p>To create a user on the agent, use:<\/p>\n<pre><code>net-snmp-create-v3-user -ro -a 'auth_pass' -A SHA -x 'priv_pass' -X AES user_name<\/code><\/pre>\n<p>This creates a read-only user named <code>user_name<\/code> with:<\/p>\n<ul>\n<li>\n<p><code>auth_pass<\/code> (SHA)<\/p>\n<\/li>\n<li>\n<p><code>priv_pass<\/code> (AES)<\/p>\n<\/li>\n<\/ul>\n<p>The script writes lines to the two mentioned config files:<\/p>\n<ul>\n<li>\n<p><code>\/var\/lib\/snmp\/snmpd.conf<\/code>:<br \/> <code>createUser user_name SHA \"auth_pass\" AES \"priv_pass\"<\/code><\/p>\n<\/li>\n<li>\n<p><code>\/usr\/share\/snmp\/snmpd.conf<\/code>:<br \/> <code>rouser user_name<\/code><\/p>\n<\/li>\n<\/ul>\n<p>But that\u2019s not all. On startup, <code>snmpd<\/code> modifies <code>\/var\/lib\/snmp\/snmpd.conf<\/code>: all <code>createUser<\/code> lines are removed and replaced with something like:<\/p>\n<pre><code>usmUser 1 3 0x80001f888052e226409c42d06300000000 \"user_name\" \"user_name\" NULL .1.3.6.1.6.3.10.1.1.3 0x018a3bb9c17caafed74347e50d918963e37e70d7 .1.3.6.1.6.3.10.1.2.4 0xcfdecd0e1bc6bf08eb7ae90e68bdb414 \"\"<\/code><\/pre>\n<p>The <code>\/usr\/share\/snmp\/snmpd.conf<\/code> file remains unchanged. You can manage these <code>usmUser<\/code> lines with the CLI utility <code>snmpusm<\/code> (see <code>man<\/code>).<\/p>\n<h3>SNMPv3 Security Levels<\/h3>\n<p>Let\u2019s briefly touch on SNMPv3 security levels. Common levels include:<\/p>\n<ul>\n<li>\n<p><code>noAuthNoPriv<\/code> \u2014 no authentication, no encryption<\/p>\n<\/li>\n<li>\n<p><code>authNoPriv<\/code> \u2014 authenticated but unencrypted<\/p>\n<\/li>\n<li>\n<p><code>authPriv<\/code> \u2014 authenticated and encrypted<\/p>\n<\/li>\n<\/ul>\n<p>The first is rarely used; let\u2019s focus on <code>authNoPriv<\/code> and <code>authPriv<\/code>.<\/p>\n<p>Sample <code>tcpdump<\/code> output for <code>authNoPriv<\/code>:<\/p>\n<pre><code>10:50:58.534839 IP (tos 0x48, ttl 44, id 54935, offset 0, flags [DF], proto UDP (17), length 92)     192.158.1.38.20723 &gt; 198.51.100.1.161:  { SNMPv3 { F=r } { USM B=0 T=0 U=\"\" } { ScopedPDU E= C=\"\" { GetRequest(14) R=1808634162  } } }  10:50:58.567563 IP (tos 0x48, ttl 44, id 54937, offset 0, flags [DF], proto UDP (17), length 162)     192.158.1.38.20723 &gt; 198.51.100.1.161:  { SNMPv3 { F=ar } { USM B=10 T=39805 U=\"user_name\" } { ScopedPDU E=_80_00_1f_88_80_52_e2_26_40_9c_42_d0_63_00_00_00_00 C=\"\" { GetNextRequest(25) R=1808634161  .1.3.6.1.2.1 } } }  10:50:58.600457 IP (tos 0x48, ttl 44, id 54945, offset 0, flags [DF], proto UDP (17), length 165)     192.158.1.38.20723 &gt; 198.51.100.1.161:  { SNMPv3 { F=ar } { USM B=10 T=39805 U=\"user_name\" } { ScopedPDU E=_80_00_1f_88_80_52_e2_26_40_9c_42_d0_63_00_00_00_00 C=\"\" { GetNextRequest(28) R=1808634163  .1.3.6.1.2.1.1.1.0 } } }  ...<\/code><\/pre>\n<p>And for <code>authPriv<\/code>:<\/p>\n<pre><code>10:51:47.463848 IP (tos 0x48, ttl 44, id 61280, offset 0, flags [DF], proto UDP (17), length 92)     192.158.1.38.54277 &gt; 198.51.100.1.161:  { SNMPv3 { F=r } { USM B=0 T=0 U=\"\" } { ScopedPDU E= C=\"\" { GetRequest(14) R=1901099838  } } }  10:51:47.496541 IP (tos 0x48, ttl 44, id 61282, offset 0, flags [DF], proto UDP (17), length 172)     192.158.1.38.54277 &gt; 198.51.100.1.161:  { SNMPv3 { F=apr } { USM B=10 T=39854 U=\"user_name\" } { ScopedPDU [!scoped PDU]f2_87_ea_15_87_25_a7_b8_44_b4_38_62_15_86_d4_4e_1a_99_34_9e_6c_4d_6a_39_ea_1c_d7_1c_6e_f6_1f_76_c0_e2_ba_91_4d_8e_d5_9c_e7_06_29_c1_47_6e_a2_9a_2b_5c} }  10:51:47.529402 IP (tos 0x48, ttl 44, id 61290, offset 0, flags [DF], proto UDP (17), length 175)     192.158.1.38.54277 &gt; 198.51.100.1.161:  { SNMPv3 { F=apr } { USM B=10 T=39854 U=\"user_name\" } { ScopedPDU [!scoped PDU]da_e4_d6_48_f1_ea_28_7f_bf_ce_d6_e0_ef_f7_95_06_0c_d7_79_7c_f1_4b_78_75_4f_1a_e2_00_a6_83_d5_e6_c2_82_55_0f_09_a4_7d_f1_e1_f2_a0_64_d3_c3_d7_13_c3_ae_95_8b_db} }  ...<\/code><\/pre>\n<p>You can see that in <code>authNoPriv<\/code>, only the authentication part is encrypted\u2014requested OIDs are visible. In <code>authPriv<\/code>, the entire payload is encrypted, increasing the packet size slightly. While this adds some CPU overhead, it\u2019s negligible today given the speed of symmetric encryption with a shared key.<\/p>\n<h3>Configuring the Client<\/h3>\n<p>You can test whether SNMP is working using the built-in <code>snmpwalk<\/code> tool.<\/p>\n<p>For SNMP <code>v2c<\/code> (<code>community<\/code>-based):<\/p>\n<pre><code>snmpwalk -v 2c -c communityname hostname<\/code><\/pre>\n<p>Where:<\/p>\n<ul>\n<li>\n<p><code>communityname<\/code> \u2014 the community name<\/p>\n<\/li>\n<li>\n<p><code>hostname<\/code> \u2014 the agent\u2019s hostname<\/p>\n<\/li>\n<\/ul>\n<p>For SNMP <code>v3<\/code> with <code>authPriv<\/code> encryption:<\/p>\n<pre><code>snmpwalk -v 3 -a SHA -A<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-455211","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts\/455211","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=455211"}],"version-history":[{"count":0,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts\/455211\/revisions"}],"wp:attachment":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=455211"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=455211"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=455211"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}