Cacti: official forums and support
All times are UTC - 5 hours




Post subject: SNMP v3?
Posted: Fri Nov 05, 2004 9:14 am
Cacti User
Joined: Fri Nov 05, 2004 9:06 am
Posts: 69
Hi,

Anyone working on adding SNMP v3 support to Cacti? I understand that I can write a custom script that will do SNMP v3 myself for now .. just curious if anyone knows if this is a feature that will be added to Cacti's built-in SNMP client anytime soon .. if not, I could take a crack at it .. or does the php-snmp module not support SNMP v3 yet?

_________________
Max Schubert a.k.a perldork
Ensim scripts and utilities (GPL) - Perform nmap scans with perl (GPL)
Perl-based log monitoring framework(GPL)


Last edited by perldork on Sat Nov 06, 2004 8:07 am, edited 1 time in total.

Posted: Fri Nov 05, 2004 6:44 pm
Developer
Joined: Tue May 14, 2002 5:08 pm
Posts: 14861
Location: MI, USA
Yes php does. Unfortunately, we have not been focusing on SNMP v3. Could you please provide user interface design information for us to help with the design?

I know that the following may be required:

UserID, Password, Passphrase, ????

Then, in addition to the above, could you please research the php.net website for documentation and provide sample code for producing a snmpv3 call. If you can do that much, I can program the rest.

TheWitness

_________________
True understanding begins only when we realize how little we truly understand...

Life is an adventure, let yours begin with Cacti!

Author of MacTrack, Boost, CLog, SpikeKill, Platform RTM, DSStats, maintainer of Spine, lots of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
Gandalfs Official Debugging Help
Central Plugin Repository
Central Templates Repository


Posted: Fri Nov 05, 2004 8:30 pm
Cacti User
Joined: Fri Nov 05, 2004 9:06 am
Posts: 69
Be glad to help if I can.

In addition to UserID

* engineId (optional)
* contextName (optional)
* Authentication passphrase - password
* Privacy passphrase - (for using encrypted PDUs)

Where did you see information for using the above SNMP v3 specific fields with PHP? I didn't see any mention of SNMP v3 in the php.net docs beyond that it supports v3 :) .. I will search again, but please let me know if you remember where you saw docs that talked about using the full SNMP v3 feature set! I did a bunch of Net::SNMP scripts with perl using SNMP v3 today that I could call for use in data templates to build my own SNMP v3 input data methods/graph/host templates and data templates .. scripts were easy to build.

By user interface design, do you mean a static HTML mockup?


Last edited by perldork on Sun Nov 07, 2004 12:20 pm, edited 1 time in total.

Posted: Fri Nov 05, 2004 8:51 pm
Developer
Joined: Tue May 14, 2002 5:08 pm
Posts: 14861
Location: MI, USA
It does not appear well documented on the PHP Web site. It looks like they need some contribs. Here is the source code.

Larry


Attachments:
snmp.zip [17.72 KiB]
Downloaded 1314 times

Posted: Sat Nov 06, 2004 12:05 am
Cacti User
Joined: Fri Nov 05, 2004 9:06 am
Posts: 69
Working examples for all retrieval functions done:
* snmp3_get
  - returns single value as string
* snmp3_getnext
  - returns single value as string or null if no more values
* snmp3_walk
  - returns array of values
* snmp3_real_walk
  - returns associative array of OID/value pairs

Argument list for all above functions:

Code:
retval snmp3_NNNNN(string host,
                  string sec_name,
                  string sec_level,
                  string auth_protocol,
                  string auth_passphrase,
                  string priv_protocol,
                  string priv_passphrase,
                  string object_id     
                  [, int timeout                               
                  [, int retries]]
)


Where:
* Host can be just hostname/IP or hostname/IP:port
  - e.g. 192.168.1.2:165
* sec_level is one of 'noAuthNoPriv', 'authNoPriv', or 'authPriv'
  - If noAuthNoPriv, don't need auth_protocol or auth_passphrase or priv_protocol or priv_passphrase
  - If authNoPriv, don't need priv_protocol or priv_passphrase
  - If authPriv, need all four
* Passphrases are the ASCII passphrases; the routines will *not* accept hex-encoded phrases
* auth_protocol is one of 'MD5' (default) or 'SHA'
* priv_protocol is one of 'DES' (default), 'AES128', 'AES192', 'AES256'
  - I know from my own experience Net-SNMP agents as of 5.1.2 only work with DES

Working code (passphrases etc not the real ones in use):

Code:
#!/usr/local/bin/php
<?php

$auth_key = 'My user key';
$priv_key = 'PDU encrypt key';
$user     = 'myusername';

#  Host with optional :port
$host     = '192.168.1.2:164';

#  Want both user authentication and PDU encryption
$level = 'authPriv';

#  For passphrase encryption
$auth_protocol = 'MD5';

#  PDU encryption
$priv_protocol = 'DES';

#  Number of users on system
$oid1 = '.1.3.6.1.2.1.25.1.5.0';

#  Disk use and memory use - for walk
$oid2 = '.1.3.6.1.2.1.25.2.3.1';

#  Single value
$get = snmp3_get($host,
                 $user,
                 $level,
                 $auth_protocol,
                 $auth_key,
                 $priv_protocol,
                 $priv_key,
                 $oid1);

print $get;

#  Walk, return values in array
$walk = snmp3_walk($host,
                   $user,
                   $level,
                   $auth_protocol,
                   $auth_key,
                   $priv_protocol,
                   $priv_key,
                   $oid2);

#  snmp3_walk returns false on failure, so only loop over a real result
if ($walk !== false) {
    foreach ($walk as $value) {
        print "$value\n";
    }
}

#  Walk, get OID/value pairs back
$real_walk = snmp3_real_walk($host,
                             $user,
                             $level,
                             $auth_protocol,
                             $auth_key,
                             $priv_protocol,
                             $priv_key,
                             $oid2);

if ($real_walk !== false) {
    foreach ($real_walk as $oid => $value) {
        print "$oid: $value\n";
    }
}

?>



Let me know if you would like more information than what I have provided


Posted: Sat Nov 06, 2004 12:10 am
Cacti User
Joined: Fri Nov 05, 2004 9:06 am
Posts: 69
So, additions to the user interface design (different than what I initially thought):

Drop down lists:

Security level:
* noAuthNoPriv - No authentication, no privacy
* authNoPriv - Authentication, no privacy
* authPriv - Authentication and privacy

Authentication protocol:
* MD5 (default)
* SHA

Privacy protocol:
* DES (default) - only one that works with net-SNMP as of version 5.1.2
* AES128
* AES192
* AES256

Text input boxes:

Authentication passphrase (plain text, not hex string)
Privacy passphrases (plain text, not hex string)
Authentication username

_________________
Max Schubert a.k.a perldork


Posted: Sat Nov 06, 2004 3:29 pm
Developer
Joined: Tue May 14, 2002 5:08 pm
Posts: 14861
Location: MI, USA
Should the SNMP options be on a per-host basis?

Great work thus far.

TheWitness



Posted: Sat Nov 06, 2004 7:05 pm
Cacti User
Joined: Fri Nov 05, 2004 9:06 am
Posts: 69
I am enjoying this :), thank you for giving me the chance to help out.

I noticed that the php-snmp module is not very fault tolerant; I accidentally passed an OID to the snmp_walk() function that didn't have any children and php segfaulted and dumped core :p.

SNMP v3 users are configured on a per-agent basis.

I wrote a little wrapper class for the snmp3 functions .. here it is, following the code examples refactored to use it.

Code:

<?php

include('snmpv3.class.php');

$host = '192.168.1.2';
$user = 'mynameis';

$snmp = new SNMPv3($host, $user);
$snmp->auth_key = 'My auth key';
$snmp->priv_key = 'My privacy key';
$snmp->port     = 164;
$snmp->auth_priv();
$snmp->use_md5_for_authentication();

$oid1 = '.1.3.6.1.2.1.25.1.5.0';
$oid2 = '.1.3.6.1.2.1.25.2.3.1';

print $snmp->get($oid1);

foreach ($snmp->walk($oid2) as $value) {
    print "$value\n";
}

foreach ($snmp->real_walk($oid2) as $key => $value) {
    print "$key: $value\n";
}

?>



And the class:

Code:
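<?php

class SNMPv3 {

    // Connection and SNMPv3 security settings; callers set these directly
    public $host;
    public $user;
    public $port;
    public $auth_key;
    public $priv_key;
    public $level;
    public $auth_protocol;
    public $priv_protocol;
    public $timeout;
    public $retries;

    // __construct replaces the PHP 4 style constructor named after the
    // class, which PHP 8 no longer calls
    function __construct($host, $user) {

        if ($host == '') {
            die("Host is required!");
        }

        if ($user == '') {
            die("Username is required!");
        }

        $this->host = $host;
        $this->user = $user;
        $this->port = 161;
        $this->auth_key = '';
        $this->priv_key = '';
        $this->level    = 'noAuthNoPriv';
        $this->auth_protocol = 'MD5';
        $this->priv_protocol = 'DES';
        // Passed to snmp3_* as the timeout argument, which PHP documents
        // in microseconds
        $this->timeout = 60;
        $this->retries = 5;
    }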

    function format_host() {
        return "{$this->host}:{$this->port}";
    }

    function no_auth_no_priv() {
        $this->level = 'noAuthNoPriv';
    }

    function auth_no_priv() {
        $this->level = 'authNoPriv';
    }

    function auth_priv() {
        $this->level = 'authPriv';
    }

    function use_md5_for_authentication() {
        $this->auth_protocol = 'MD5';
    }

    function use_sha_for_authentication() {
        $this->auth_protocol = 'SHA';
    }

    function use_des_for_privacy() {
        $this->priv_protocol = 'DES';
    }

    function use_aes128_for_privacy() {
        $this->priv_protocol = 'AES128';
    }

    function use_aes192_for_privacy() {
        $this->priv_protocol = 'AES192';
    }

    function use_aes256_for_privacy() {
        $this->priv_protocol = 'AES256';
    }

    function get($oid) {

        $host = $this->format_host();

        return snmp3_get(
                   $host,
                   $this->user,
                   $this->level,
                   $this->auth_protocol,
                   $this->auth_key,
                   $this->priv_protocol,
                   $this->priv_key,
                   $oid,
                   $this->timeout,
                   $this->retries);
    }

    function walk($oid) {

        $host = $this->format_host();

        return snmp3_walk(
                   $host,
                   $this->user,
                   $this->level,
                   $this->auth_protocol,
                   $this->auth_key,
                   $this->priv_protocol,
                   $this->priv_key,
                   $oid,
                   $this->timeout,
                   $this->retries);
    }

    function real_walk($oid) {

        $host = $this->format_host();

        return snmp3_real_walk(
                   $host,
                   $this->user,
                   $this->level,
                   $this->auth_protocol,
                   $this->auth_key,
                   $this->priv_protocol,
                   $this->priv_key,
                   $oid,
                   $this->timeout,
                   $this->retries);
    }

}

?>


_________________
Max Schubert a.k.a perldork


Last edited by perldork on Sun Nov 07, 2004 11:35 am, edited 1 time in total.

Posted: Sat Nov 06, 2004 10:31 pm
Developer
Joined: Tue May 14, 2002 5:08 pm
Posts: 14861
Location: MI, USA
For some reason I think that the Authentication and Privacy Protocols can be system wide settings. Also, what about the two passphrases?

Thanks Again,

TheWitness



Posted: Sat Nov 06, 2004 11:00 pm
Developer
Joined: Tue May 14, 2002 5:08 pm
Posts: 14861
Location: MI, USA
Here is the "New" SNMP Defaults Screen. What do you think?

TheWitness


Attachments:
SNMPv3 Settings.JPG [ 143.08 KiB | Viewed 28584 times ]

Posted: Sun Nov 07, 2004 8:23 am
Cacti User
Joined: Fri Nov 05, 2004 9:06 am
Posts: 69
Nice! I really like Cacti's UI design :).

How come each passphrase has two text input boxes on your screen shot? Was that intentional?

Yes, for most installations, like with SNMP 1/2c, people will use common credentials across all managed devices.

However, I would definitely make sure that there is the ability to override these settings on a device-by-device basis as there is with SNMP 1/2c.

Managed hosting providers, for example, may have each agent set up with a different username and password for security purposes. Some network security policies will also undoubtedly require that every agent use a unique username and passphrase.

Will you be including javascript to enable/disable the authentication/privacy related input widgets on the screen based on the user's security level choice or some kind of visual clue to tell a user what is required and what is not based on their security level choice?

_________________
Max Schubert a.k.a perldork


Posted: Sun Nov 07, 2004 3:04 pm
Cacti User
Joined: Fri Nov 05, 2004 9:06 am
Posts: 69
I was thinking about this a bit more .. instead of having the security level drop down, how about designing the GUI so that the user's choice to enable authentication/privacy lets you know implicitly which mode to choose without the additional select box .. or is this making the UI logic too complex?

I have the javascript and bare-bones HTML for this mocked up here ..
* Privacy options only available for selection if authentication chosen
* Authentication username/password only available if authentication is chosen
* Privacy username/password only available if privacy is chosen

http://ensim.webscorpion.com/scripts/cacti/snmp.html

_________________
Max Schubert a.k.a perldork


Last edited by perldork on Sun Nov 07, 2004 11:17 pm, edited 1 time in total.
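
The rules discussed in this thread (which fields each security level needs, and that privacy is only offered once authentication is chosen), as an added JavaScript example that is not part of the original posts or of Cacti. Function and field names are hypothetical, and the 8-character passphrase minimum is an assumption taken from RFC 3414 rather than from the thread.

```javascript
// Added example: function and field names are hypothetical, not Cacti's.
const AUTH_PROTOCOLS = ['MD5', 'SHA'];
const PRIV_PROTOCOLS = ['DES', 'AES128', 'AES192', 'AES256'];
// Assumption from outside the thread: RFC 3414 advises passphrases of at
// least 8 characters.
const MIN_PASSPHRASE_LENGTH = 8;

// Which inputs the form enables for a given pair of checkboxes.
function widgetState(useAuth, usePriv) {
  const priv = useAuth && usePriv;
  return {
    authProtocol: useAuth,
    authPassphrase: useAuth,
    privCheckbox: useAuth, // privacy is only offered on top of authentication
    privProtocol: priv,
    privPassphrase: priv,
  };
}

function checkSecret(errors, label, protocol, allowed, passphrase) {
  if (!allowed.includes(protocol)) {
    errors.push(`${label} protocol must be one of ${allowed.join(', ')}`);
  }
  if (typeof passphrase !== 'string' || passphrase.length < MIN_PASSPHRASE_LENGTH) {
    errors.push(`${label} passphrase must be at least ${MIN_PASSPHRASE_LENGTH} characters`);
  }
}

// Re-check the submitted values: a disabled widget can still carry a stale
// value, so the level is derived here and unused fields are blanked.
function deriveSnmpV3Settings(form) {
  const errors = [];
  const useAuth = form.useAuth === true;
  const usePriv = form.usePriv === true;

  if (typeof form.username !== 'string' || form.username === '') {
    errors.push('username is required');
  }
  if (usePriv && !useAuth) {
    errors.push('privacy requires authentication');
  }
  if (useAuth) {
    checkSecret(errors, 'authentication', form.authProtocol, AUTH_PROTOCOLS, form.authPassphrase);
  }
  if (useAuth && usePriv) {
    checkSecret(errors, 'privacy', form.privProtocol, PRIV_PROTOCOLS, form.privPassphrase);
  }
  if (errors.length > 0) {
    return { ok: false, errors, settings: null };
  }

  const level = !useAuth ? 'noAuthNoPriv' : usePriv ? 'authPriv' : 'authNoPriv';
  return {
    ok: true,
    errors,
    settings: {
      username: form.username,
      level,
      authProtocol: useAuth ? form.authProtocol : '',
      authPassphrase: useAuth ? form.authPassphrase : '',
      privProtocol: usePriv ? form.privProtocol : '',
      privPassphrase: usePriv ? form.privPassphrase : '',
    },
  };
}
```

The `settings` fields line up with the sec_name, sec_level, protocol and passphrase arguments of the snmp3_* functions listed earlier in the thread.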

Posted: Sun Nov 07, 2004 4:26 pm
Developer
Joined: Tue May 14, 2002 5:08 pm
Posts: 14861
Location: MI, USA
Are you suggesting that there are two possible usernames? I like the interface. I don't believe that this is supportable in native PHP. However, we can get close or possibly integrate the Javascript right in the hosts page. Let's keep it up.

TheWitness



Posted: Sun Nov 07, 2004 4:28 pm
Developer
Joined: Tue May 14, 2002 5:08 pm
Posts: 14861
Location: MI, USA
Also, if there is no authentication or privacy protocol, is the device just open to users to poll?

TheWitness



Posted: Sun Nov 07, 2004 5:07 pm
Developer
Joined: Tue May 14, 2002 5:08 pm
Posts: 14861
Location: MI, USA
Also,

The reason for the two boxes is to both Hide and double check the passphrases so you don't get them wrong. It is a default PHP form for Passwords.

Here is my latest cut. Although Java is kool. It's a major change to the UI that I don't want to spend time on now. Therefore, this will have to do for now.

TheWitness


Attachments:
SNMPv3 Settings v2.JPG [ 123.5 KiB | Viewed 28552 times ]
