Today I’m setting up snmpd on a new [to me] host. It’s a Dell R730. Previously, my documentation for this was a bit jumbled. It was written in 2015 and contains a few updates and corrections. It was hard to follow, even for me.
This new post is an update of that one.
See my FreeBSD Forums post where I spent a long time figuring out why the JAIL option needs careful consideration.
The recipe
I got some help from Ryan Steinmetz who suggested I use this approach.
First, we install net-snmp:
pkg install net-snmp
I added this to /etc/rc.conf:
snmpd_enable="YES"
snmpd_flags="-a -r"
snmpd_conffile="/usr/local/etc/snmpd.conf"
The configuration file is pretty simple. I started with the supplied example.
STOP, this is what I once did. Skip over.
[20:36 r730-03 dvl ~] % sudo cp -i /usr/local/share/snmp/snmpd.conf.example /usr/local/etc/snmpd.conf
overwrite /usr/local/etc/snmpd.conf? (y/n [n]) y
I made only this change:
$ diff -ruN /usr/local/share/snmp/snmpd.conf.example /usr/local/etc/snmpd.conf --- /usr/local/share/snmp/snmpd.conf.example 2017-11-16 04:42:33.000000000 +0000 +++ /usr/local/etc/snmpd.conf 2017-12-07 16:08:35.380256000 +0000 @@ -12,7 +12,7 @@ # # Listen for connections from the local system only -agentAddress udp:127.0.0.1:161 +agentAddress udp:10.0.0.1:161 # Listen for connections on all interfaces (both IPv4 *and* IPv6) #agentAddress udp:161,udp6:[::1]:161
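Review bot: the comment "# Listen for connections from the local system only" directly above the changed agentAddress line is now stale, because the agent binds to 10.0.0.1 instead of 127.0.0.1. Update that comment to name the interface the agent listens on, so the file does not claim a loopback-only listener that no longer exists. Binding to one address rather than enabling the commented-out all-interfaces line is the narrower choice and worth keeping.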
Skip to here: This is an example configuration file:
# cat /usr/local/etc/snmpd.conf
agentAddress udp:10.0.0.172:161,tcp:10.0.0.172:161
sysLocation The FreeBSD Diary
sysContact dan@langille.org
extend bind /usr/local/etc/snmp/bind
Where 10.0.0.1 is the IP Address that snmpd should listen on.
Next, a wee bit of the documentation:
% net-snmp-create-v3-user --help
Usage: net-snmp-create-v3-user [-ro] [-A authpass] [-X privpass] [-a MD5|SHA] [-x DES|AES] [username]
Now for the formula. You must change foobarfoo and barfoobar to real passwords (don’t use these ones), and also change roDVL.
Why does my example use foobarfoo and not foo? Because foo is too short for snmpwalk, which will say: Error: passphrase chosen is below the length requirements of the USM (min=8).
[20:39 r730-03 dvl ~] % sudo service snmpd stop
Stopping snmpd.
Waiting for PIDS: 3478.
[20:39 r730-03 dvl ~] % sudo net-snmp-config --create-snmpv3-user -ro -x AES -a SHA -A 'foobarfoo' -X 'barfoobar' roDVL
adding the following line to /var/net-snmp/snmpd.conf:
createUser roDVL SHA "foobarfoo" AES "barfoobar"
adding the following line to /share/snmp/snmpd.conf:
rouser roDVL
touch: /share/snmp/snmpd.conf: No such file or directory
/usr/local/bin/net-snmp-create-v3-user: cannot create /share/snmp/snmpd.conf: No such file or directory
Oh yes, we need to create that directory. That’s shown up before.
Let’s play their silly game (See NOTE NOTE NOTE below, where recent versions don’t need this mkdir):
[20:46 r730-03 dvl ~] % sudo mkdir -p /share/snmp
[20:46 r730-03 dvl ~] %
And try again:
[20:46 r730-03 dvl ~] % sudo net-snmp-config --create-snmpv3-user -ro -x AES -a SHA -A 'foobarfoo' -X 'barfoobar' roDVL
adding the following line to /var/net-snmp/snmpd.conf:
createUser roDVL SHA "foobarfoo" AES "barfoobar"
adding the following line to /share/snmp/snmpd.conf:
rouser roDVL
[20:46 r730-03 dvl ~] %
Now, move that newly created file into place (note that it’s slightly different from the above suggestion because the code is assuming non-FreeBSD standards).
NOTE NOTE NOTE: I see that with net-snmp-5.9.4,1 it gets the path right. You don’t have to do this move. In fact, I didn’t have to create /share/snmp/.
[20:46 r730-03 dvl ~] % sudo mv /share/snmp/snmpd.conf /usr/local/share/snmp/snmpd.conf
[20:48 r730-03 dvl ~] %
Finally, restart:
[20:49 r730-03 dvl ~] % sudo service snmpd start
Starting snmpd.
This should just work.
Shell security issue
NOTE: you might want to delete the above from your shell history… no sense leaving those passwords sitting there.
Notes about quotes
I found wonkiness if you have to put quotes around the -X parameter… observe the output of the net-snmp-config and keep that in mind.
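One way to keep the passphrases out of shell history and out of shell quoting altogether is to never pass them as arguments. This added example (not from the original post or from net-snmp) prompts with echo off, checks the USM minimum length up front, and appends the same two lines the output above shows, to the paths used in this recipe; the function names and the refusal of quotes and backslashes are assumptions of this example, and snmpd must be stopped first as in the recipe.

```shell
#!/bin/sh
# Added example: create the SNMPv3 read-only user without the passphrases
# ever appearing in argv or shell history. Default paths are from this page.
PERSIST_CONF="${PERSIST_CONF:-/var/net-snmp/snmpd.conf}"        # createUser line
ACCESS_CONF="${ACCESS_CONF:-/usr/local/share/snmp/snmpd.conf}"  # rouser line

# USM rejects passphrases shorter than 8 characters. Double quotes and
# backslashes are refused too (a conservative choice made for this example)
# so the double-quoted token in the createUser line cannot be misparsed.
usm_check_pass() {
    [ "${#1}" -ge 8 ] || {
        printf '%s\n' 'passphrase is below the USM minimum (min=8)' >&2
        return 1
    }
    case $1 in
        *\"*|*\\*)
            printf '%s\n' 'passphrase must not contain a double quote or backslash' >&2
            return 1 ;;
    esac
}

# Prompt on the terminal with echo off; the secret goes to stdout only.
read_secret() {
    printf '%s: ' "$1" >/dev/tty
    stty -echo </dev/tty
    IFS= read -r secret </dev/tty
    stty echo </dev/tty
    printf '\n' >/dev/tty
    printf '%s' "$secret"
}

# Append the two lines shown in the net-snmp-config output above.
# usage: add_ro_user USER AUTHPASS PRIVPASS   (run as root, snmpd stopped)
add_ro_user() {
    usm_check_pass "$2" && usm_check_pass "$3" || return 1
    ( umask 077   # a newly created persistent file is owner-only
      printf 'createUser %s SHA "%s" AES "%s"\n' "$1" "$2" "$3" >>"$PERSIST_CONF" ) &&
    printf 'rouser %s\n' "$1" >>"$ACCESS_CONF"
}

# Interactive use (not executed when this file is sourced):
#   auth=$(read_secret 'auth passphrase')
#   priv=$(read_secret 'priv passphrase')
#   add_ro_user roDVL "$auth" "$priv"; unset auth priv
```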
To test that you have the correct passwords, try this:
snmpwalk -v3 -l authPriv -u roDVL -a SHA -A foobarfoo -x AES -X barfoobar empty.int.unixathome.org HOST-RESOURCES-MIB::hrSystemNumUsers
You should see something like this:
HOST-RESOURCES-MIB::hrSystemNumUsers.0 = Gauge32: 2