SNMP V3 : Modifying the password of lower security levels - SNMP


Thread: SNMP V3 : Modifying the password of lower security levels

  1. SNMP V3 : Modifying the password of lower security levels

    Hi,

    In SNMP V3, is the following allowed:
    Using the higher user (say) privUser, is it right to modify the
    security properties (passwords, etc.) of the lower security users? Any
    RFC reference?

    Thanks,
    Kudiyarasan

  2. Re: SNMP V3 : Modifying the password of lower security levels

    kudiyarasan@gmail.com wrote:

    > In SNMP V3, is following allowed :-
    > Using the higher user (say) privUser, it is right to modify the
    > security properties (passwords, etc ) of the lower security users. Any
    > rfc reference ?


    RFC 3414 defined a Textual Convention KeyChange which explains the
    basic procedure how to change keys. The various *KeyChange objects
    can then be used to change keys.

    Note that SNMP agents never deal with cleartext passwords directly;
    the technology is a bit more serious.

    /js

    PS: For understanding access control rights, you have to read RFC 3415.

    --
    Juergen Schoenwaelder Jacobs University Bremen gGmbH
    Phone: +49 421 200 3587 Campus Ring 1, 28759 Bremen, Germany
    Fax: +49 421 200 3103

  3. Re: SNMP V3 : Modifying the password of lower security levels

    Hi,

    Thanks for the information.
    On referring to RFC 3414, the basic procedure on how to change the keys is
    defined.
    But the hierarchy of changing keys (i.e.) "A privUser can change the
    key of an authUser" is not defined.
    Otherwise, I may have misunderstood this.

    Could you please elaborate a bit more on the hierarchical change of
    keys.

    With Regards,
    Kudiyarasan




    On Jan 28, 10:44 pm, "Dr. Juergen Schoenwaelder" bs.de> wrote:
    > kudiyara...@gmail.com wrote:
    > > In SNMP V3, is following allowed :-
    > > Using the higher user (say) privUser, it is right to modify the
    > > security properties (passwords, etc ) of the lower security users. Any
    > > rfc reference ?

    >
    > RFC 3414 defined a Textual Convention KeyChange which explains the
    > basic procedure how to change keys. The various *KeyChange objects
    > can then be used to change keys.
    >
    > Note that SNMP agents never deal with cleartext passwords directly;
    > the technology is a bit more serious.
    >
    > /js
    >
    > PS: For understanding access control rights, you have to read RFC 3415.
    >
    > --
    > Juergen Schoenwaelder Jacobs University Bremen gGmbH
    > Phone: +49 421 200 3587 Campus Ring 1, 28759 Bremen, Germany
    > Fax: +49 421 200 3103



  4. Re: SNMP V3 : Modifying the password of lower security levels

    kudi_kavi@yahoo.co.in wrote:

    > On referring RFC3414, the basic procedure on how to change the keys is
    > defined.
    > But the hierarchy of changing key (i.e) "A privUser can change the
    > key of an authUser " is not defined.


    I have no clue what a 'privUser' or an 'authUser' is. These are not
    established terms in USM.

    > Could you please elaborate a bit more on the hierarchical change of
    > keys.


    You need to phrase your question in the SNMP terminology. Once you have
    done that, I will better understand what your question is and you might even
    find the answer to your question during the exercise.

    If you understand RFC 3414, then you know how keys are changed. If your
    question is who is allowed to play with the key change objects, you have
    to read RFC 3415 since this is an access control issue.

    /js

    --
    Juergen Schoenwaelder Jacobs University Bremen gGmbH
    Phone: +49 421 200 3587 Campus Ring 1, 28759 Bremen, Germany
    Fax: +49 421 200 3103

  5. Re: SNMP V3 : Modifying the password of lower security levels

    On Feb 16, 5:37 am, "Dr. Juergen Schoenwaelder" bs.de> wrote:
    > kudi_k...@yahoo.co.in wrote:
    > > On referring RFC3414, the basic procedure on how to change the keys is
    > > defined.
    > > But the hierarchy of changing key (i.e) "A privUser can change the
    > > key of an authUser " is not defined.

    >
    > I have no clue what a 'privUser' or an 'authUser'. These are not
    > established terms in USM.


    authUser : User having only "usmUserAuthProtocol"
    privUser : User having both "usmUserAuthProtocol" and
    "usmUserPrivProtocol"


    >
    > > Could you please elaborate a bit more on the hierarchical change of
    > > keys.

    >
    > You need to phrase your question in the SNMP terminology. Once you have
    > done that, I better understand what your question is and you might even
    > find the answer to your question during the exercise.
    >
    > If you understand RFC 3414, then you know how keys are changed. If your
    > question is who is allowed to play with the key change objects, you have
    > to read RFC 3415 since this is an access control issue.
    >
    > /js
    >


    I guess that the key change is not defined in RFC 3415.
    In baseline, my query is:
    Is it possible/right that an SNMP v3 user having both protocols
    "usmUserAuthProtocol" and "usmUserPrivProtocol" can change the authKey
    of another user having only the protocol "usmUserAuthProtocol"?
    I hope my query is clear.


    > --
    > Juergen Schoenwaelder Jacobs University Bremen gGmbH
    > Phone: +49 421 200 3587 Campus Ring 1, 28759 Bremen, Germany
    > Fax: +49 421 200 3103



  6. Re: SNMP V3 : Modifying the password of lower security levels

    Hi,

    Is the following allowed in USM:

    Using a user, the keys/password of another user can be changed. And
    the user need not be a template user?
    (e.g.) A user privUser1 can change the authKey of another user
    authUser1.
    The usmsecuritylevel of those users differs from each other.

    In RFC 3414, it is mentioned that the key change can be done by another
    user.
    But the 'another user' is not explicitly defined in a way like
    "another must be a template user" etc.

    Thanks,
    Kudi




    On Feb 18, 4:31 pm, kudiyara...@gmail.com wrote:
    > On Feb 16, 5:37 am, "Dr. Juergen Schoenwaelder" >
    > bs.de> wrote:
    > > kudi_k...@yahoo.co.in wrote:
    > > > On referring RFC3414, the basic procedure on how to change the keys is
    > > > defined.
    > > > But the hierarchy of changing key (i.e) "A privUser can change the
    > > > key of an authUser " is not defined.

    >
    > > I have no clue what a 'privUser' or an 'authUser'. These are not
    > > established terms in USM.

    >
    > authUser : User having only "usmUserAuthProtocol"
    > privUser : User having both "usmUserAuthProtocol" and
    > "usmUserPrivProtocol"
    >
    >
    >
    > > > Could you please elaborate a bit more on the hierarchical change of
    > > > keys.

    >
    > > You need to phrase your question in the SNMP terminology. Once you have
    > > done that, I better understand what your question is and you might even
    > > find the answer to your question during the exercise.

    >
    > > If you understand RFC 3414, then you know how keys are changed. If your
    > > question is who is allowed to play with the key change objects, you have
    > > to read RFC 3415 since this is an access control issue.

    >
    > > /js

    >
    > I guess that the keychange is not defined in RFC3415.
    > In baseline, my query is
    > Is it possible/right that a SNMP v3 user having both protocols
    > "usmUserAuthProtocol" and "usmUserPrivProtocol" can change the authKey
    > of another user having only the protocol "usmUserAuthProtocol".
    > I hope my query is clear.
    >
    > > --
    > > Juergen Schoenwaelder Jacobs University Bremen gGmbH
    > > Phone: +49 421 200 3587 Campus Ring 1, 28759 Bremen, Germany
    > > Fax: +49 421 200 3103



  7. Re: SNMP V3 : Modifying the password of lower security levels


    > > In baseline, my query is
    > > Is it possible/right that a SNMP v3 user having both protocols
    > > "usmUserAuthProtocol" and "usmUserPrivProtocol" can change the authKey
    > > of another user having only the protocol "usmUserAuthProtocol".
    > > I hope my query is clear.


    The larger question is this.

    What makes "user-A" higher than "user-B", in terms of being able to
    change each other's keys?


    The answer is more involved than you think. It has to do with whether
    the user has VACM read-write access to the security portion of the
    MIB. You can give permissions for users to be able to change their
    own keys (via the usmUserOwnKeyChange node only). You can also allow
    some users to change everyone's keys (by giving them read/write access
    to the entire security sub-tree). You can also prevent users from
    making any key changes (including their own keys) by locking out the
    entire security subtree. If these users want their keys changed, they
    need to contact the "admin" (who does have read/write VACM access to
    the entire security tree).

    This stuff is hard to grasp at first and it is easy to make naive
    mistakes.

    There may be some tools to help you with this, but AFAIK Unbrowse SNMP
    allows you to set up the whole thing and learn about it. All you need
    is a single template user with read/write access to the usm* and vacm*
    subtrees. You can then use wizards to get going. Disclaimer : I am a
    developer of the product. I am only mentioning it because you seem to
    be genuinely stuck.

    -
    Vivek Rajan
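
The VACM arrangement described in the last reply (own-key-only users, a security admin, and locked-out users) can be modelled as a write-view check over the usmUserTable key-change columns. This is an added example, not part of the thread and not code from any SNMP product; the user names, view names and engine ID are constructed, view family masks are omitted, and each securityName is assumed equal to its usmUserName.

```python
# Added example: toy model of the VACM write-view check (RFC 3415) applied to
# the USM key-change columns (RFC 3414). Users, views, engine ID are constructed.
USM_ENTRY = (1, 3, 6, 1, 6, 3, 15, 1, 2, 2, 1)      # usmUserEntry
COLUMN = {"usmUserAuthKeyChange": 6, "usmUserOwnAuthKeyChange": 7,
          "usmUserPrivKeyChange": 9, "usmUserOwnPrivKeyChange": 10}
ENGINE_ID = bytes.fromhex("80001f8880aabbccdd")     # constructed sample

def oid(text):
    return tuple(int(part) for part in text.split("."))

# Write views as (subtree, included) families; family masks are left out.
VIEWS = {
    "secAdmin": [("1.3.6.1.6.3.15", True), ("1.3.6.1.6.3.16", True)],
    "ownKeys": [("1.3.6.1.6.3.15.1.2.2.1.7", True),
                ("1.3.6.1.6.3.15.1.2.2.1.10", True)],
    "locked": [("1.3.6.1", True), ("1.3.6.1.6.3.15", False),
               ("1.3.6.1.6.3.16", False)],
}
# securityName -> write view (stands in for the VACM group and access tables)
WRITE_VIEW = {"admin": "secAdmin", "privUser1": "ownKeys",
              "authUser1": "ownKeys", "guest": "locked"}

def in_view(view_name, target):
    """The matching family with the longest subtree decides."""
    best_len, allowed = -1, False
    for subtree, included in VIEWS[view_name]:
        prefix = oid(subtree)
        if target[:len(prefix)] == prefix and len(prefix) > best_len:
            best_len, allowed = len(prefix), included
    return allowed

def instance_oid(column, user_name):
    """Column instance indexed by usmUserEngineID and usmUserName."""
    name = user_name.encode()
    index = (len(ENGINE_ID), *ENGINE_ID, len(name), *name)
    return USM_ENTRY + (COLUMN[column],) + index

def can_set(requester, column, target_user):
    """True if the requester may SET this key-change object of target_user."""
    if not in_view(WRITE_VIEW[requester], instance_oid(column, target_user)):
        return False                      # VACM: object not in the write view
    if "Own" in column and requester != target_user:
        return False                      # RFC 3414: Own* columns are self-only
    return True

if __name__ == "__main__":
    for who, col, whom in [("admin", "usmUserAuthKeyChange", "authUser1"),
                           ("privUser1", "usmUserAuthKeyChange", "authUser1"),
                           ("privUser1", "usmUserOwnAuthKeyChange", "privUser1")]:
        print(who, col, whom, can_set(who, col, whom))
```

The model takes no account of which auth/priv protocols a user has configured; in full VACM the security level of the request only helps select which access entry, and therefore which view, applies.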

