SNMPv3 - Unsupported authentication protocol

  • Jose Garcia
    Junior Member
    • Apr 2022
    • 9

    #1

    SNMPv3 - Unsupported authentication protocol

    Hello everyone.

    I found a problem when using SNMPv3 in Zabbix 6.

    The problem seems to be that the SNMP interface does not support strong encryption authentication protocols.

    I have searched for information, like:

    The installation of Zabbix has been done from the repositories, following the instructions in the Zabbix download section (<https://www.zabbix.com/download?zabbix=6.0&os_distribution=debian&os_version=11_bullseye&db=postgresql&ws=nginx>).

    My install is:
    • Operating system
      • Debian 11.3
      • No local firewall installed
    • Zabbix
      • zabbix-agent2 1:6.0.3-1+debian11
      • zabbix-frontend-php 1:6.0.3-1+debian11
      • zabbix-nginx-conf 1:6.0.3-1+debian11
      • zabbix-release 1:6.0-1+debian11
      • zabbix-server-pgsql 1:6.0.3-1+debian11
      • zabbix-sql-scripts 1:6.0.3-1+debian11
        • I have tried all versions (6.0.0, 6.0.1, 6.0.2 and 6.0.3). The same thing happens in all of them.
    • SNMP
      • libsnmp-base 5.9+dfsg-3
      • libsnmp40:amd64 5.9+dfsg-3+b1
      • snmpd 5.9+dfsg-3+b1
        • I understand that these SNMP versions already support strong encryption and it is not necessary to recompile any libraries as stated in ZBXNEXT-5718.
    I have also performed numerous tests with other operating systems (several versions of Ubuntu, Raspberry Pi OS, CentOS...) without success.

    My current installation is a single Zabbix 6 server that polls directly to a MikroTik device with SNMPv3, configured correctly (from the server a snmpwalk version 3 is performed without any problem, getting correct data), both are in the same LAN.

    Examples of the output in Zabbix when trying to poll the device are:

    AES192: Unsupported authentication protocol [2].
    AES256: Unsupported authentication protocol [3]
    AES192C: Unsupported authentication protocol [4]
    AES256C: Unsupported authentication protocol [5]


    DES and AES128 work correctly. Only the above encryption is affected.

    I have tried to query different devices (Cisco, MikroTik, Debian servers with SNMPv3...) without success.

    With Zabbix 5 there is no problem with SNMPv3.

    Has anyone else experienced this problem?
    Did I miss any important step in installing Zabbix 6 regarding SNMP?
    Is there any documentation on how to fix it?

    Thank you for your help.
  • Jose Garcia
    Junior Member
    • Apr 2022
    • 9

    #2
    Hello everyone.

    An update on the situation.

    Apparently, the problem is that the snmpd package in Debian (last version, v5.9.1) is compiled in the repository without the flag --enable-blumenthal-aes, which enables strong encryption protocols.

    More information can be found here:

    To try to fix the error, I ran the following code (obtained from here <https://gist.github.com/TimRots/30d0fa3bed96370e57f509942f5050b2>):

    Code:
    #!/usr/bin/env bash
    
    ## compile net-snmp 5.9 with --enable-blumenthal-aes to enable AES-192/AES-256 (Blumenthal draft)
    ## Authentication support: MD5 SHA1 SHA224 SHA254 SHA256 SHA384 SHA512
    ## Encryption support: DES AES128 AES192 AES192C AES256 AES256C AES256C
    
    apt update -y && apt upgrade -y file libperl-dev \
    && wget http://sourceforge.net/projects/net-snmp/files/net-snmp/5.9/net-snmp-5.9.tar.gz \
    && tar xzvf net-snmp-5.9.tar.gz \
    && cd net-snmp-5.9 \
    && CC=gcc ./configure --disable-debugging --disable-manuals --enable-shared --enable-mini-agent --enable-ipv6 --without-rpm --disable-embedded-perl --without-perl-modules --enable-blumenthal-aes --with-default-snmp-version="3" --with-security-modules="usm" --with-sys-location="Unknown" --with-gnu-ld --prefix=/usr --with-logfile="/var/log/snmpd" --with-sys-contact="@@no.where" --with-persistent-directory="/var/net-snmp" \
    && make -j$(nproc) && make install \
    && cd .. \
    && rm -rf net-snmp-5.9 \
    && rm -f net-snmp-5.9.tar.gz \
    && rm -rf /var/lib/apt/lists
    But I get the following error:

    Blumenthal's draft requires OpenSSL with AES functions enabled

    More info here (line 416):

    Same error happens on Ubuntu v20.04.

    On both Debian (v11.3) and Ubuntu, I have the latest version of openssl (v1.1.1) installed.

    Any ideas?


    • Jose Garcia
      Junior Member
      • Apr 2022
      • 9

      #3
      Hello everyone.

      I share the solution to solve the problem for Debian v11.3 and Zabbix v6 (using PostgreSQL as database and NGINX as frontend).

      All credit to Fernando Collado, who showed me how to do it. I only share his solution.

      DON'T DO THIS IN YOUR PRODUCTION ENVIRONMENT!!!

      Install a fresh virtual machine with Debian v11.3 and get from there the .deb packages you will need.

      Let's start.

      As root, edit the file /etc/apt/sources.list and use the following repositories:

      Code:
      deb [arch=amd64] http://ftp.es.debian.org/debian/ bullseye main contrib non-free
      deb-src [arch=amd64] http://ftp.es.debian.org/debian/ bullseye main contrib non-free
      
      deb [arch=amd64] http://ftp.es.debian.org/debian/ bullseye-updates main contrib non-free
      deb-src [arch=amd64] http://ftp.es.debian.org/debian/ bullseye-updates main contrib non-free
      
      deb http://security.debian.org/debian-security/ bullseye-security main
      deb-src http://security.debian.org/debian-security/ bullseye-security main
      
      deb [arch=amd64] http://ftp.debian.org/debian bullseye-backports main
      deb-src [arch=amd64] http://ftp.debian.org/debian bullseye-backports main
      Update and install "sudo":
      Code:
      apt-get update && apt-get install -y sudo
      Insert your unprivileged local user in "/etc/sudoers":

      Example:
      Code:
      user ALL=(ALL:ALL) ALL
      Exit root and from now use sudo to execute commands.

      Install these packages:

      Code:
      sudo apt-get install -y devscripts build-essential make gcc vim libwrap0-dev \
      libssl-dev perl-xs-dev pkg-config libsensors-dev default-libmysqlclient-dev \
      libpci-dev wget
      Add Zabbix v6 repositories:

      Code:
      wget https://repo.zabbix.com/zabbix/6.0/debian/pool/main/z/zabbix-release/zabbix-release_6.0-1+debian11_all.deb
      sudo dpkg -i zabbix-release_6.0-1+debian11_all.deb
      rm zabbix-release_6.0-1+debian11_all.deb
      sudo apt-get update
      SUPER IMPORTANT STEP!!!
      Get the net-snmp packages FROM Debian repositories (NOT from the official website):

      Code:
      sudo apt-get source snmpd
      cd net-snmp-5.9+dfsg
      Insert the line "--enable-blumenthal-aes \" into the file "debian/rules" like this (should be line 56):

      Code:
      --with-mysql \
      --enable-blumenthal-aes \
      --with-defaults
      Compile net-snmp v5.9 (it will take a while...):

      Code:
      sudo debuild -uc -us
      If everything went well, you should have the following .deb packages in your home directory:

      Code:
      cd .. ; ls -l
      libnetsnmptrapd40_5.9+dfsg-3_amd64.deb
      libnetsnmptrapd40-dbgsym_5.9+dfsg-3_amd64.deb
      libsnmp40_5.9+dfsg-3_amd64.deb
      libsnmp40-dbgsym_5.9+dfsg-3_amd64.deb
      libsnmp-base_5.9+dfsg-3_all.deb
      libsnmp-dev_5.9+dfsg-3_amd64.deb
      libsnmp-perl_5.9+dfsg-3_amd64.deb
      libsnmp-perl-dbgsym_5.9+dfsg-3_amd64.deb
      snmp_5.9+dfsg-3_amd64.deb
      snmpd_5.9+dfsg-3_amd64.deb
      snmp-dbgsym_5.9+dfsg-3_amd64.deb
      snmpd-dbgsym_5.9+dfsg-3_amd64.deb
      snmptrapd_5.9+dfsg-3_amd64.deb
      snmptrapd-dbgsym_5.9+dfsg-3_amd64.deb
      tkmib_5.9+dfsg-3_all.deb

      Install the new packages:

      Code:
      sudo dpkg -i \
      libnetsnmptrapd40_5.9+dfsg-3_amd64.deb \
      libsnmp40_5.9+dfsg-3_amd64.deb \
      libsnmp-base_5.9+dfsg-3_all.deb \
      libsnmp-dev_5.9+dfsg-3_amd64.deb \
      libsnmp-perl_5.9+dfsg-3_amd64.deb \
      snmp_5.9+dfsg-3_amd64.deb \
      snmpd_5.9+dfsg-3_amd64.deb \
      snmptrapd_5.9+dfsg-3_amd64.deb \
      tkmib_5.9+dfsg-3_all.deb
      Some dependencies will be broken, so:

      Code:
      sudo apt-get install -y -f
      Finally, compile Zabbix with the new packages (be sure you are downloading Zabbix v6.0.3):

      Code:
      sudo apt-get source zabbix
      cd zabbix-6.0.3
      sudo apt-get build-dep zabbix
      Again, let's wait some time until it finishes, it should be fast this time.

      Do the following:

      Code:
      sudo apt-get install -y libmodbus-dev golang-1.17
      sudo ln -s /usr/lib/go-1.17/bin/go /usr/bin
      sudo debuild -uc -us
      Once again, let's wait until it compiles...

      When finished, you should have the following Zabbix .deb packages:

      zabbix-agent2_6.0.3-1+debian11_amd64.deb
      zabbix-agent2-dbgsym_6.0.3-1+debian11_amd64.deb
      zabbix-agent_6.0.3-1+debian11_amd64.deb
      zabbix-agent-dbgsym_6.0.3-1+debian11_amd64.deb
      zabbix-apache-conf_6.0.3-1+debian11_all.deb
      zabbix-frontend-php_6.0.3-1+debian11_all.deb
      zabbix-get_6.0.3-1+debian11_amd64.deb
      zabbix-get-dbgsym_6.0.3-1+debian11_amd64.deb
      zabbix-java-gateway_6.0.3-1+debian11_all.deb
      zabbix-js_6.0.3-1+debian11_amd64.deb
      zabbix-js-dbgsym_6.0.3-1+debian11_amd64.deb
      zabbix-nginx-conf_6.0.3-1+debian11_all.deb
      zabbix-proxy-mysql_6.0.3-1+debian11_amd64.deb
      zabbix-proxy-mysql-dbgsym_6.0.3-1+debian11_amd64.deb
      zabbix-proxy-pgsql_6.0.3-1+debian11_amd64.deb
      zabbix-proxy-pgsql-dbgsym_6.0.3-1+debian11_amd64.deb
      zabbix-proxy-sqlite3_6.0.3-1+debian11_amd64.deb
      zabbix-proxy-sqlite3-dbgsym_6.0.3-1+debian11_amd64.deb
      zabbix-sender_6.0.3-1+debian11_amd64.deb
      zabbix-sender-dbgsym_6.0.3-1+debian11_amd64.deb
      zabbix-server-mysql_6.0.3-1+debian11_amd64.deb
      zabbix-server-mysql-dbgsym_6.0.3-1+debian11_amd64.deb
      zabbix-server-pgsql_6.0.3-1+debian11_amd64.deb
      zabbix-server-pgsql-dbgsym_6.0.3-1+debian11_amd64.deb
      zabbix-sql-scripts_6.0.3-1+debian11_all.deb
      zabbix-web-service_6.0.3-1+debian11_amd64.deb

      That's your new Zabbix with SNMPv3 strong encryption support.

      Choose the packages you need for your production environment from the brand new net-snmp packages you compiled before (DO NOT INSTALL ANY net-snmp PACKAGES FROM DEBIAN REPOSITORIES NOW, IF ANY, PURGE IT).

      Remember, the packages are:

      libnetsnmptrapd40_5.9+dfsg-3_amd64.deb
      libsnmp40_5.9+dfsg-3_amd64.deb
      libsnmp-base_5.9+dfsg-3_all.deb
      libsnmp-dev_5.9+dfsg-3_amd64.deb
      libsnmp-perl_5.9+dfsg-3_amd64.deb
      snmp_5.9+dfsg-3_amd64.deb
      snmpd_5.9+dfsg-3_amd64.deb
      snmptrapd_5.9+dfsg-3_amd64.deb
      tkmib_5.9+dfsg-3_all.deb

      If you already had a running Zabbix v6 (probably you have if you are reading this), purge the net-snmp packages installed in your system, install the new ones you compiled and install the new Zabbix packages, too.
      All dependencies should be right, so it won't be a problem and you only need to restart your services to make it work.

      If Zabbix is not yet installed in your system, let's do it.

      For this example, you will need to install some of your new compiled packages:

      Code:
      sudo dpkg -i \
      libnetsnmptrapd40_5.9+dfsg-3_amd64.deb \
      libsnmp40_5.9+dfsg-3_amd64.deb \
      libsnmp-base_5.9+dfsg-3_all.deb \
      libsnmp-dev_5.9+dfsg-3_amd64.deb \
      libsnmp-perl_5.9+dfsg-3_amd64.deb \
      snmp_5.9+dfsg-3_amd64.deb \
      snmpd_5.9+dfsg-3_amd64.deb \
      snmptrapd_5.9+dfsg-3_amd64.deb \
      tkmib_5.9+dfsg-3_all.deb \
      zabbix-agent2_6.0.3-1+debian11_amd64.deb \
      zabbix-frontend-php_6.0.3-1+debian11_all.deb \
      zabbix-get_6.0.3-1+debian11_amd64.deb \
      zabbix-nginx-conf_6.0.3-1+debian11_all.deb \
      zabbix-sender_6.0.3-1+debian11_amd64.deb \
      zabbix-server-pgsql_6.0.3-1+debian11_amd64.deb \
      zabbix-sql-scripts_6.0.3-1+debian11_all.deb
      Fix dependencies (CAREFUL HERE, be sure no net-snmp packages from Debian repositories are being installed now and every needed package for Zabbix is listed, check it twice):
      Code:
      sudo apt-get install -f
      A problem occurs here, one necessary package is not installed automatically, so:
      Code:
      sudo apt-get install -y php7.4-pgsql
      Remember to install and create your PostgreSQL database and edit the Zabbix configuration files, too!

      Remove this file to access the configuration frontend:
      Code:
      sudo rm /etc/nginx/sites-enabled/default
      Start and enable services:
      Code:
      sudo systemctl start zabbix-server zabbix-agent2 nginx php7.4-fpm
      sudo systemctl enable zabbix-server zabbix-agent2 nginx php7.4-fpm
      Access the Zabbix frontend and finish configuration.

      Finally, you should have support for strong encryption using SNMPv3.

      Hope this helps you!

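An added example, not part of the original posts: a shell helper that makes the `debian/rules` edit from post #3 repeatable instead of hand-editing line 56, plus a check on the configure options of an installed net-snmp. The function names and the script name are hypothetical; it assumes the `--with-mysql \` line shown in the post and, for the second check, that `net-snmp-config` (shipped in libsnmp-dev) is installed.

```shell
#!/usr/bin/env bash
# Added example; function names are hypothetical, not from the thread.
FLAG='--enable-blumenthal-aes'

# Insert the flag after the "--with-mysql \" line of debian/rules, copying
# that line's indentation. Idempotent: a file that already has the flag is
# left untouched. Returns 1 if the file or the anchor line is missing.
enable_blumenthal() {
    rules=$1
    [ -r "$rules" ] || return 1
    grep -q -- "$FLAG" "$rules" && return 0
    grep -q -- '--with-mysql[[:space:]]*\\$' "$rules" || return 1
    tmp=$(mktemp) || return 1
    # cat back into the original so debian/rules keeps its executable bit.
    awk -v flag="$FLAG" '
        { print }
        /--with-mysql[ \t]*\\$/ && !done {
            match($0, /^[ \t]*/)
            printf "%s%s \\\n", substr($0, 1, RLENGTH), flag
            done = 1
        }' "$rules" > "$tmp" && cat "$tmp" > "$rules"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# True if a configure-options string contains the flag. Feed it the output of
# `net-snmp-config --configure-options` to check the installed net-snmp build.
built_with_blumenthal() {
    case " $1 " in
        *"$FLAG"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: ./enable-blumenthal.sh net-snmp-5.9+dfsg/debian/rules
if [ $# -gt 0 ]; then
    enable_blumenthal "$1" || { echo "could not patch $1" >&2; exit 1; }
    if command -v net-snmp-config >/dev/null 2>&1; then
        built_with_blumenthal "$(net-snmp-config --configure-options)" \
            && echo "installed net-snmp: AES-192/256 enabled" \
            || echo "installed net-snmp: AES-192/256 NOT enabled"
    fi
fi
```

Run it before `debuild`; running the check again after installing the rebuilt packages confirms that the library in use is the one built with the flag rather than a repository copy pulled back in by `apt-get install -f`.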