SSH
===

From Net-SNMP Wiki
Revision as of 17:26, 5 August 2011 by ClausKlein (Talk | contribs) (initial version)


The SSH transport, on the server side, is actually just a UNIX named pipe that is reached through an sshd subsystem configured in the main SSH server. The pipe location (configurable with the sshtosnmpsocket token in `/etc/snmp/snmp.conf`) is `/var/net-snmp/sshtosnmp`. Packets should be submitted to it via the sshtosnmp application, which also sends the user ID when starting the connection. The TSM security model must be used to process packets that arrive over this transport.

The sshtosnmp command knows how to connect to this pipe and talk to it. It should be configured in the OpenSSH sshd configuration file (which is normally `/etc/ssh/sshd_config`) using the following configuration line::

   Subsystem snmp /usr/local/bin/sshtosnmp

.. error:: Fix the path to the pipe in the `apps/sshtosnmp.c` code!
   Do not change the default sshtosnmpsocket option.

The sshtosnmp command will need read/write access to the `/var/net-snmp/sshtosnmp` pipe. Although it should be fairly safe to grant access to the average user since it still requires modifications to the ACM settings before the user can perform operations, paranoid administrators may want to make the `/var/net-snmp` directory accessible only by users in a particular group.

.. tip:: In the `/etc/snmp/snmp.conf` file use the sshtosnmpsocketperms
   configuration token to set the permissions, owner and group of the created socket.

You also have to check the access rights of the persistent directory for group and other::

   sudo chmod g+x,o+x /var/net-snmp
   sudo chmod g+x,o+x /var/net-snmp/mib_indexes


The SNMP USM access control should be granted to the user "foo" using the following style of simple `/etc/snmp/snmpd.conf` settings::

   rouser -s tsm foo authpriv

.. note:: Using "authpriv" here is acceptable because SSH protects everything
   at that level (assuming you have a non-insane setup). snmpd has no notion of how SSH
   has actually protected a packet and thus the snmp agent assumes all packets
   passed through the SSH transport have been protected at the "authpriv" level.
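The three server-side requirements above (an snmp Subsystem line in sshd_config, a socket directory that group and other can traverse but nobody else can write to, and a tsm user granted access at authpriv in snmpd.conf) are easy to get wrong independently of each other. The following preflight script is an added example and not part of Net-SNMP; it only inspects files and mode bits, and it runs against constructed sample files written by `make_samples` (the "socket" in the sample is a plain file, since only its permission bits are checked). Point the functions at the real paths to check an actual host.

```shell
#!/bin/sh
# Preflight checks for a Net-SNMP SSH/TSM setup. Added example, not Net-SNMP code.
# Every function takes explicit paths, so it works on the constructed samples
# below as well as on /etc/ssh/sshd_config, /etc/snmp/snmpd.conf and /var/net-snmp.

# Print the binary configured for the "snmp" subsystem; exit 1 if there is none.
ssh_subsystem_path() {
    awk 'tolower($1) == "subsystem" && $2 == "snmp" { print $3; found = 1 }
         END { exit !found }' "$1"
}

# Print every user granted access via the tsm security model at level authpriv
# (the only level snmpd will ever see on the SSH transport); exit 1 if none.
tsm_authpriv_users() {
    awk '($1 == "rouser" || $1 == "rwuser") && $2 == "-s" && $3 == "tsm" &&
         tolower($5) == "authpriv" { print $4; found = 1 }
         END { exit !found }' "$1"
}

# Character $2 (1-based) of the ls -ld permission string of path $1, e.g. "drwxrwxr-x".
perm_char() {
    ls -ld "$1" | cut -c"$2"
}

# The directory holding the socket must be traversable (x) by group and other,
# as the chmod g+x,o+x step requires, and must not be world-writable, otherwise
# any local user could remove and replace the socket.
dir_ok() {
    [ "$(perm_char "$1" 7)" = "x" ] &&
    [ "$(perm_char "$1" 10)" = "x" ] &&
    [ "$(perm_char "$1" 9)" != "w" ]
}

# The socket (sshtosnmpsocketperms 664 foo admin) should be group-writable for
# the group that runs sshtosnmp, but never world-writable.
socket_ok() {
    [ "$(perm_char "$1" 6)" = "w" ] &&
    [ "$(perm_char "$1" 9)" != "w" ]
}

# Constructed sample tree standing in for the real files; $1 is a scratch directory.
make_samples() {
    mkdir -p "$1/var/net-snmp"
    chmod 775 "$1/var/net-snmp"
    : > "$1/var/net-snmp/sshtosnmp"              # stands in for the socket
    chmod 664 "$1/var/net-snmp/sshtosnmp"
    printf 'Subsystem\tsftp\t/usr/libexec/sftp-server\n' > "$1/sshd_config"
    printf 'Subsystem\tsnmp\t/usr/local/bin/sshtosnmp\n' >> "$1/sshd_config"
    printf 'rouser -s tsm foo authpriv\n' > "$1/snmpd.conf"
    printf 'rouser -s usm bar authpriv\n' >> "$1/snmpd.conf"   # usm, not tsm: ignored
    printf 'rwuser -s tsm admin authPriv\n' >> "$1/snmpd.conf"
}

# Demo run over the constructed samples.
if [ -z "${SSHTSM_NO_DEMO:-}" ]; then
    sample=$(mktemp -d)
    make_samples "$sample"
    echo "snmp subsystem: $(ssh_subsystem_path "$sample/sshd_config" || echo MISSING)"
    echo "tsm authpriv users: $(tsm_authpriv_users "$sample/snmpd.conf" | tr '\n' ' ')"
    dir_ok "$sample/var/net-snmp" && echo "socket dir: ok" || echo "socket dir: BAD"
    socket_ok "$sample/var/net-snmp/sshtosnmp" && echo "socket: ok" || echo "socket: BAD"
    rm -rf "$sample"
fi
```

Only mode bits are examined; an ACL or SELinux label (shown by `ls` as a trailing `+` or `.`) is not evaluated, so on hosts using either, check those separately.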


Required Build Options
----------------------

You must have passed these options when configure was run for the following to work::

   --with-security-modules=tsm --with-transports=SSH


Use ssh-keygen(1) to generate an authentication key.

To be able to log in over SSH without a password, install your public key on the target machine with::

   ssh-copy-id [-i [identity_file]] [user@]machine

.. Tip:: Read http://wiki.debian.org/ssh#ssh_without_password for more info.


Usage example
-------------

My current `~/.snmp/snmp.conf` file contains the following SSH transport settings::

   defSecurityModel tsm
   defSecurityName  foo
   defSecurityLevel authPriv
   #
   sshusername   foo
   sshpublickey  /home/foo/.ssh/id_rsa.pub
   sshprivatekey /home/foo/.ssh/id_rsa
   #FIXME: do not change! sshtosnmpsocket   /var/net-snmp/sshtosnmp
   # sshtosnmpsocketperms MODE [OWNER [GROUP]]
   sshtosnmpsocketperms 664 foo admin


I added the following snmp Subsystem line to `/etc/ssh/sshd_config`::

   # override default of no subsystems
   Subsystem	sftp	/usr/libexec/sftp-server
   Subsystem	snmp	/home/foo/Workspace/c/net-snmp/apps/sshtosnmp


To test the new SSH TSM configuration, I start the snmpd with::

   sudo ./agent/snmpd -mall -Mmibs -f -Le -c /etc/snmp/snmpd.conf --defSecurityModel=tsm -Dssh,tsm,trans ssh:localhost


Then I can do an SNMP query with::

   ./apps/snmpstatus -m all -M mibs -r1 -Dssh,tsm,trans ssh:machine:22