SSH
Note: Features discussed on this page require Net-SNMP version 5.6 or higher.
The SSH transport, on the server side, is actually just a UNIX named pipe that can be connected to via an sshd subsystem configured in the main SSH server. The pipe location (configurable with the sshtosnmpsocket token in `/etc/snmp/snmp.conf`) is `/var/net-snmp/sshtosnmp`. Packets should be submitted to it via the sshtosnmp application, which also sends the user ID when starting the connection. The TSM security model should be used to process packets received this way.
The sshtosnmp command knows how to connect to this pipe and talk to it. It should be configured in the OpenSSH sshd configuration file (which is normally `/etc/ssh/sshd_config`) using the following configuration line::

    Subsystem snmp /usr/local/bin/sshtosnmp

Attention: The path to the pipe is hard-coded in `apps/sshtosnmp.c`! Do not change the default sshtosnmpsocket option.
The sshtosnmp command will need read/write access to the `/var/net-snmp/sshtosnmp` pipe. Although it should be fairly safe to grant access to the average user since it still requires modifications to the ACM settings before the user can perform operations, paranoid administrators may want to make the `/var/net-snmp` directory accessible only by users in a particular group.
Tip: In the `/etc/snmp/snmp.conf` file, use the sshtosnmpsocketperms configuration option to set the permissions, owner and group of the created socket.
You also have to check the access rights of the persistent directory for group and other::

    sudo chmod g+x,o+x /var/net-snmp
    sudo chmod g+x,o+x /var/net-snmp/mib_indexes

The SNMP USM access control should be granted to the user "foo" using the following style of simple `/etc/snmp/snmpd.conf` settings::

    rouser -s tsm foo authpriv

Note that "authpriv" is acceptable because SSH protects everything that way (assuming you have a non-insane setup). snmpd has no notion of how SSH has actually protected a packet, and thus the SNMP agent assumes all packets passed through the SSH transport have been protected at the "authpriv" level.
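The server-side pieces described above (the sshd subsystem line, the permissions on the pipe, and the TSM users in `snmpd.conf`) can be reviewed with a short read-only script. This is an added example, not part of Net-SNMP or of the original page; the function names and the `--demo` sample files are assumptions made for illustration, while the default paths are the ones named on this page.

```shell
#!/bin/sh
# Added example (not Net-SNMP code): read-only checks of the server-side setup.
# Function names are this example's own; default paths are the ones on this page.

# Print the helper configured as the "snmp" subsystem in an sshd_config file.
snmp_subsystem() {
    awk 'tolower($1) == "subsystem" && $2 == "snmp" { print $3; exit }' "$1"
}

# Print the users granted access through TSM by rouser/rwuser lines in snmpd.conf.
tsm_users() {
    awk '(tolower($1) == "rouser" || tolower($1) == "rwuser") && $2 == "-s" && $3 == "tsm" { print $4 }' "$1"
}

# Print the widest class that can write to the pipe: other, group or owner.
pipe_exposure() {
    [ -e "$1" ] || { echo missing; return; }
    if [ -n "$(find "$1" -prune -perm -0002 -print)" ]; then echo other
    elif [ -n "$(find "$1" -prune -perm -0020 -print)" ]; then echo group
    else echo owner
    fi
}

# Summarise all three checks for the given (or default) paths.
audit_ssh_transport() {
    sshd_conf=${1:-/etc/ssh/sshd_config}
    snmpd_conf=${2:-/etc/snmp/snmpd.conf}
    pipe=${3:-/var/net-snmp/sshtosnmp}
    helper=$(snmp_subsystem "$sshd_conf")
    if [ -n "$helper" ] && [ -x "$helper" ]; then echo "subsystem: ok ($helper)"
    else echo "subsystem: missing or not executable (${helper:-none})"
    fi
    echo "pipe writable by: $(pipe_exposure "$pipe")"
    echo "TSM users (all treated as authpriv): $(tsm_users "$snmpd_conf" | tr '\n' ' ')"
}

# Constructed sample files so the checks can be tried without a live agent.
make_sample() {
    printf '%s\n' '# override default of no subsystems' \
        'Subsystem sftp /usr/lib/openssh/sftp-server' \
        'Subsystem snmp /usr/local/bin/sshtosnmp' > "$1/sshd_config"
    printf '%s\n' 'rouser -s tsm foo authpriv' 'rouser bar priv' > "$1/snmpd.conf"
    : > "$1/sshtosnmp"; chmod 660 "$1/sshtosnmp"   # plain file standing in for the pipe
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); make_sample "$d"
    audit_ssh_transport "$d/sshd_config" "$d/snmpd.conf" "$d/sshtosnmp"; rm -rf "$d"
fi
```

Because snmpd treats every listed TSM user as "authpriv", the user list and the set of accounts able to write to the pipe are the two outputs worth reviewing after any change.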
Required Build Options
You must have added these options when configure was run to make the following work::

    --with-security-modules=tsm --with-transports=SSH

Use ssh-keygen(1) to generate an authentication key.
To log in over SSH without a password, you have to install your public key file with::

    ssh-copy-id [-i [identity_file]] [user@]machine

Tip: Read http://wiki.debian.org/ssh#ssh_without_password or https://help.ubuntu.com/community/SSH/OpenSSH/Keys for more info.
Usage example
My current `~/.snmp/snmp.conf` file contains the following SSH transport settings::

    defSecurityModel tsm
    defSecurityName foo
    defSecurityLevel authPriv
    #
    sshusername foo
    sshpublickey /home/foo/.ssh/id_rsa.pub
    sshprivatekey /home/foo/.ssh/id_rsa
    #FIXME: do not change!
    sshtosnmpsocket /var/net-snmp/sshtosnmp
    # sshtosnmpsocketperms MODE [OWNER [GROUP]]
    sshtosnmpsocketperms 664 foo admin

I added to `/etc/ssh/sshd_config` the following snmp Subsystem line::

    # override default of no subsystems
    Subsystem snmp /home/foo/Workspace/c/net-snmp/apps/sshtosnmp

To test the new SSH TSM configuration, I start the snmpd with::

    sudo ./agent/snmpd -mall -Mmibs -f -Le -c /etc/snmp/snmpd.conf --defSecurityModel=tsm -Dssh,tsm,trans ssh:localhost

Then I can do an SNMP query with::

    ./apps/snmpstatus -m all -M mibs -r1 -Dssh,tsm,trans ssh:machine:22

See also TUT:Using_TLS