From Net-SNMP Wiki
Requires Net-SNMP 5.6

Note: Features discussed on this page require Net-SNMP version 5.6 or higher.

The SSH transport, on the server side, is actually just a UNIX named pipe that is connected to via an sshd subsystem configured in the main SSH server. The pipe location (configurable with the sshtosnmpsocket token in `/etc/snmp/snmp.conf`) is `/var/net-snmp/sshtosnmp`. Packets should be submitted to it via the sshtosnmp application, which also sends the user ID when starting the connection. The TSM security model must be used to process the packets that arrive over it.

The sshtosnmp command knows how to connect to this pipe and talk to it. It should be configured in the OpenSSH sshd configuration file (which is normally `/etc/ssh/sshd_config`) using the following configuration line:

   Subsystem snmp /usr/local/bin/sshtosnmp
Attention: The path to the pipe is hard-coded in `apps/sshtosnmp.c`! Do not change the default sshtosnmpsocket option.

The sshtosnmp command will need read/write access to the `/var/net-snmp/sshtosnmp` pipe. Although it should be fairly safe to grant access to the average user since it still requires modifications to the ACM settings before the user can perform operations, paranoid administrators may want to make the `/var/net-snmp` directory accessible only by users in a particular group.

Tip: In the `/etc/snmp/snmp.conf` file use the sshtosnmpsocketperms configuration option to set the permissions, owner and group of the created socket.

You also have to check that the persistent directory grants search (execute) access to group and other:

   sudo chmod g+x,o+x /var/net-snmp
   sudo chmod g+x,o+x /var/net-snmp/mib_indexes

The SNMP USM access control should be granted to the user "foo" using the following style of simple `/etc/snmp/snmpd.conf` settings:

   rouser -s tsm foo authpriv

Note that "authpriv" is acceptable since SSH protects everything at that level (assuming you have a non-insane setup). snmpd has no notion of how SSH has actually protected a packet, and thus the SNMP agent assumes all packets passed through the SSH transport have been protected at the "authpriv" level.
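The server-side pieces described above (the sshd Subsystem line, the search bits on the persistent directory, the socket permissions and the TSM rouser entry) are easy to get subtly wrong, and the only symptom is usually a timeout on the client. The following POSIX sh script is an added example, not part of the Net-SNMP project, that audits those pieces. It takes the paths as arguments (the defaults shown in the demo are constructed temporary files, not real system paths) and treats a three-digit sshtosnmpsocketperms mode that grants write to "other" as a finding, matching the page's point that only a particular group should be able to write to the pipe.

```shell
#!/bin/sh
# Added example (not Net-SNMP code): audit an SSH/TSM transport setup.
# Assumptions: GNU/BSD ls mode strings (drwxr-xr-x), awk, mktemp.

# Print the 10-character mode string of a path, e.g. drwxr-xr-x.
mode_string() { ls -ld "$1" | cut -c1-10; }

# Succeed when group and other both have the search (x) bit,
# i.e. what "chmod g+x,o+x" on /var/net-snmp achieves.
dir_searchable_by_all() {
    m=$(mode_string "$1") || return 1
    case "$m" in ??????x??x) return 0 ;; *) return 1 ;; esac
}

# Print the program configured by an active "Subsystem snmp <path>" line.
# Commented-out lines start with '#' and never match.
snmp_subsystem_path() {
    awk 'tolower($1) == "subsystem" && $2 == "snmp" { print $3; found = 1 }
         END { exit !found }' "$1"
}

# Succeed when snmpd.conf grants the user TSM access (rouser/rwuser -s tsm).
tsm_user_granted() {
    awk -v u="$2" '($1 == "rouser" || $1 == "rwuser") && $2 == "-s" &&
                    $3 == "tsm" && $4 == u { found = 1 } END { exit !found }' "$1"
}

# Print the mode from an active "sshtosnmpsocketperms MODE [OWNER [GROUP]]" line.
socket_perms_from_conf() {
    awk '$1 == "sshtosnmpsocketperms" { print $2; found = 1 } END { exit !found }' "$1"
}

# Succeed for a three-digit octal mode whose "other" digit has no write bit
# (664 passes, 666 fails). Four-digit modes are rejected as out of scope.
socket_perms_ok() {
    case "$1" in [0-7][0-7][0-7]) ;; *) return 1 ;; esac
    case "${1#??}" in [2367]) return 1 ;; *) return 0 ;; esac
}

# audit SSHD_CONFIG SNMPD_CONF SNMP_CONF PERSIST_DIR USER -> 0 when all checks pass.
audit() {
    rc=0
    if p=$(snmp_subsystem_path "$1"); then
        [ -x "$p" ] && echo "ok: Subsystem snmp -> $p" || { echo "FAIL: $p not executable"; rc=1; }
    else
        echo "FAIL: no 'Subsystem snmp' line in $1"; rc=1
    fi
    for d in "$4" "$4/mib_indexes"; do
        dir_searchable_by_all "$d" && echo "ok: $d searchable" || { echo "FAIL: $d needs chmod g+x,o+x"; rc=1; }
    done
    tsm_user_granted "$2" "$5" && echo "ok: $5 has TSM access" || { echo "FAIL: no 'rouser -s tsm $5' in $2"; rc=1; }
    if m=$(socket_perms_from_conf "$3"); then
        socket_perms_ok "$m" && echo "ok: socket mode $m" || { echo "FAIL: socket mode $m is world-writable"; rc=1; }
    else
        echo "warn: no sshtosnmpsocketperms in $3 (default perms apply)"
    fi
    return $rc
}

# Demo on constructed files in a temp dir; returns audit's status.
demo() {
    t=$(mktemp -d) || return 1
    printf 'Subsystem\tsnmp\t%s/sshtosnmp\n' "$t" > "$t/sshd_config"
    : > "$t/sshtosnmp"; chmod 755 "$t/sshtosnmp"
    printf 'rouser -s tsm foo authpriv\n' > "$t/snmpd.conf"
    printf 'sshtosnmpsocketperms 664 foo admin\n' > "$t/snmp.conf"
    mkdir -p "$t/net-snmp/mib_indexes"; chmod 755 "$t/net-snmp" "$t/net-snmp/mib_indexes"
    audit "$t/sshd_config" "$t/snmpd.conf" "$t/snmp.conf" "$t/net-snmp" foo
    rc=$?; rm -rf "$t"; return $rc
}

demo
```

Run it against the real files with `audit /etc/ssh/sshd_config /etc/snmp/snmpd.conf /etc/snmp/snmp.conf /var/net-snmp foo`; each FAIL line names the chmod or configuration line from this page that fixes it.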

Required Build Options

You must have passed these options to configure when building for the following to work:

   --with-security-modules=tsm --with-transports=SSH

Use ssh-keygen(1) to generate an authentication key.

To be able to log in over SSH without a password, install your public key on the target machine with:

   ssh-copy-id [-i [identity_file]] [user@]machine


Usage example

My current `~/.snmp/snmp.conf` file contains the following SSH transport settings:

   defSecurityModel tsm
   defSecurityName  foo
   defSecurityLevel authPriv
   sshusername   foo
   sshpublickey  /home/foo/.ssh/
   sshprivatekey /home/foo/.ssh/id_rsa
   #FIXME: do not change! sshtosnmpsocket   /var/net-snmp/sshtosnmp
   # sshtosnmpsocketperms MODE [OWNER [GROUP]]
   sshtosnmpsocketperms 664 foo admin

I added to `/etc/ssh/sshd_config` the following snmp Subsystem line:

   # override default of no subsystems
   Subsystem	snmp	/home/foo/Workspace/c/net-snmp/apps/sshtosnmp

To test the new SSH TSM configuration, I start the snmpd with:

   sudo ./agent/snmpd -mall -Mmibs -f -Le -c /etc/snmp/snmpd.conf --defSecurityModel=tsm -Dssh,tsm,trans ssh:localhost

Then I can do an SNMP query with:

   ./apps/snmpstatus -m all -M mibs -r1 -Dssh,tsm,trans ssh:machine:22

See also TUT:Using_TLS