A couple of months ago I wrote about a SNMP monitoring problem on Checkpoint firewalls after a Gaia OS upgrade to R81.xx. Long story short: The problem occurred because the monitoring plugin, check_nwc_health, uses Perl's Net-SNMP module. As this Perl module hasn't been (officially) updated in a very long time, it only supports MD5 or SHA(1) protocols for authentication.
When someone wants to use a Perl script with Net::SNMP and tries to connect using a newer SHA protocol (here sha256), the Perl script bails out with an error of an unknown protocol:
$ ./check_nwc_health --hostname TARGET --protocol 3 --username nagios --authpassword secret --authprotocol sha256 --mode list-interfaces
CRITICAL - cannot create session object: The authProtocol "sha256" is unknown
To understand where this error comes from, one needs to take a closer look into the Net::SNMP Perl module. In most Linux distributions this can be installed as a package from the official repositories. On Debian and Ubuntu machines, the package is libnet-snmp-perl.
After this package is installed, the Net::SNMP module can usually be found in /usr/share/perl5/Net/SNMP.
ck@mmint:/usr/share/perl5/Net/SNMP$ ls -la
total 164
drwxr-xr-x 4 root root 4096 Apr 8 14:33 ./
drwxr-xr-x 7 root root 4096 Apr 8 14:33 ../
-rw-r--r-- 1 root root 18397 Jan 27 2019 Dispatcher.pm
-rw-r--r-- 1 root root 51840 Jan 27 2019 Message.pm
-rw-r--r-- 1 root root 13514 Jan 27 2019 MessageProcessing.pm
-rw-r--r-- 1 root root 26880 Jan 27 2019 PDU.pm
drwxr-xr-x 2 root root 4096 Apr 8 14:33 Security/
-rw-r--r-- 1 root root 5651 Jan 27 2019 Security.pm
drwxr-xr-x 4 root root 4096 Apr 8 14:33 Transport/
-rw-r--r-- 1 root root 22787 Jan 27 2019 Transport.pm
Looking for that particular error message (The authprotocol "XXX" is unknown) results in one specific file:
admck@WM2856L:/usr/share/perl5/Net/SNMP$ egrep "The authprotocol .* is unknown" * -rni
Security/USM.pm:770: return $this->_error('The authProtocol "%s" is unknown', $proto);
Security/USM.pm:1154: 'The authProtocol "%s" is unknown', $this->{_auth_protocol}
Security/USM.pm:1634: 'The authProtocol "%s" is unknown', $this->{_auth_protocol}
Security/USM.pm:1687: 'The authProtocol "%s" is unknown', $this->{_auth_protocol}
Security/USM.pm:1791: 'The authProtocol "%s" is unknown', $this->{_auth_protocol}
The USM.pm file is responsible for handling the different authentication protocols. And there are not many options:
admck@WM2856L:/usr/share/perl5/Net/SNMP$ grep "sub AUTH_PROTOCOL" Security/USM.pm
sub AUTH_PROTOCOL_NONE { '1.3.6.1.6.3.10.1.1.1' } # usmNoAuthProtocol
sub AUTH_PROTOCOL_HMACMD5 { '1.3.6.1.6.3.10.1.1.2' } # usmHMACMD5AuthProtocol
sub AUTH_PROTOCOL_HMACSHA { '1.3.6.1.6.3.10.1.1.3' } # usmHMACSHAAuthProtocol
The official package only supports:
Thanks to research and an additional comment from Gerhard Lausser (the creator and maintainer of check_nwc_health), there exists a manually patched version of USM.pm. The patch was mentioned in a OpenBSD mailing list and submitted by Martijn van Duren in August 2021. His modifications introduce additional SHA protocols (SHA224, SHA256, SHA384, SHA512) for authentication. Unfortunately his patch has never made it to the official upstream project (it seems).
Once /usr/share/perl5/Net/SNMP was manually patched, the Net::SNMP scripts now support the newer SHA protocols:
$ ./check_nwc_health --hostname TARAGET --protocol 3 --username nagios --authpassword secret --authprotocol sha256 --mode list-interfaces
000001 lo
000002 Intel Corporation Ethernet Connection I354 2
000003 Intel Corporation Ethernet Connection I354 3
000004 Intel Corporation Ethernet Connection I354 4
000005 Intel Corporation Ethernet Connection I354 5
000006 Intel Corporation I211 Gigabit Network Connection 6
000007 Intel Corporation I211 Gigabit Network Connection 7
000008 gre0
000009 gretap0
OK - have fun
For targets still using a SHA1 authentication protocol, the parameter --authprotocol sha1 (instead of just sha) must be used after the patch.
To make this easier for (probably) a lot of people, you can download the patched USM.pm here.
Enjoy.
No comments yet.
AWS Android Ansible Apache Apple Atlassian BSD Backup Bash Bluecoat CMS Chef Cloud Coding Consul Containers CouchDB DB DNS Database Databases Docker ELK Elasticsearch Filebeat FreeBSD Galera Git GlusterFS Grafana Graphics HAProxy HTML Hacks Hardware Icinga Icingaweb Icingaweb2 Influx Internet Java KVM Kibana Kodi Kubernetes LVM LXC Linux Logstash Mac Macintosh Mail MariaDB Minio MongoDB Monitoring Multimedia MySQL NFS Nagios Network Nginx OSSEC OTRS Office PGSQL PHP Perl Personal PostgreSQL Postgres PowerDNS Proxmox Proxy Python Rancher Rant Redis Roundcube SSL Samba Seafile Security Shell SmartOS Solaris Surveillance Systemd TLS Tomcat Ubuntu Unix VMWare VMware Varnish Virtualization Windows Wireless Wordpress Wyse ZFS Zoneminder