|
Hello,
We are (were) looking to implement Zabbix in an Enterprise environment that using SHA for it's SNMPv3 authentication protocol.
EG. snmpwalk -v 3 -l AuthPriv -u Frank -a SHA -A Frank -x DES -X Frank Frank
We're looking at Zabbix now and are wondering when and if Zabbix is going to be updated to support this feature. It would be greatly appreciated if someone would please look at this and supply some feedback.
Sincerely,
Jolyon Ansuz
Communications Systems Officer
Infrastructure Services Group (Networks)
IT Directorate
University of New England
Armidale NSW 2351
|
|
added a note on currently supported protocols to http://www.zabbix.com/documentation/1.8/manual/config/items#snmp_agent
|
|
Thank you,
we're aware of the limitations that Zabbix has in regards to it's authentication protocols.
We are wondering when and if Zabbix is going to be updated to support SHA as a SNMPv3 authentication protocol as more people or using this in Enterprise environments.
It would be greatly appreciated if someone would please investigate this and hopefully code this upgrade.
Sincerely,
Jolyon Ansuz
Communications Systems Officer
Communications Infrastructure
Information Technology
University of New England
Armidale NSW 2351
|
|
This would be really nice. MD5 is usually enough, but SHA is a bit better. However, DES alone doesn't offer much encryption, and in a critical system (such as finnancial sector), using a decent encryption method (such as AES) would be more than preferable. This can also be such a drawback, that Zabbix couldn't pass an audit at a high security place, thus couldn't be deployed at all.
|
|
I would like to implement this. Should we use the same database elements and just add the algorithms to the security level dropdown? There are currently six combinations of algorithms possible. The dropdown would then contain:
noAuthNoPriv (existing option)
authNoPriv MD5 (existing option with a more specific name)
authNoPriv SHA
authPriv MD5-DES (existing option with a more specific name)
authPriv MD5-AES
authPriv SHA-DES
authPriv SHA-AES
|
|
chlunde, my personal opinion on this is, to add this as a separate parameter. Also, database design-wise it's better, you can keep track of different algorithms, it's easier to handle, and you can garantee consistency using FKs in the DB.
And please also take into account that the specification for SNMPv3 also includes 3DES, so that'd make at least 2 more options. And futhermore, don't foret the noAuthPriv level, where you don't have auth algos, just privacy ones.
Also separating algorithms into a different options, and organizing them in a different table, could be used anywhere else in zabbix, when a need arises (such is, we need X algo, and bind a function for it to calculate some hash ourselves).
This is just my personal opinion
|
|
IMHO:
I don't know, maybe I should take a look in the code before, but I don't think that this is a lack of options in the web interface, but it's a lack in the zabbix_server to perform this snmp gets..
Am I wrong?
|
|
I created a patch with all the options I mentioned. I agree with the comment about the database design, but the current database design for items is not normalized so this would break compatibility for existing databases. I'll attach a patch. It requires som cleanup, I think the code would be cleaner if we added the two algorithms to the database as you suggest.
This patch is against 1.8.5. I would like a comment from someone with commit access before I do more changes.
frontends/php/discoveryconf.php | 18 +++++--
frontends/php/include/defines.inc.php | 4 +
frontends/php/include/forms.inc.php | 24 ++++++---
frontends/php/include/items.inc.php | 14 ++++-
frontends/php/items.php | 18 ++++++-
include/common.h | 4 +
src/zabbix_server/poller/checks_snmp.c | 80 +++++++++++++++++++++++----------
7 files changed, 120 insertions , 42 deletions
|
|
Putting the SNMP parameters and credentials into a item makes no sense. These parameters should be an extra tab in host configuration. IPMI credentials are also an extra tab. So why not SNMP?
Michael Schwartzkopff.
|
|
It does make sense to give it a tab similar to IPMI but if it adds a bunch of complexity leaving it in the item would also work as long as you can use a macro as you can with auth passphrase. On the other side of the argument leaving it in the item give a bit more flexibility for instance you may want to pull some items with credentials that gives authNoPriv and other items with credentials that have authPriv.
|
|
Draft specification is available at https://www.zabbix.org/wiki/Docs/specs/ZBXNEXT-450
|
|
Adding SNMPv3 authentication protocol and privacy protocol fields to Frontend in same svn://svn.zabbix.com/branches/dev/ZBXNEXT-450 r.31405
|
|
(1) my template is having snmpv3 SHA/DES, but when discovered the host, the host linked items are changed to MD5/DES. Can you check from your side.
REgards
Vamsi
sasha Thank you! RESOLVED in r31672.
alexei CLOSED
|
|
Available in version pre-2.1.0 (trunk) r31686.
|
|
(2) Documentation is not ready. Reopened.
jelisejev Don't forget about the API docs and changelog.
jelisejev I've updated the API changelog and the API reference pages.
alexei Checked also internal documentation. CLOSED.
|
|
Is there a way to patch version 2.0.x
|
|
We'd also be interested in having this in 2.0.x
|
|
It's awesome that this will make it into 2.2! This has been a minor gripe of mine for a few months, as our firewalls only support SHA/AES
|
|
great - but if it is important to you, please take some time and test it 
otherwise we might release a stable release with this feature not working, because nobody tested it in real world environment.
btw, issue could be closed if somebody could review (2) - documentation changes
|
|
What is the time margin for testing with this feature
|
|
what do you mean by "time margin" ?
|
|
Well richlv you asked, so I tested. I tried to point a fresh CentOS 6 VM with Zabbix 2.1.0 pre code (a nightly build) at a firewall of ours using AES and SHA SNMPv3 in Zabbix.
I can walk the device with snmpwalk using the AES/SHA SNMPv3 username/password I set up, but Zabbix can't connect o the device (I made sure I had SHA and AES selected in the SNMP item I set up too).
The error from Zabbix when the item I set up goes to 'disabled' status is something like "incorrect username." I haven't troubleshot this much yet, I can provide debugs and pcaps of the SNMPv3 session as needed (I haven't looked at a Wireshark of the session yet).
|
|
Did testing with snmpV3+SHA+DES. Discovery is working fine this time. mass update is working fine. but struggling with API. Read the API documentaion and found few changes with the required fields. not able to create snmpv3 items using API with respect to template. the following are the parameters. $zhositid is templateid. is there anything wrong with my api parameters? found interfaceid is required, but cannot find interfaceid from template_get. PERL::API
$zitem = $zab->item_create(
{
'name' => "ifInOctets$count",
'delay' => "300",
'hostid' => "$zhostid",
'type' => "6",
'snmp_oid' => "1.3.6.1.2.1.2.2.1.10.$count",
'snmpv3_securityname' => "ABCDEFGHIJ",
'snmpv3_securitylevel' => "2",
'snmpv3_authprotocol' => "1",
'snmpv3_privprotocol' => "0",
'snmpv3_authpassphrase' => "pqrstuvwxyz123",
'snmpv3_privpassphrase' => "abcghijklm123",
'key_' => "ifInOctets$count",
'templateid' => "$zhostid",
'units' => "bps",
'multiplier' => "1",
'value_type' => "0",
'delta' => "1",
'formula' => "8"
}
);
|
|
as for the api - i don't think interfaceid would be required for template, but that's a different topic anyway - please discuss it in zabbix forums or on irc.
eric, it would be useful to see the exact error message. you could also try for testing with a simple alphanumeric password, unless you were using such a password already.
|
|
See also separately reported ZBX-6228
|
|
same patch as above for zabbix-2.0.4
|
|
Hang on a minute guys, I have a lab box that I'm testing on and it looks like SNMPv3 with SHA and AES is working! I have one SNMP item configured (Number of interfaces) and it's working! I'm waiting for a discovery to run and I'll see if discovery is working too.
Awesomeness!
|
|
Items and discovery work, and I copied the SNMPv2 based template that comes with the Zabbix 2.1.0 build over and added SNMPv3 AES and SHA macros, and they appear to work too. Using macros in items and in discovery items seems to work.
|
|
Eric, thanks for your report.
|
|
Documentation is not ready. I'm reopening the issue.
|
|
(3) The added options described in "what's new" for 2.2: https://www.zabbix.com/documentation/2.2/manual/introduction/whatsnew220#miscellaneous_improvements1
Information about available auth/privacy protocols updated at: https://www.zabbix.com/documentation/2.2/manual/config/items/itemtypes/snmp
<richlv> seems to be ok, CLOSED
|
Generated at Fri Apr 26 00:32:21 EEST 2024 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.
snmp-algos.patch