AES256 support for SNMP

AldarisPale · 24 February 2020 14:27

Please add AES256 support, because some of devices do not support AES128.
Please note that net-snmp gained AES256 (in addition to stronger ciphers) as of version 5.8 (http://www.net-snmp.org/wiki/index.php/Strong_Authentication_or_Encryption)

One device which supports AES256 and DES, but not AES128, is Kyocera Command Center RX (https://www.kyoceradocumentsolutions.com/asia/en/products/software/business-application/command-center-rx.html), which is a management module for many, many Kyocera MFP’s.

Hans_Erasmus · 27 July 2020 06:37

I have a similar request. I have manually altered the database to allow for sha-256 to test one of my devices, and it seems to work fine. So my question is, how hard will it be to get this functionality fully supported? Some vendors are dropping any other form of SNMP support (due to them seeing some things as security risks) and will have SNMPv3 with SHA-x as minimum from here on forward.

Luis_H · 29 July 2020 20:21

Hans, I would also like to use aes256, can you share the steps you followed to alter the database to allow sha256 to function, it would be nice to have a workaround that everyone can implement until librenms gets updated.

Hans_Erasmus · 30 July 2020 11:41

Hi @Luis_H

I see it is a privacy protocol. Here is a PR I submitted to allow for SHA-x stuff. Unfortunately I did not allow for the privacy protocol stuff. Will hear what the devs say, what I need to do.

github.com/librenms/librenms

Added new authalgo support for SNMPv3

librenms:master ← hanserasmus:snmpv3-extend

opened 09:47AM - 28 Jul 20 UTC

hanserasmus

+98 -12

Some manufacturers are moving towards SNMPv3 where SHA-224/256/384/512 is the mi…nimum allowed. These devices cannot be supported in LibreNMS at the moment. Trying to add support for it. ### Caveats There are 2 conditions that need to be met for these capabilities to work (both need to be met): - net-snmp 5.8 minimum - openssl 1.1 minimum It seems that these two packages are the standard installs on ~~**Ubuntu 18.04**~~ **Ubuntu 20.04** and**CentOS8**. **EDIT**: Ubuntu 18.04.4 with standard repositories only supports up to snmp 5.7.3. However, in the install documentation Ubuntu 20.04 is the Ubuntu version of choice and according to [this](https://packages.ubuntu.com/search?keywords=snmp) site 5.8 is the default for Ubuntu 20.04. Maybe a test when the user clicks on any of the new settings to verify that these two packages are on the correct versions? DO NOT DELETE THE UNDERLYING TEXT #### Please note > Please read this information carefully. You can run `./scripts/pre-commit.php` to check your code before submitting. - [x] Have you followed our [code guidelines?](http://docs.librenms.org/Developing/Code-Guidelines/) - [ ] If my Pull Request does some changes/fixes/enhancements in the WebUI, I have inserted a screenshot of it. #### Testers If you would like to test this pull request then please run: `./scripts/github-apply <pr_id>`, i.e `./scripts/github-apply 5926` After you are done testing, you can remove the changes with `./scripts/github-remove`. If there are schema changes, you can ask on discord how to revert.

Hans_Erasmus · 31 July 2020 08:31

I have added the AES crypto algorithms now as well. Thanks to @SourceDoctor actually. So you should thank him. We are just waiting for reviewers and input. So if you would help test, that would also be great?