SNMP v3?

Anything that you think should be in Cacti.

perldork
Cacti User
Posts: 69
Joined: Fri Nov 05, 2004 9:06 am
Contact:

SNMP v3?

Post by perldork »

Hi,

Anyone working on adding SNMP v3 support to Cacti? I understand that I can write a custom script that will do SNMP v3 myself for now .. just curious if anyone knows if this is a feature that will be added to Cacti's built-in SNMP client anytime soon .. if not, I could take a crack at it .. or does the php-snmp module not support SNMP v3 yet?
Last edited by perldork on Sat Nov 06, 2004 8:07 am, edited 1 time in total.
[url=http://www.semintelligent.com/blog]Max Schubert a.k.a perldork[/url]
[url=http://wwd-hosting.net/ensim/]Ensim scripts and utilities (GPL)[/url] - [url=http://nmap-scanner.sf.net]Perform nmap scans with perl (GPL)[/url]
[url=http://lmf.sf.net]Perl-based log monitoring framework(GPL)[/url]
TheWitness
Developer
Posts: 17007
Joined: Tue May 14, 2002 5:08 pm
Location: MI, USA
Contact:

Post by TheWitness »

Yes php does. Unfortunately, we have not been focusing on SNMP v3. Could you please provide user interface design information for us to help with the design?

I know that the following may be required:

UserID, Password, Passphrase, ????

Then, in addition to the above, could you please research the php.net website for documentation and provide sample code for producing a snmpv3 call. If you can do that much, I can program the rest.

TheWitness
True understanding begins only when we realize how little we truly understand...

Life is an adventure, let yours begin with Cacti!

Author of dozens of Cacti plugins and customizations. Advocate of LAMP, MariaDB, IBM Spectrum LSF and the world of batch. Creator of IBM Spectrum RTM, author of quite a bit of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
GitHub Repository with Supported Plugins
Percona Device Packages (no support)
Interesting Device Packages


For those wondering, I'm still here, but lost in the shadows. Yearning for less bugs. Who wants a Cacti 1.3/2.0? Streams anyone?

Post by perldork »

Be glad to help if I can.

In addition to UserID

* engineId (optional)
* contextName (optional)
* Authentication passphrase - password
* Privacy passphrase - (for using encrypted PDUs)

Where did you see information for using the above SNMP v3 specific fields with PHP? I didn't see any mention of SNMP v3 in the php.net docs beyond that it supports v3 :) .. I will search again, but please let me know if you remember where you saw docs that talked about using the full SNMP v3 feature set! I did a bunch of Net::SNMP scripts with perl using SNMP v3 today that I could call for use in data templates to build my own SNMP v3 input data methods/graph/host templates and data templates .. scripts were easy to build.

By user interface design, do you mean a static HTML mockup?
Last edited by perldork on Sun Nov 07, 2004 12:20 pm, edited 1 time in total.

Post by TheWitness »

It does not appear well documented on the PHP Web site. It looks like they need some contribs. Here is the source code.

Larry
Attachments
snmp.zip
(17.72 KiB) Downloaded 1820 times

Post by perldork »

Working examples for all retrieval functions done:
* snmp3_get
  - returns single value as string
* snmp3_getnext
  - returns single value as string or null if no more values
* snmp3_walk
  - returns array of values
* snmp3_real_walk
  - returns associative array of OID/value pairs

Argument list for all above functions:

Code:

retval snmp3_NNNNN(string host,
                   string sec_name,
                   string sec_level,
                   string auth_protocol,
                   string auth_passphrase,
                   string priv_protocol,
                   string priv_passphrase,
                   string object_id
                   [, int timeout
                   [, int retries]])

Where:
* Host can be just hostname/IP or hostname/IP:port
  - e.g. 192.168.1.2:165
* sec_level is one of 'noAuthNoPriv', 'authNoPriv', or 'authPriv'
  - If noAuthNoPriv, don't need auth_protocol or auth_passphrase or priv_protocol or priv_passphrase
  - if authNoPriv, don't need priv_protocol or priv_passphrase
  - if authPriv, need all four
* Passphrases are the ASCII passphrases, the routines will *not* accept hex encoded phrases
* auth_protocol is one of 'MD5' (default) or 'SHA'
* priv_protocol is one of 'DES' (default), 'AES128', 'AES192', 'AES256'
  - I know from my own experience Net-SNMP agents as of 5.1.2 only work with DES

Working code (passphrases etc not the real ones in use):

Code:

#!/usr/local/bin/php
<?php

$auth_key = 'My user key';
$priv_key = 'PDU encrypt key';
$user     = 'myusername';

#  Host with optional :port
$host = '192.168.1.2:164';

#  Want both user authentication and PDU encryption
$level = 'authPriv';

#  For passphrase encryption
$auth_protocol = 'MD5';

#  PDU encryption
$priv_protocol = 'DES';

#  Number of users on system
$oid1 = '.1.3.6.1.2.1.25.1.5.0';

#  Disk use and memory use - for walk
$oid2 = '.1.3.6.1.2.1.25.2.3.1';

#  Single value
$get = snmp3_get($host,
                 $user,
                 $level,
                 $auth_protocol,
                 $auth_key,
                 $priv_protocol,
                 $priv_key,
                 $oid1);

print $get;

#  Walk, return values in array
$walk = snmp3_walk($host,
                   $user,
                   $level,
                   $auth_protocol,
                   $auth_key,
                   $priv_protocol,
                   $priv_key,
                   $oid2);

foreach ($walk as $value) {
    print "$value\n";
}

#  Walk, get OID/value pairs back
$real_walk = snmp3_real_walk($host,
                             $user,
                             $level,
                             $auth_protocol,
                             $auth_key,
                             $priv_protocol,
                             $priv_key,
                             $oid2);

foreach ($real_walk as $oid => $value) {
    print "$oid: $value\n";
}

?>

Let me know if you would like more information than what I have provided

Post by perldork »

So, additions to the user interface design (different than what I initially thought):

Drop down lists:

Security level:
* noAuthNoPriv - No authentication, no privacy
* authNoPriv - Authentication, no privacy
* authPriv - Authentication and privacy

Authentication protocol:
* MD5 (default)
* SHA

Privacy protocol:
* DES (default) - only one that works with net-SNMP as of version 5.1.2
* AES128
* AES192
* AES256

Text input boxes:

Authentication passphrase (plain text, not hex string)
Privacy passphrases (plain text, not hex string)
Authentication username

Post by TheWitness »

Should the SNMP options be on a per-host basis?

Great work thus far.

TheWitness

Post by perldork »

I am enjoying this :), thank you for giving me the chance to help out.

I noticed that the php-snmp module is not very fault tolerant; I accidentally passed an OID to the snmp_walk() function that didn't have any children and php segfaulted and dumped core :p.

SNMP v3 users are configured on a per-agent basis.

I wrote a little wrapper class for the snmp3 functions .. here it is, following the code examples refactored to use it.

Code:

<?php

require_once 'snmpv3.class.php';

$host = '192.168.1.2';
$user = 'mynameis';

// Configure an authPriv session (MD5 authentication, default DES privacy)
$snmp = new SNMPv3($host, $user);
$snmp->auth_key = 'My auth key';
$snmp->priv_key = 'My privacy key';
$snmp->port     = 164;
$snmp->auth_priv();
$snmp->use_md5_for_authentication();

$oid1 = '.1.3.6.1.2.1.25.1.5.0';
$oid2 = '.1.3.6.1.2.1.25.2.3.1';

// Single value
print $snmp->get($oid1);

// Walk, values only
foreach ($snmp->walk($oid2) as $value) {
    print "$value\n";
}

// Walk, OID/value pairs
foreach ($snmp->real_walk($oid2) as $key => $value) {
    print "$key: $value\n";
}

?>

And the class:

Code:

<?php

// Thin wrapper around PHP's snmp3_* functions
class SNMPv3 {

    public $host;
    public $user;
    public $port          = 161;
    public $auth_key      = '';
    public $priv_key      = '';
    public $level         = 'noAuthNoPriv';
    public $auth_protocol = 'MD5';
    public $priv_protocol = 'DES';
    // Passed as-is to snmp3_*(), which takes the timeout in microseconds
    public $timeout       = 60;
    public $retries       = 5;

    function __construct($host, $user) {

        if ($host == '') {
            die("Host is required!");
        }

        if ($user == '') {
            die("Username is required!");
        }

        $this->host = $host;
        $this->user = $user;
    }

    // snmp3_* functions take the port as part of the host string
    function format_host() {
        return "{$this->host}:{$this->port}";
    }

    // Security level selectors

    function no_auth_no_priv() {
        $this->level = 'noAuthNoPriv';
    }

    function auth_no_priv() {
        $this->level = 'authNoPriv';
    }

    function auth_priv() {
        $this->level = 'authPriv';
    }

    // Authentication protocol selectors

    function use_md5_for_authentication() {
        $this->auth_protocol = 'MD5';
    }

    function use_sha_for_authentication() {
        $this->auth_protocol = 'SHA';
    }

    // Privacy protocol selectors

    function use_des_for_privacy() {
        $this->priv_protocol = 'DES';
    }

    function use_aes128_for_privacy() {
        $this->priv_protocol = 'AES128';
    }

    function use_aes192_for_privacy() {
        $this->priv_protocol = 'AES192';
    }

    function use_aes256_for_privacy() {
        $this->priv_protocol = 'AES256';
    }

    // Returns a single value
    function get($oid) {

        $host = $this->format_host();

        return snmp3_get(
                   $host,
                   $this->user,
                   $this->level,
                   $this->auth_protocol,
                   $this->auth_key,
                   $this->priv_protocol,
                   $this->priv_key,
                   $oid,
                   $this->timeout,
                   $this->retries);
    }

    // Returns an array of values
    function walk($oid) {

        $host = $this->format_host();

        return snmp3_walk(
                   $host,
                   $this->user,
                   $this->level,
                   $this->auth_protocol,
                   $this->auth_key,
                   $this->priv_protocol,
                   $this->priv_key,
                   $oid,
                   $this->timeout,
                   $this->retries);
    }

    // Returns an associative array of OID/value pairs
    function real_walk($oid) {

        $host = $this->format_host();

        return snmp3_real_walk(
                   $host,
                   $this->user,
                   $this->level,
                   $this->auth_protocol,
                   $this->auth_key,
                   $this->priv_protocol,
                   $this->priv_key,
                   $oid,
                   $this->timeout,
                   $this->retries);
    }

}

?>

Last edited by perldork on Sun Nov 07, 2004 11:35 am, edited 1 time in total.

Post by TheWitness »

For some reason I think that the Authentication and Privacy Protocols can be system wide settings. Also, what about the two passphrases?

Thanks Again,

TheWitness

Post by TheWitness »

Here is the "New" SNMP Defaults Screen. What do you think?

TheWitness
Attachments
SNMPv3 Settings.JPG (143.08 KiB) Viewed 42649 times

Post by perldork »

Nice! I really like Cacti's UI design :).

How come each passphrase has two text input boxes on your screen shot? Was that intentional?

Yes, for most installations, like with SNMP 1/2c, people will use common credentials across all managed devices.

However, I would definitely make sure that there is the ability to override these settings on a device-by-device basis as there is with SNMP 1/2c.

Managed hosting providers, for example, may have each agent set up with a different username and password for security purposes. Some network security policies will also undoubtedly require that every agent use a unique username and passphrase.

Will you be including javascript to enable/disable the authentication/privacy related input widgets on the screen based on the user's security level choice or some kind of visual clue to tell a user what is required and what is not based on their security level choice?

Post by perldork »

I was thinking about this a bit more .. instead of having the security level drop down, how about designing the GUI so that the user's choice to enable authentication/privacy lets you know implicitly which mode to choose without the additional select box .. or is this making the UI logic too complex?

I have the javascript and bare-bones HTML for this mocked up here ..
* Privacy options only available for selection if authentication chosen
* Authentication username/password only available if authentication is chosen
* Privacy username/password only available if privacy is chosen

http://ensim.webscorpion.com/scripts/cacti/snmp.html
Last edited by perldork on Sun Nov 07, 2004 11:17 pm, edited 1 time in total.
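
The rules discussed in this thread (which fields each security level needs, deriving the level from what is filled in, and per-device overrides of system-wide defaults), as one added PHP example; it is not code from the posters or from Cacti. The function names and array keys are hypothetical, and the 8-character passphrase minimum comes from RFC 3414, not from the thread.

```php
<?php
// Added example: helper names and array keys are hypothetical, not Cacti's.

// RFC 3414 (USM) requires passphrases of at least 8 characters.
const SNMPV3_MIN_PASSPHRASE = 8;

// Per-device values override the system-wide defaults; empty fields fall back.
function snmpv3_effective_settings(array $defaults, array $device): array
{
    $filled = array_filter($device, fn($v) => $v !== null && $v !== '');
    return array_merge($defaults, $filled);
}

// Derive the security level from which passphrases are set, instead of
// asking for it in a separate drop-down. Privacy is only valid with auth.
function snmpv3_security_level(array $s): string
{
    $auth = ($s['auth_passphrase'] ?? '') !== '';
    $priv = ($s['priv_passphrase'] ?? '') !== '';
    if ($priv && !$auth) {
        throw new InvalidArgumentException('privacy requires authentication');
    }
    return $auth ? ($priv ? 'authPriv' : 'authNoPriv') : 'noAuthNoPriv';
}

// Validate the settings and return the positional arguments for
// snmp3_get()/snmp3_walk()/snmp3_real_walk(), in the order given in the thread.
function snmpv3_call_args(array $s, string $oid): array
{
    if (($s['host'] ?? '') === '' || ($s['sec_name'] ?? '') === '') {
        throw new InvalidArgumentException('host and sec_name are required');
    }
    $port = (int) ($s['port'] ?? 161);
    if ($port < 1 || $port > 65535) {
        throw new InvalidArgumentException("bad port: $port");
    }
    $level   = snmpv3_security_level($s);
    $auth_on = $level !== 'noAuthNoPriv';
    $priv_on = $level === 'authPriv';

    $checks = [
        // [enabled, protocol key, allowed protocols, passphrase key]
        [$auth_on, 'auth_protocol', ['MD5', 'SHA'], 'auth_passphrase'],
        [$priv_on, 'priv_protocol', ['DES', 'AES128', 'AES192', 'AES256'], 'priv_passphrase'],
    ];
    $out = [];
    foreach ($checks as [$enabled, $proto_key, $allowed, $pass_key]) {
        if (!$enabled) {
            // Not needed at this level: pass blanks rather than a stale secret.
            array_push($out, '', '');
            continue;
        }
        $proto = $s[$proto_key] ?? $allowed[0]; // MD5 / DES are the defaults
        if (!in_array($proto, $allowed, true)) {
            throw new InvalidArgumentException("unsupported $proto_key: $proto");
        }
        if (strlen($s[$pass_key]) < SNMPV3_MIN_PASSPHRASE) {
            throw new InvalidArgumentException("$pass_key is shorter than 8 characters");
        }
        array_push($out, $proto, $s[$pass_key]);
    }
    return array_merge([$s['host'] . ':' . $port, $s['sec_name'], $level], $out, [$oid]);
}

// Constructed sample data: system-wide defaults plus one device override.
$defaults = ['sec_name' => 'monitor', 'auth_protocol' => 'SHA',
             'auth_passphrase' => 'constructed-auth-pass',
             'priv_protocol' => 'DES', 'priv_passphrase' => 'constructed-priv-pass'];
$device = ['host' => '192.168.1.2', 'port' => 164, 'sec_name' => 'customer42',
           'auth_passphrase' => 'device-only-auth-pass',
           'priv_passphrase' => '']; // blank: inherits the system-wide default

$args = snmpv3_call_args(snmpv3_effective_settings($defaults, $device), '.1.3.6.1.2.1.25.1.5.0');
echo "{$args[0]} as {$args[1]} at {$args[2]}\n";
// With the snmp extension loaded: $value = snmp3_get(...$args);
```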

Post by TheWitness »

Are you suggesting that there are two possible usernames? I like the interface. I don't believe that this is supportable in native PHP. However, we can get close or possibly integrate the Javascript right in the hosts page. Let's keep it up.

TheWitness

Post by TheWitness »

Also, if there is no authentication or privacy protocol, is the device just open to users to poll?

TheWitness

Post by TheWitness »

Also,

The reason for the two boxes is to both Hide and double check the passphrases so you don't get them wrong. It is a default PHP form for Passwords.

Here is my latest cut. Although Java is kool. It's a major change to the UI that I don't want to spend time on now. Therefore, this will have to do for now.

TheWitness
Attachments
SNMPv3 Settings v2.JPG (123.5 KiB) Viewed 42617 times