This version of net-snmp supports an experimental SNMPv3 security model
using Kerberos 5 for authentication. The protocol is described in an
up-and-coming IETF Internet-Draft.

This document gives a brief overview of the Kerberos Security Model
and how to use it.

DESCRIPTION:

The Kerberos Security Model does not use USM; it is completely separate
and is not tied to USM in any way. It works by placing the following
ASN.1 sequence inside of the SNMPv3 msgSecurityParameters:

ksmSecurityParameters ::= SEQUENCE {
        -- The Kerberos 5 checksum type used to checksum this message
        ksmChecksumType INTEGER(0..2147483647),
        -- The actual keyed checksum data returned by Kerberos
        ksmChecksum OCTET STRING,
        -- The Kerberos 5 message (either an AP_REQ or AP_REP)
        ksmKerberosMsg OCTET STRING,
        -- The cached ticket identifier
        ksmCachedTicket INTEGER(0..2147483647)
}

Note that the whole SEQUENCE is BER encoded as an OCTET STRING.

ksmChecksumType is an integer which corresponds to the checksum algorithm
used to secure this message as defined by Kerberos (see section 8.3 of
RFC 1510).

ksmChecksum is the output of the checksum algorithm defined by ksmChecksumType
(computed with all NULs in the space for the checksum).

ksmKerberosMsg is a Kerberos 5 AP_REQ or AP_REP message, depending on
whether it is a request or a response (AP_REQ for requests, AP_REP
for responses).

ksmCachedTicket is an integer which uniquely identifies a ticket already
cached on the agent, to save the overhead of transferring a whole AP_REQ/AP_REP.
If there is no such cached ticket, it is left at zero.

An agent, upon receiving a message using the KSM, will decode the AP_REQ
contained within the security parameters and thus validate the client's
identity. Using the subkey contained within the AP_REQ, the agent will
validate the checksum (after first clearing the checksum bytes to zero),
and issue a response, encoding the appropriate AP_REP message in the
ksmSecurityParameters.

If the securityLevel of the message is set to AuthPriv, the scopedPdu
payload will be encrypted using the encryption key and algorithm of the
AP_REQ subkey. Note that in this case, the msgData will be a BER-encoded
OCTET STRING corresponding to the "cipher" element of the EncryptedData
sequence defined in RFC 1510, section 6.1.

Since this security model is experimental, the number assigned to this
security model is taken from the recommendations of RFC 2271, section 5,
which specify enterprise-specific Security Models of the form:

        SnmpSecurityModel = enterpriseID * 256 + security model number
                                                 in that enterprise ID;

In the case of KSM this gives us:

        SnmpSecurityModel = 8072 * 256 + 0 = 2066432

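The following is an added worked example, not code from net-snmp or from the Internet-Draft: it BER-encodes and decodes the ksmSecurityParameters SEQUENCE (wrapped in an OCTET STRING, as above) and applies the "checksum the message with the checksum bytes set to NUL" rule on both the sending and the receiving side. Everything Kerberos-specific is a stand-in: HMAC-SHA256 replaces the Kerberos 5 keyed checksum, CHECKSUM_TYPE_DEMO is a constructed value rather than a registered Kerberos checksum type, the subkey is passed in directly instead of being taken from a decoded AP_REQ, and the "header" and scopedPdu bytes are opaque placeholders for the rest of the SNMPv3 message.

```python
# Added example (not net-snmp code): ksmSecurityParameters wire format plus
# the zero-the-checksum-field rule for computing and verifying ksmChecksum.
# Stand-ins/assumptions: HMAC-SHA256 for the Kerberos 5 keyed checksum,
# CHECKSUM_TYPE_DEMO as a constructed checksum type, and a subkey supplied
# directly rather than extracted from an AP_REQ.
import hashlib
import hmac

TAG_INTEGER, TAG_OCTET_STRING, TAG_SEQUENCE = 0x02, 0x04, 0x30
CHECKSUM_TYPE_DEMO = 9999  # constructed placeholder, not a Kerberos checksum type


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def ber_integer(value: int) -> bytes:
    """INTEGER(0..2147483647) as minimal two's-complement octets."""
    if not 0 <= value <= 2147483647:
        raise ValueError("ksm INTEGER out of range")
    return ber_tlv(TAG_INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def encode_ksm_params(checksum_type, checksum, kerberos_msg, cached_ticket):
    """The ksmSecurityParameters SEQUENCE, itself BER-wrapped in an OCTET STRING."""
    seq = (ber_integer(checksum_type) + ber_tlv(TAG_OCTET_STRING, checksum)
           + ber_tlv(TAG_OCTET_STRING, kerberos_msg) + ber_integer(cached_ticket))
    return ber_tlv(TAG_OCTET_STRING, ber_tlv(TAG_SEQUENCE, seq))


def read_tlv(buf: bytes, pos: int):
    # Returns (tag, content, end) of the TLV at pos; rejects truncated input.
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length, nbytes = first, 0
    if first >= 128:
        nbytes = first & 0x7F
        if not 1 <= nbytes <= 4:  # indefinite or oversized lengths are refused
            raise ValueError("unsupported BER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
    pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def decode_ksm_params(wrapped: bytes):
    """Inverse of encode_ksm_params; every tag and every length is checked."""
    tag, seq, end = read_tlv(wrapped, 0)
    if tag != TAG_OCTET_STRING or end != len(wrapped):
        raise ValueError("msgSecurityParameters is not one OCTET STRING")
    tag, body, end = read_tlv(seq, 0)
    if tag != TAG_SEQUENCE or end != len(seq):
        raise ValueError("ksmSecurityParameters is not one SEQUENCE")
    fields, pos = [], 0
    for want in (TAG_INTEGER, TAG_OCTET_STRING, TAG_OCTET_STRING, TAG_INTEGER):
        tag, content, pos = read_tlv(body, pos)
        if tag != want:
            raise ValueError("unexpected field tag 0x%02x" % tag)
        if want == TAG_INTEGER:
            content = int.from_bytes(content, "big", signed=True)
            if content < 0:
                raise ValueError("negative ksm INTEGER")
        fields.append(content)
    if pos != len(body):
        raise ValueError("trailing bytes in ksmSecurityParameters")
    return tuple(fields)  # (checksum_type, checksum, kerberos_msg, cached_ticket)


def keyed_checksum(subkey: bytes, data: bytes) -> bytes:
    return hmac.new(subkey, data, hashlib.sha256).digest()  # krb5 checksum stand-in


def build_message(header, msg_data, subkey, kerberos_msg, cached_ticket=0):
    """Sender: checksum the message with the checksum field all NULs, then fill it in."""
    zero = bytes(hashlib.sha256().digest_size)
    params = encode_ksm_params(CHECKSUM_TYPE_DEMO, zero, kerberos_msg, cached_ticket)
    mac = keyed_checksum(subkey, header + params + msg_data)
    params = encode_ksm_params(CHECKSUM_TYPE_DEMO, mac, kerberos_msg, cached_ticket)
    return header + params + msg_data  # same length, so the byte layout is unchanged


def verify_message(message, header_len, subkey):
    """Receiver: clear the checksum bytes to zero, recompute, compare in constant time."""
    _, _, end = read_tlv(message, header_len)
    header, params, msg_data = message[:header_len], message[header_len:end], message[end:]
    ctype, checksum, kerberos_msg, cached_ticket = decode_ksm_params(params)
    if ctype != CHECKSUM_TYPE_DEMO:
        raise ValueError("unsupported checksum type %d" % ctype)
    zeroed = encode_ksm_params(ctype, bytes(len(checksum)), kerberos_msg, cached_ticket)
    if not hmac.compare_digest(keyed_checksum(subkey, header + zeroed + msg_data), checksum):
        raise ValueError("KSM checksum mismatch")
    return kerberos_msg, cached_ticket


def message_is_valid(message, header_len, subkey) -> bool:
    try:
        verify_message(message, header_len, subkey)
        return True
    except (ValueError, IndexError):
        return False


if __name__ == "__main__":
    # Constructed sample values, not real Kerberos or SNMP data.
    hdr, pdu, key, ap_req = b"v3-header", b"scoped-pdu", b"sample-subkey", b"AP_REQ-bytes"
    msg = build_message(hdr, pdu, key, ap_req)
    print(message_is_valid(msg, len(hdr), key), message_is_valid(msg[:-1] + b"?", len(hdr), key))
```

The receiver "clears the checksum bytes" by re-encoding the parameters with a NUL-filled checksum of the same length; because the lengths do not change, this produces exactly the bytes that zeroing the field in place would, so the constant-time comparison covers the header, the whole ksmSecurityParameters and the msgData. The decoder refuses trailing bytes, mismatched tags and indefinite-length encodings rather than skipping over them. AuthPriv encryption of the scopedPdu is not modelled here.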
USAGE:

To actually USE the Kerberos Security Model, do the following:

0) Install Kerberos

Let it be stated up front - Installing Kerberos completely "cold", without
any Kerberos experience at all, can be daunting (to say the least). If you
already have a Kerberos infrastructure at your site, then all of the hard
work has been done. If you do NOT, but you still want to tackle it,
you might be interested in the Kerberos FAQ, which can be found at:

        http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html

Currently the code in net-snmp only supports linking against the MIT Kerberos
libraries (you should be able to use any kind of Kerberos server, however).

1) Compile net-snmp with Kerberos.

This assumes that you already have Kerberos libraries in place.

Configure net-snmp to include the Kerberos Security Model (ksm) and
use --with-cflags and --with-ldflags to specify the location and names
of Kerberos header files and libraries. For example, on my system I
run:

        ./configure --with-cflags='-I/usr/krb5/include' \
          --with-ldflags='-L/usr/krb5/lib -lkrb5 -lcrypto -lcom_err -R/usr/krb5/lib'

Note that this is on Solaris, and that -R is required to set the correct
shared library path. If you have a newer version of Kerberos, you might
instead have to use:

        -lkrb5 -lk5crypto -lcom_err

as the libraries to link against. If you get errors (for example, you
get a message that says the compiler isn't working) you can check
config.log for the output of the compiler.

2) Configure Kerberos and SNMP

Currently, net-snmp uses the "host" principal assigned to a host. This
may change in the future. You will want to create host principals of
the form:

        host/f.q.d.n@YOUR.REALM

For example:

        host/mydesktop.example.org@EXAMPLE.ORG

and place the encryption keys for these principals on every machine on which
you wish to run an SNMP agent (you place each key on its corresponding machine).
Your Kerberos documentation should explain how to do this (in the case
of MIT Kerberos, you want to look at the "ktadd" command inside of
kadmin).

If you have a Kerberos infrastructure, you likely already have these
principals in place on your systems.

If you're installing Kerberos for the first time as well, you also
need to create client principals corresponding to your userid. See
your Kerberos documentation.

On the SNMP _agent_ side, you'll want to place in your snmpd.conf file
(the one that lives in /usr/local/share/snmp/snmpd.conf, or wherever
you have configured it on your system):

        rwuser -s ksm userid@YOUR.REALM

to allow the Kerberos principal 'userid@YOUR.REALM' read/write access to
the MIB tree.

3) Run the agent and client applications

Note that before you do any of this, you will have to have valid Kerberos
credentials (generally acquired with the "kinit" program).

The agent should run without any additional flags.

You should run the client apps with the following flags:

        -Y defSecurityModel=ksm
        -v 3
        -u username
        -l authNoPriv

for example:

        snmpget -v 3 -Y defSecurityModel=ksm -u myname -l authNoPriv testhost \
                system.sysDescr.0

If you wish to encrypt the payload, change the -l argument to "authPriv".

If you run into problems, you can add the -Dksm flag to both the manager
applications and the agent to get more detailed Kerberos error messages.
Note that this setup assumes a working Kerberos infrastructure; if you
run into problems, check to make sure Kerberos is working for you.