How to use Perl Net::SNMP v3 authentication with newer SHA (SHA256, SHA512) protocols

Written by - 0 comments

Published on - Listed in Perl Monitoring Linux


A couple of months ago I wrote about an SNMP monitoring problem on Checkpoint firewalls after a Gaia OS upgrade to R81.xx. Long story short: the problem occurred because the monitoring plugin, check_nwc_health, uses Perl's Net::SNMP module. As this Perl module hasn't been (officially) updated in a very long time, it only supports the MD5 and SHA(1) protocols for SNMPv3 authentication.

When a Perl script based on Net::SNMP tries to connect using a newer SHA protocol (here sha256), the script bails out with an "unknown protocol" error:

$ ./check_nwc_health --hostname TARGET --protocol 3 --username nagios --authpassword secret --authprotocol sha256 --mode list-interfaces
CRITICAL - cannot create session object: The authProtocol "sha256" is unknown

Where are the SNMP authentication protocols defined?

To understand where this error comes from, one needs to take a closer look into the Net::SNMP Perl module. In most Linux distributions this can be installed as a package from the official repositories. On Debian and Ubuntu machines, the package is libnet-snmp-perl.

After this package is installed, the Net::SNMP module can usually be found in /usr/share/perl5/Net/SNMP.

ck@mmint:/usr/share/perl5/Net/SNMP$ ls -la
total 164
drwxr-xr-x 4 root root  4096 Apr  8 14:33 ./
drwxr-xr-x 7 root root  4096 Apr  8 14:33 ../
-rw-r--r-- 1 root root 18397 Jan 27  2019 Dispatcher.pm
-rw-r--r-- 1 root root 51840 Jan 27  2019 Message.pm
-rw-r--r-- 1 root root 13514 Jan 27  2019 MessageProcessing.pm
-rw-r--r-- 1 root root 26880 Jan 27  2019 PDU.pm
drwxr-xr-x 2 root root  4096 Apr  8 14:33 Security/
-rw-r--r-- 1 root root  5651 Jan 27  2019 Security.pm
drwxr-xr-x 4 root root  4096 Apr  8 14:33 Transport/
-rw-r--r-- 1 root root 22787 Jan 27  2019 Transport.pm

Searching the module for that particular error message (The authProtocol "XXX" is unknown) points to one specific file:

admck@WM2856L:/usr/share/perl5/Net/SNMP$ egrep "The authprotocol .* is unknown" * -rni
Security/USM.pm:770:      return $this->_error('The authProtocol "%s" is unknown', $proto);
Security/USM.pm:1154:         'The authProtocol "%s" is unknown', $this->{_auth_protocol}
Security/USM.pm:1634:         'The authProtocol "%s" is unknown', $this->{_auth_protocol}
Security/USM.pm:1687:            'The authProtocol "%s" is unknown', $this->{_auth_protocol}
Security/USM.pm:1791:         'The authProtocol "%s" is unknown', $this->{_auth_protocol}

The USM.pm file is responsible for handling the different authentication protocols. And there are not many options:

admck@WM2856L:/usr/share/perl5/Net/SNMP$ grep "sub AUTH_PROTOCOL" Security/USM.pm
sub AUTH_PROTOCOL_NONE    { '1.3.6.1.6.3.10.1.1.1' } # usmNoAuthProtocol
sub AUTH_PROTOCOL_HMACMD5 { '1.3.6.1.6.3.10.1.1.2' } # usmHMACMD5AuthProtocol
sub AUTH_PROTOCOL_HMACSHA { '1.3.6.1.6.3.10.1.1.3' } # usmHMACSHAAuthProtocol

The official package only supports:

  • NoAuthProtocol
  • MD5AuthProtocol (md5)
  • SHAAuthProtocol (sha)

A patched USM.pm exists

Thanks to some research and an additional comment from Gerhard Lausser (the creator and maintainer of check_nwc_health), there exists a manually patched version of USM.pm. The patch was mentioned on an OpenBSD mailing list and submitted by Martijn van Duren in August 2021. His modifications introduce additional SHA protocols (SHA224, SHA256, SHA384, SHA512) for authentication. Unfortunately his patch has (it seems) never made it into the official upstream project.

Once USM.pm in /usr/share/perl5/Net/SNMP has been manually patched, Net::SNMP scripts support the newer SHA protocols:

$ ./check_nwc_health --hostname TARGET --protocol 3 --username nagios --authpassword secret --authprotocol sha256 --mode list-interfaces
000001 lo
000002 Intel Corporation Ethernet Connection I354 2
000003 Intel Corporation Ethernet Connection I354 3
000004 Intel Corporation Ethernet Connection I354 4
000005 Intel Corporation Ethernet Connection I354 5
000006 Intel Corporation I211 Gigabit Network Connection 6
000007 Intel Corporation I211 Gigabit Network Connection 7
000008 gre0
000009 gretap0
OK - have fun

For targets still using a SHA1 authentication protocol, the parameter --authprotocol sha1 (instead of just sha) must be used after the patch.
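To check which authProtocol names the installed USM.pm actually accepts (before and after patching), here is a small probe script. It is an added example, not code from check_nwc_health or Net::SNMP; the target address 192.0.2.1, the user name and the password are constructed placeholders, and the SHA-2 OIDs listed are those from RFC 7860, which the patched USM.pm has to map the new protocol names to.

```perl
#!/usr/bin/perl
# Probe which SNMPv3 authProtocol names the installed Net::SNMP accepts.
# Added example; not part of check_nwc_health or Net::SNMP itself.
use strict;
use warnings;
use Net::SNMP;

# RFC 7860 OIDs for the SHA-2 protocols. The stock Security/USM.pm stops
# at usmHMACSHAAuthProtocol (.1.1.3); a patched one must add these.
my %rfc7860_oid = (
    sha224 => '1.3.6.1.6.3.10.1.1.4',   # usmHMAC128SHA224AuthProtocol
    sha256 => '1.3.6.1.6.3.10.1.1.5',   # usmHMAC192SHA256AuthProtocol
    sha384 => '1.3.6.1.6.3.10.1.1.6',   # usmHMAC256SHA384AuthProtocol
    sha512 => '1.3.6.1.6.3.10.1.1.7',   # usmHMAC384SHA512AuthProtocol
);

# Returns 'supported' or 'unknown' for one protocol name by letting
# Security/USM.pm validate it while the session object is built.
# Non-blocking mode: no reply is awaited, so this runs without a
# reachable agent. Any error other than "authProtocol ... is unknown"
# (for example a failed discovery) means the name itself was accepted.
sub probe_auth_protocol {
    my ($proto) = @_;
    my ($session, $error) = Net::SNMP->session(
        -hostname     => '192.0.2.1',         # TEST-NET placeholder address
        -version      => 3,
        -nonblocking  => 1,
        -username     => 'nagios',            # placeholder user
        -authpassword => 'constructed-pass',  # placeholder credential
        -authprotocol => $proto,
    );
    return 'unknown' if defined $error && $error =~ /authProtocol .* is unknown/i;
    $session->close() if defined $session;
    return 'supported';
}

# Stock module: md5 and sha only. Patched module: sha1 and the SHA-2 set.
for my $proto (qw(md5 sha sha1 sha224 sha256 sha384 sha512)) {
    my $oid = $rfc7860_oid{$proto} // '';
    printf "%-7s %-9s %s\n", $proto, probe_auth_protocol($proto), $oid;
}
```

On an unpatched libnet-snmp-perl the sha224 through sha512 rows print "unknown", which is the same check that produces the "cannot create session object" message from check_nwc_health above.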

Download patched USM.pm

To make this easier for (probably) a lot of people, you can download the patched USM.pm here.

Enjoy.

