From 38de49ca30aab29ea51438b27cb50135eaa6e700 Mon Sep 17 00:00:00 2001 From: Jellyfrog Date: Wed, 10 Feb 2021 14:57:12 +0100 Subject: [PATCH] Correct check for SNMPv3 SHA-192/256 compability (#12494) * Correct check for SNMPv3 SHA-192/256 compability * fixup * fixup --- doc/Support/FAQ.md | 17 ++++++++------- includes/common.php | 13 ++++++++---- includes/html/pages/addhost.inc.php | 22 ++++++++++---------- includes/html/pages/device/edit/snmp.inc.php | 22 ++++++++++---------- 4 files changed, 40 insertions(+), 34 deletions(-) diff --git a/doc/Support/FAQ.md b/doc/Support/FAQ.md index 8ca0831fb7..cf6fe40981 100644 --- a/doc/Support/FAQ.md +++ b/doc/Support/FAQ.md @@ -66,7 +66,7 @@ You have two options for adding a new device into LibreNMS. to the directory of your LibreNMS install and typing (be sure to put the correct details). -```ssh +```bash ./addhost.php [community] [v1|v2c] [port] [udp|udp6|tcp|tcp6] ``` @@ -318,7 +318,7 @@ architecture then the following steps should be all that's needed: - and import it into your new server (`mysql -u root -p librenms < librenms.sql`). - Copy the `rrd/` folder to the new server. - Copy the `.env` and `config.php` files to the new server. -- Check for modified files (eg specific os, ...) with `git status` and +- Check for modified files (eg specific os, ...) with `git status` and migrate them. - Ensure ownership of the copied files and folders (substitute your user if necessary) - `chown -R librenms:librenms /opt/librenms` 
@@ -369,7 +369,7 @@ adding to /etc/snmp/snmpd.conf : ## What does mean \"ignore alert tag\" on device, component, service and port? Tag device, component, service and port to ignore alerts. Alert checks will still run. -However, ignore tag can be read in alert rules. For example on device, if `devices.ignore = 0` +However, ignore tag can be read in alert rules. For example on device, if `devices.ignore = 0` or `macros.device = 1` condition is is set and ignore alert tag is on, the alert rule won't match. The alert rule is ignored. 
@@ -601,17 +601,17 @@ To view a prediction: You should now see a linear prediction line on the graph. ## How do I move only the DB to another server? -There is already a reference how to move your whole LNMS installation to another server. But the following steps will help you to split up an "All-in-one" installation to one LibreNMS installation with a separate database install. +There is already a reference how to move your whole LNMS installation to another server. But the following steps will help you to split up an "All-in-one" installation to one LibreNMS installation with a separate database install. *Note: This section assumes you have a MySQL/MariaDB instance - Stop the apache and mysql service in you LibreNMS installation. -- Edit out all the cron entries in `/etc/cron.d/librenms`. +- Edit out all the cron entries in `/etc/cron.d/librenms`. - Dump your `librenms`database on your current install by issuing `mysqldump librenms -u root -p > librenms.sql`. - Stop and disable the MySQL server on your current install. - On your new server make sure you create a new database with the standard install command, no need to add a user for localhost though. - Copy this over to your new database server and import it with `mysql -u root -p librenms < librenms.sql`. - Enter to mysql and add permissions with the following two commands: -``` +```sql GRANT ALL PRIVILEGES ON librenms.* TO 'librenms'@'IP_OF_YOUR_LNMS_SERVER' IDENTIFIED BY 'PASSWORD' WITH GRANT OPTION; GRANT ALL PRIVILEGES ON librenms.* TO 'librenms'@'FQDN_OF_YOUR_LNMS_SERVER' IDENTIFIED BY 'PASSWORD' WITH GRANT OPTION; FLUSH PRIVILEGES; 
@@ -619,7 +619,8 @@ exit; ``` - Enable and restart MySQL server. - Edit your `config.php` file to point the install to the new database server location. -- **Very important**: On your LibreNMS server, inside your install directory is a `.env` file, in it you need to edit the `DBHOST` paramater to point to your new server location. +- **Very important**: On your LibreNMS server, inside your install directory is a `.env` file, in it you need to edit the `DBHOST` paramater to point to your new server location. - After all this is done, enable all the cron entries again and start apache. ## What are the "optional requirements message" when I add SNMPv3 devices? -When you add a device via the WebUI you may see a little message stating "Optional requirements are not met so some options are disabled". Do not panic. This simply means your system does not contain **openssl >= 1.1** and **net-snmp >= 5.8**, which are the minimum specifications needed to be able to use AES-192,AES-256 as crypto algorithms and SHA-224|256|384|512 as auth algorithms. +When you add a device via the WebUI you may see a little message stating "Optional requirements are not met so some options are disabled". Do not panic. This simply means your system does not contain **openssl >= 1.1** and **net-snmp >= 5.8**, which are the minimum specifications needed to be able to use SHA-224|256|384|512 as auth algorithms. +For crypto algorithms AES-192, AES-256 you need **net-snmp** compiled with `--enable-blumenthal-aes`. diff --git a/includes/common.php b/includes/common.php index e01ff80c84..58baf4135e 100644 --- a/includes/common.php +++ b/includes/common.php 
@@ -799,15 +799,20 @@ function version_info($remote = false) }//end version_info() /** - * checks if System is SNMPv3 SHA2 Capable for Auth Algorithms (SHA-224,SHA-256,SHA-384,SHA-512) - * @return bool + * Checks SNMPv3 capabilities + * + * SHA2 for Auth Algorithms (SHA-224,SHA-256,SHA-384,SHA-512) + * AES-192, AES-256 for Privacy Algorithms */ -function snmpv3_sha2_capable() +function snmpv3_capabilities(): array { $process = new Process([Config::get('snmpget', 'snmpget'), '--help']); $process->run(); - return Str::contains($process->getErrorOutput(), 'SHA-512'); + $ret['sha2'] = Str::contains($process->getErrorOutput(), 'SHA-512'); + $ret['aes256'] = Str::contains($process->getErrorOutput(), 'AES-256'); + + return $ret; } /** diff --git a/includes/html/pages/addhost.inc.php b/includes/html/pages/addhost.inc.php index 95648fb3a7..e463df0704 100644 --- a/includes/html/pages/addhost.inc.php +++ b/includes/html/pages/addhost.inc.php @@ -190,7 +190,7 @@ foreach (get_port_assoc_modes() as $mode) { echo " \n"; } -$snmpv3_sha2_capable = snmpv3_sha2_capable(); +['sha2' => $snmpv3_sha2, 'aes256' => $snmpv3_aes256] = snmpv3_capabilities(); ?> @@ -242,13 +242,13 @@ $snmpv3_sha2_capable = snmpv3_sha2_capable(); - - + + @@ -263,12 +263,12 @@ $snmpv3_sha2_capable = snmpv3_sha2_capable();
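Review bot: `snmpv3_capabilities()` reports both `sha2` and `aes256` as false whenever `snmpget --help` yields no stderr text (binary missing, wrong `snmpget` path in the config, or a failed start), so a misconfiguration looks exactly like a build without SHA-2/AES-256, and the forms presumably fall back to offering only the weaker auth and privacy algorithms. Logging or surfacing the empty-output case would let an operator tell the two apart. The docblock also lost its `@return` even though both callers destructure by key; I would add `@return array{sha2: bool, aes256: bool}` and note that the single `aes256` key appears to gate AES-192 as well. `$ret` is written without being initialised and stderr is fetched twice; `$help = $process->getErrorOutput();` followed by `return ['sha2' => Str::contains($help, 'SHA-512'), 'aes256' => Str::contains($help, 'AES-256')];` is tidier.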
- - + +
diff --git a/includes/html/pages/device/edit/snmp.inc.php b/includes/html/pages/device/edit/snmp.inc.php index 8a11a35302..c66b6f5363 100644 --- a/includes/html/pages/device/edit/snmp.inc.php +++ b/includes/html/pages/device/edit/snmp.inc.php @@ -301,7 +301,7 @@ foreach (get_port_assoc_modes() as $pam_id => $pam) { echo ">$pam\n"; } -$snmpv3_sha2_capable = snmpv3_sha2_capable(); +['sha2' => $snmpv3_sha2, 'aes256' => $snmpv3_aes256] = snmpv3_capabilities(); echo " @@ -360,14 +360,14 @@ echo " '; -if (! $snmpv3_sha2_capable) { - echo ''; +if (! $snmpv3_sha2) { + echo ''; } echo " @@ -383,13 +383,13 @@ if (! $snmpv3_sha2_capable) {
"; -if (! $snmpv3_sha2_capable) { - echo ''; +if (! $snmpv3_aes256) { + echo ''; } echo '