How to use Perl Net::SNMP v3 authentication with newer SHA (SHA256, SHA512) protocols


Published on - Listed in Perl Monitoring Linux


A couple of months ago I wrote about an SNMP monitoring problem on Check Point firewalls after a Gaia OS upgrade to R81.xx. Long story short: the problem occurred because the monitoring plugin, check_nwc_health, uses Perl's Net::SNMP module (a pure-Perl SNMP implementation, not a binding to the C net-snmp library). As this module hasn't been (officially) updated in a very long time (the last CPAN release, 6.0.1, dates from 2010), it only supports MD5 or SHA-1 as SNMPv3 authentication protocols.

When a Perl script based on Net::SNMP tries to connect using one of the newer SHA-2 protocols (here sha256), the script bails out with an "unknown protocol" error:

$ ./check_nwc_health --hostname TARGET --protocol 3 --username nagios --authpassword secret --authprotocol sha256 --mode list-interfaces
CRITICAL - cannot create session object: The authProtocol "sha256" is unknown

Where are the SNMP authentication protocols defined?

To understand where this error comes from, one needs to take a closer look into the Net::SNMP Perl module. In most Linux distributions this can be installed as a package from the official repositories. On Debian and Ubuntu machines, the package is libnet-snmp-perl.

After this package is installed, the Net::SNMP module itself is /usr/share/perl5/Net/SNMP.pm, and its submodules can be found below /usr/share/perl5/Net/SNMP.

ck@mmint:/usr/share/perl5/Net/SNMP$ ls -la
total 164
drwxr-xr-x 4 root root  4096 Apr  8 14:33 ./
drwxr-xr-x 7 root root  4096 Apr  8 14:33 ../
-rw-r--r-- 1 root root 18397 Jan 27  2019 Dispatcher.pm
-rw-r--r-- 1 root root 51840 Jan 27  2019 Message.pm
-rw-r--r-- 1 root root 13514 Jan 27  2019 MessageProcessing.pm
-rw-r--r-- 1 root root 26880 Jan 27  2019 PDU.pm
drwxr-xr-x 2 root root  4096 Apr  8 14:33 Security/
-rw-r--r-- 1 root root  5651 Jan 27  2019 Security.pm
drwxr-xr-x 4 root root  4096 Apr  8 14:33 Transport/
-rw-r--r-- 1 root root 22787 Jan 27  2019 Transport.pm

Looking for that particular error message (The authProtocol "XXX" is unknown) results in one specific file:

admck@WM2856L:/usr/share/perl5/Net/SNMP$ egrep "The authprotocol .* is unknown" * -rni
Security/USM.pm:770:      return $this->_error('The authProtocol "%s" is unknown', $proto);
Security/USM.pm:1154:         'The authProtocol "%s" is unknown', $this->{_auth_protocol}
Security/USM.pm:1634:         'The authProtocol "%s" is unknown', $this->{_auth_protocol}
Security/USM.pm:1687:            'The authProtocol "%s" is unknown', $this->{_auth_protocol}
Security/USM.pm:1791:         'The authProtocol "%s" is unknown', $this->{_auth_protocol}

The USM.pm file implements the User-based Security Model (USM) of SNMPv3 and is responsible for handling the different authentication protocols. And there are not many options:

admck@WM2856L:/usr/share/perl5/Net/SNMP$ grep "sub AUTH_PROTOCOL" Security/USM.pm
sub AUTH_PROTOCOL_NONE    { '1.3.6.1.6.3.10.1.1.1' } # usmNoAuthProtocol
sub AUTH_PROTOCOL_HMACMD5 { '1.3.6.1.6.3.10.1.1.2' } # usmHMACMD5AuthProtocol
sub AUTH_PROTOCOL_HMACSHA { '1.3.6.1.6.3.10.1.1.3' } # usmHMACSHAAuthProtocol

The official package only supports:

  • NoAuthProtocol
  • MD5AuthProtocol (md5)
  • SHAAuthProtocol (sha)

A patched USM.pm exists

Thanks to research and an additional comment from Gerhard Lausser (the creator and maintainer of check_nwc_health), there exists a manually patched version of USM.pm. The patch was mentioned on an OpenBSD mailing list and submitted by Martijn van Duren in August 2021. His modifications introduce the SHA-2 based authentication protocols (SHA224, SHA256, SHA384, SHA512) that RFC 7860 defines for USM. Unfortunately his patch has (apparently) never made it into the official upstream project.

Once the patched file was copied over /usr/share/perl5/Net/SNMP/Security/USM.pm, Net::SNMP scripts support the newer SHA protocols:

$ ./check_nwc_health --hostname TARGET --protocol 3 --username nagios --authpassword secret --authprotocol sha256 --mode list-interfaces
000001 lo
000002 Intel Corporation Ethernet Connection I354 2
000003 Intel Corporation Ethernet Connection I354 3
000004 Intel Corporation Ethernet Connection I354 4
000005 Intel Corporation Ethernet Connection I354 5
000006 Intel Corporation I211 Gigabit Network Connection 6
000007 Intel Corporation I211 Gigabit Network Connection 7
000008 gre0
000009 gretap0
OK - have fun

For targets still using the SHA-1 authentication protocol, the parameter --authprotocol sha1 (instead of just sha) must be used after the patch; the patched USM.pm expects the unambiguous protocol name.
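As an added example (not code from the original post, nor from check_nwc_health or Net::SNMP itself), the following Perl script ties together the two points above, the AUTH_PROTOCOL_* constants in USM.pm that decide which protocol names are accepted, and the v3 session with a SHA-2 authentication protocol: it opens a Net::SNMP session with the authentication protocol given on the command line and, when the installed module rejects the protocol name, lists the AUTH_PROTOCOL_* constants that the installed Net::SNMP::Security::USM actually defines, so a monitoring host can be checked for the patch without grepping the file by hand. Hostname, user name and password are placeholders (assumptions), as is the script name used in the usage note.

```perl
#!/usr/bin/perl
# Added example, not from the original post, check_nwc_health or Net::SNMP:
# open an SNMPv3 session with a caller-chosen authProtocol and, if the
# installed Net::SNMP does not know that protocol name, report which
# protocols its Net::SNMP::Security::USM actually defines.
use strict;
use warnings;
use Net::SNMP;
use Net::SNMP::Security::USM;

# Placeholders (assumptions): replace with the real target and credentials.
my $host  = $ARGV[0] || 'TARGET';
my $proto = $ARGV[1] || 'sha256';   # 'md5'/'sha' on stock Net::SNMP,
                                    # 'sha1', 'sha256', ... on the patched USM.pm
my $user  = 'nagios';
my $pass  = 'secret';

# Every authentication protocol Net::SNMP knows is a constant sub named
# AUTH_PROTOCOL_* in Net::SNMP::Security::USM that returns the usmAuthProtocol
# OID. Walking the package symbol table makes the list match the installed
# (stock or patched) USM.pm instead of a hard-coded table.
sub supported_auth_protocols {
    no strict 'refs';
    my %oid_by_name;
    for my $sym (sort keys %Net::SNMP::Security::USM::) {
        next unless $sym =~ /^AUTH_PROTOCOL_/;
        next unless defined &{"Net::SNMP::Security::USM::$sym"};
        $oid_by_name{$sym} = &{"Net::SNMP::Security::USM::$sym"}();
    }
    return \%oid_by_name;
}

my ($session, $error) = Net::SNMP->session(
    -hostname     => $host,
    -version      => 'snmpv3',
    -username     => $user,
    -authpassword => $pass,
    -authprotocol => $proto,
    -timeout      => 5,
    -retries      => 1,
);

if (!defined $session) {
    # Same failure the plugin above reports as "cannot create session object".
    print "cannot create session object: $error\n";
    if ($error =~ /authProtocol .* is unknown/i) {
        print "authProtocols defined by the installed USM.pm:\n";
        my $known = supported_auth_protocols();
        printf "  %-28s %s\n", $_, $known->{$_} for sort keys %$known;
        print "RFC 7860 assigns the SHA-2 protocols 1.3.6.1.6.3.10.1.1.4 (SHA224) "
            . "to .7 (SHA512); if only .1 to .3 are listed, this is the stock, "
            . "unpatched USM.pm.\n";
    }
    exit 2;   # Nagios-style CRITICAL
}

# sysDescr.0 is the smallest useful request that proves authentication
# worked; a wrong key or a protocol mismatch shows up here as an error
# (a usmStats* Report-PDU) or as a timeout.
my $result = $session->get_request(-varbindlist => ['1.3.6.1.2.1.1.1.0']);
if (!defined $result) {
    printf "request failed: %s\n", $session->error();
    $session->close();
    exit 2;
}
printf "sysDescr.0 = %s\n", $result->{'1.3.6.1.2.1.1.1.0'};
$session->close();
exit 0;
```

Run it as ./snmpv3-auth-check.pl TARGET sha256. On a stock libnet-snmp-perl it prints the same "authProtocol ... is unknown" error as above, followed by the three OIDs .1 to .3 from the grep output earlier; with the patched USM.pm in place it should list the additional AUTH_PROTOCOL_* constants and, given correct credentials, print sysDescr.0. For SHA-1 targets remember to pass sha1 rather than sha once the patch is installed.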

Download patched USM.pm

To make this easier for (probably) a lot of people, you can download the patched USM.pm here. Two things to keep in mind: USM.pm belongs to the libnet-snmp-perl package, so the next package upgrade overwrites the patched file (keep a copy outside the package directory, or load it from a directory that precedes /usr/share/perl5 in @INC, e.g. via PERL5LIB, and re-run the grep "sub AUTH_PROTOCOL" Security/USM.pm check from above after upgrades). And as with any replacement of a library file on a monitoring host, compare the checksum of the downloaded file with a known-good copy before installing it.

Enjoy.
