Configuration of net-mgmt/net-snmp on FreeBSD

Today I’m setting up snmpd on a new [to me] host. It’s a Dell R730. Previously, my documentation for this was a bit jumbled. It was written in 2015 and contains a few updates and corrections. It was hard to follow, even for me.

This new post is an update of that one.

See my FreeBSD Forums post where I spent a long time figuring out why the JAIL option needs careful consideration.

The recipe

I got some help from Ryan Steinmetz who suggested I use this approach.

First, we install net-snmp:

pkg install net-snmp

I added this to /etc/rc.conf:

snmpd_enable="YES"
snmpd_flags="-a -r"
snmpd_conffile="/usr/local/etc/snmpd.conf"

The configuration file is pretty simple. I started with the supplied example.

STOP, this is what I once did. Skip over.

[20:36 r730-03 dvl ~] % sudo cp -i /usr/local/share/snmp/snmpd.conf.example /usr/local/etc/snmpd.conf
overwrite /usr/local/etc/snmpd.conf? (y/n [n]) y

I made only this change:

$ diff -ruN /usr/local/share/snmp/snmpd.conf.example /usr/local/etc/snmpd.conf
--- /usr/local/share/snmp/snmpd.conf.example	2017-11-16 04:42:33.000000000 +0000
+++ /usr/local/etc/snmpd.conf	2017-12-07 16:08:35.380256000 +0000
@@ -12,7 +12,7 @@
 #
 
 #  Listen for connections from the local system only
-agentAddress  udp:127.0.0.1:161
+agentAddress  udp:10.0.0.1:161
 #  Listen for connections on all interfaces (both IPv4 *and* IPv6)
 #agentAddress udp:161,udp6:[::1]:161
 

Skip to here: This is an example configuration file:

# cat /usr/local/etc/snmpd.conf
agentAddress  udp:10.0.0.172:161,tcp:10.0.0.172:161

sysLocation    The FreeBSD Diary
sysContact     dan@langille.org

extend bind    /usr/local/etc/snmp/bind

Where 10.0.0.1 is the IP Address that snmpd should listen on.

Next, a wee bit of the documentation:

% net-snmp-create-v3-user --help

Usage:
  net-snmp-create-v3-user [-ro] [-A authpass] [-X privpass] [-a MD5|SHA] [-x DES|AES] [username]

Now for the formula (you must modify foobarfoo and barfoobar to real passwords; don’t use these one; also change roDVL.

Why does my example use foobarfoo and not foofoo is too short for snmpwalk which will say: Error: passphrase chosen is below the length requirements of the USM (min=8).).

[20:39 r730-03 dvl ~] % sudo service snmpd stop
Stopping snmpd.
Waiting for PIDS: 3478.

[20:39 r730-03 dvl ~] % sudo net-snmp-config --create-snmpv3-user -ro -x AES -a SHA -A 'foobarfoo' -X 'barfoobar' roDVL
adding the following line to /var/net-snmp/snmpd.conf:
   createUser roDVL SHA "foobarfoo" AES "barfoobar"
adding the following line to /share/snmp/snmpd.conf:
   rouser roDVL
touch: /share/snmp/snmpd.conf: No such file or directory
/usr/local/bin/net-snmp-create-v3-user: cannot create /share/snmp/snmpd.conf: No such file or directory

Oh yes, we need to create that directory. That’s shown up before.

Let’s play their silly game (See NOTE NOTE NOTE below, where recent versions don’t need this mkdir):

[20:46 r730-03 dvl ~] % sudo mkdir -p /share/snmp           
[20:46 r730-03 dvl ~] % 

And try again:

[20:46 r730-03 dvl ~] % sudo net-snmp-config --create-snmpv3-user -ro -x AES -a SHA -A 'foobarfoo' -X 'barfoobar' roDVL
adding the following line to /var/net-snmp/snmpd.conf:
   createUser roDVL SHA "foobarfoo" AES "barfoobar"
adding the following line to /share/snmp/snmpd.conf:
   rouser roDVL
[20:46 r730-03 dvl ~] % 

Now, move that newly created file into place (note that it’s slightly different from the above suggestion because the code is assuming non-FreeBSD standards.

NOTE NOTE NOTE: I see that with net-snmp-5.9.4,1 it gets the path right. You don’t have to do this move. In fact, I didn’t have to create /share/snmp/.

[20:46 r730-03 dvl ~] % sudo mv /share/snmp/snmpd.conf /usr/local/share/snmp/snmpd.conf
[20:48 r730-03 dvl ~] % 

Finally, restart:

[20:49 r730-03 dvl ~] % sudo service snmpd start
Starting snmpd.

This should just work.

shell security issue

NOTE: you might want to delete the above from your shell history…. no sense leaving those passwords sitting there.

Notes about quotes

I found wonkiness if you have to put quotes around the -X parameter… observe the output of the net-snmp-config and keep that in mind.

To test that you have the correct passwords, try this:

snmpwalk -v3 -l authPriv -u roDVL -a SHA -A foobarfoo -x AES -X barfoobar empty.int.unixathome.org HOST-RESOURCES-MIB::hrSystemNumUsers

You should see something like this:

HOST-RESOURCES-MIB::hrSystemNumUsers.0 = Gauge32: 2
Website Pin Facebook Twitter Myspace Friendfeed Technorati del.icio.us Digg Google StumbleUpon Premium Responsive

Leave a Comment

Scroll to Top