How to decrease passphrase length for snmp? - snmp

We got this error when running this command:
[cacti ~]$ snmpwalk -v 3 -a MD5 -u super -x AES -X AAAAAA 10.X.X.X
2011-01-20 16:58:12 Error: passphrase chosen is below the length requirements of the USM (min=8).
2011-01-20 16:58:12 snmpwalk: (The supplied password length is too short.)
Error generating a key (Ku) from the supplied privacy pass phrase.
Do you have any idea how to decrease the USM's length parameter? We can't change the password, which is under 8 characters.

You are fighting the IETF RFC if you insist on using a short passphrase:
https://www.rfc-editor.org/rfc/rfc3414
If the Appendix A algorithm is used, SNMP implementations (and SNMP
configuration applications) must ensure that passwords are at least 8
characters in length.
This is a standard, so your only choice is to use a long enough passphrase.
For AES, the recommended passphrase length is 12:
http://www.ietf.org/rfc/rfc3826.txt
The following are recommended in regard to user passwords:
Password length SHOULD be at least 12 octets.
Password sharing SHOULD be prohibited so that passwords are not
shared among multiple SNMP users.
Implementations SHOULD support the use of randomly generated
passwords as a stronger form of security.
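To see where that "min=8" check sits, here is an added Python implementation of the RFC 3414 Appendix A password-to-key and key-localization steps (my example, not code from the question, from net-snmp or from the RFC). The USM minimum and the RFC 3826 recommendation for AES users are written as checks, and the sample password and engine ID are the RFC's own Appendix A.3 values.

```python
import hashlib

ONE_MIB = 1048576  # RFC 3414 A.2: the password is fed to the hash repeatedly, 1,048,576 octets in total

def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 Appendix A.2 password-to-key: returns Ku (16 bytes for MD5, 20 for SHA-1).

    The length check is the one behind snmpwalk's "min=8" error: the standard
    requires at least 8 octets of password before Ku is derived at all.
    """
    if len(password) < 8:
        raise ValueError("passphrase chosen is below the length requirements of the USM (min=8)")
    # Repeat the password until exactly 1 MiB has been hashed.
    stream = (password * (ONE_MIB // len(password) + 1))[:ONE_MIB]
    return hashlib.new(hash_name, stream).digest()

def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.2.1 / A.2.2: Kul = H(Ku || snmpEngineID || Ku), binding the key to one agent."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()

def usm_localized_key(password: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)

def meets_recommendation(password: bytes, privacy: str) -> bool:
    """RFC 3414 hard minimum is 8 octets; RFC 3826 recommends at least 12 when AES is in use."""
    minimum = 12 if privacy.lower() == "aes" else 8
    return len(password) >= minimum

if __name__ == "__main__":
    # RFC 3414 Appendix A.3 sample input: password "maplesyrup", engine ID 00 00 ... 00 02
    engine = bytes(11) + b"\x02"
    print("Ku :", password_to_key(b"maplesyrup").hex())
    print("Kul:", usm_localized_key(b"maplesyrup", engine).hex())
```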

Related

Secure Reliable Transport (SRT) passphrase & latency parameter setting

Hope you all are doing well.
I am trying to set parameters like passphrase and latency in an SRT URL. But I need to know whether, when setting the passphrase parameter, it is also necessary to set the pbkeylen value. If yes, then what is the purpose of the pbkeylen parameter in relation to the passphrase? Or what is the role of pbkeylen in that SRT URL?
Thank you.
As described in the documentation, pbkeylen defines the key size used for the AES encryption. It is independent of the passphrase.
It is not necessary to set it; it will default to 16 bytes (128-bit), or to whatever the other end of the connection sends in the handshake if it has been set there.

Format of snmpwalk instruction

I'm working with SNMP and was given a command to use. However, I'm trying to break it down into its components so I can understand if I need to change anything. I've found documentation on pretty much everything except for the last part.
The command has this structure:
snmpwalk -v 2c -c communityname address.com .1
From my understanding the meaning of this structure is:
snmpwalk - command
-v 2c - specifies that the version is 2c, options are 1, 2c, 3
-c communityname - specifies the community name, which is like a password to an extent
address.com - the address of the computer in question
.1 - What is this? I can't seem to find much documentation on it.
man snmpwalk and snmpwalk -h should give you the info you need on the various parameters.
The .1 is the OID and it is an optional parameter to that command, and it pinpoints a point in the hierarchical SNMP MIB on the SNMP agent host. The walk will retrieve all OIDs "below" that point.
Have a read at http://www.net-snmp.org and get an SNMP book to learn about SNMP, MIBs and OIDs; but quoting from the SNMP Wikipedia article:
SNMP itself does not define which information (which variables) a
managed system should offer. Rather, SNMP uses an extensible design,
where the available information is defined by management information
bases (MIBs). MIBs describe the structure of the management data of a
device subsystem; they use a hierarchical namespace containing object
identifiers (OID). Each OID identifies a variable that can be read or
set via SNMP.
EDIT: Here is an image to show the OID tree with ".1", i.e. ISO, just below the root.

Windows DHCP client hostname encoding

Recently I have been trying to save a list of hostnames from captured DHCP packets. I have found out that every DHCP hostname (option 12) should have the form defined in RFC 1035. So if I understand it correctly, the hostname should be encoded in 7-bit ASCII and have other restrictions like:
- the name should not start with a digit and should omit some forbidden characters.
Almost every device I have encountered in packets fulfils this constraint, but not Windows devices (Vendor ID MSFT 5.0). IMHO the Windows DHCP client takes the computer (mobile) name and fills it into the hostname option.
The problem occurs when the computer name is set, for example, to "Lukáš-PC". Wireshark displays this hostname as Luk\240\347-PC (240 and 347 are numbers in octal). To see for myself I have printed the values in the packets with printf("%hhu", c) (C language).
á = 160
š = 231
IMHO this is a simple char variable overflow. I tried to deduce the original value from the overflowed value, but I haven't found any relation between the character and known encodings. So my questions are:
Is there any way to convert these values back to original?
If yes, what was original character encoding, when overflow happened?
Thanks.
Default char is usually signed, and is extended to int when passed to a variadic function. To ensure that it is printed unsigned, use printf("%hhu", c) or printf("%d", (unsigned char)c).
The correct encoding is impossible to know because it depends on each system's settings.
Note that any compliant systems MUST encode names according to RFC 3490, but Windows seems to enjoy violating standards.
The characters á and š that you are seeing are encoded using code page 852 (Latin-2 - Central European languages).
Unfortunately there is no simple way to figure out the encoding used only by looking at DHCP requests. In principle the DHCP client can use any code page it wants. If you are working in a private/controlled network, then it is probably safe to assume that all clients are using the same code page and explicitly encode the strings using that particular code page.
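An added Python example (my code, not from either answer) that pulls the threads above together: it checks an option 12 value against the RFC 1035 name syntax, reproduces Wireshark's backslash-octal rendering, undoes the signed-char extension, and decodes the raw octets with a code page chosen per network. The cp852 default and the sample bytes for "Lukáš-PC" are assumptions taken from the discussion above.

```python
import re

# RFC 1035 section 2.3.1 "preferred name syntax": labels of letters, digits and hyphens,
# starting with a letter, not ending with a hyphen, at most 63 octets each.
LABEL_RE = re.compile(r"^[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

def rfc1035_hostname_ok(name: str) -> bool:
    """True when every label of the name follows the RFC 1035 preferred syntax (7-bit ASCII)."""
    if not name or not name.isascii():
        return False
    return all(len(label) <= 63 and LABEL_RE.match(label) for label in name.split("."))

def wireshark_display(raw: bytes) -> str:
    """Render non-ASCII octets the way Wireshark shows them: a backslash plus the octal value."""
    return "".join(chr(b) if b < 0x80 else f"\\{b:o}" for b in raw)

def to_unsigned(c: int) -> int:
    """Undo the sign extension of a signed C 'char' (e.g. -96 -> 160, -25 -> 231)."""
    return c & 0xFF

def decode_option12(raw: bytes, legacy_codepage: str = "cp852") -> str:
    """Decode a DHCP option 12 value.

    Pure ASCII is what RFC 1035 expects and decodes unambiguously. Anything else is
    interpreted with the code page assumed for this network; cp852 is an assumption
    (the OEM code page of Central European Windows), since the answer above notes
    that the client's code page cannot be read from the packet itself.
    """
    try:
        return raw.decode("ascii")
    except UnicodeDecodeError:
        return raw.decode(legacy_codepage)

# Constructed sample: the option 12 payload a Windows client would send for "Lukáš-PC"
SAMPLE_OPTION12 = b"Luk\xa0\xe7-PC"

if __name__ == "__main__":
    print(wireshark_display(SAMPLE_OPTION12))          # Luk\240\347-PC
    print(decode_option12(SAMPLE_OPTION12))            # Lukáš-PC
    print(rfc1035_hostname_ok(decode_option12(SAMPLE_OPTION12)))  # False
```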

How to query version of an OpenPGP public key

While reading RFC 4880 for OpenPGP, I read about version 3 and version 4 of OpenPGP keys. I do not understand what these versions mean other than specifying the packet format.
How can I find out the version of a key? I know for code we can use Bouncy Castle's PGPPublicKey's getVersion(), but is there any command like keytool which I can use?
There is not a lot of difference between version 3 and 4 OpenPGP key packets, even the format is very similar. In version 4, the validity period was moved to special signatures, and fingerprint calculation changed. In detail, the changes (and formats) are described in OpenPGP, RFC 4880, 5.5.2. Public-Key Packet Formats. For signature packets, the differences are more significant.
To find the packet version with ready-built tools, use gpg --list-packets or pgpdump, for example:
$ gpg --export a4ff2279 | gpg --list-packets
:public key packet:
version 4, algo 1, created 1356475387, expires 0
pkey[0]: [8192 bits]
pkey[1]: [17 bits]
keyid: 4E1F799AA4FF2279
[snip]
OpenPGP version 3 keys have been deprecated for quite a while now, and are rarely seen in use.
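As an added example (my code, not part of the answer or of GnuPG), the following Python reads the version byte and the other fields gpg --list-packets prints straight from a public-key packet, and for v4 keys computes the fingerprint from which the key id is taken. The sample packet is constructed with toy-sized MPIs and is not a real key.

```python
import hashlib
import struct

def read_packet(data: bytes):
    """Parse one OpenPGP packet header (RFC 4880 section 4.2) and return (tag, body)."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:                              # new-format header
        tag, b0 = first & 0x3F, data[1]
        if b0 < 192:
            hlen, blen = 2, b0
        elif b0 < 224:
            hlen, blen = 3, ((b0 - 192) << 8) + data[2] + 192
        elif b0 == 255:
            hlen, blen = 6, struct.unpack(">I", data[2:6])[0]
        else:
            raise ValueError("partial body lengths not handled here")
    else:                                         # old-format header
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not handled here")
        hlen = 1 + (1 << ltype)
        blen = int.from_bytes(data[1:hlen], "big")
    return tag, data[hlen:hlen + blen]

def public_key_info(packet: bytes) -> dict:
    """Read a public-key packet (RFC 4880 5.5.2) the way gpg --list-packets reports it."""
    tag, body = read_packet(packet)
    if tag not in (6, 14):                        # 6 = public key, 14 = public subkey
        raise ValueError(f"tag {tag} is not a public-key packet")
    version = body[0]
    if version == 4:
        created, algo = struct.unpack(">IB", body[1:6])
        nbits = struct.unpack(">H", body[6:8])[0]   # bit length of the first MPI (RSA n)
        # v4 fingerprint: SHA-1 over 0x99, two-octet body length, body; long key id = last 16 hex digits
        fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
    elif version == 3:                            # v3 still carries the validity period in the packet
        created, _validity_days, algo = struct.unpack(">IHB", body[1:8])
        nbits = struct.unpack(">H", body[8:10])[0]
        fpr = None                                # v3 fingerprints are MD5 over the MPI bodies
    else:
        raise ValueError(f"unsupported key packet version {version}")
    return {"version": version, "algo": algo, "created": created, "bits": nbits,
            "fingerprint": fpr, "short_id": fpr[-8:] if fpr else None}

def mpi(n: int) -> bytes:   # OpenPGP MPI: two-octet bit count, then big-endian magnitude
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")
# Constructed sample (not a real key): v4 RSA packet, toy MPIs, old-format header 0x99 as gpg --export emits
SAMPLE_BODY = b"\x04" + struct.pack(">IB", 1356475387, 1) + mpi(0xC5E3B7A1D0F1) + mpi(65537)
SAMPLE_PACKET = b"\x99" + struct.pack(">H", len(SAMPLE_BODY)) + SAMPLE_BODY
```

Feeding the bytes of gpg --export through public_key_info gives the same "version 4, algo 1, created ..." fields the listing above shows, plus the fingerprint whose last 8 hex digits are the short key id.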

How to simulate keypress in script? [GPG expert key generation]

How do I make a Batch (or C/C++) script (running a gpg command hundreds of times) that is able to simulate the following keyboard input (and being intelligent enough to wait for input to be asked)?
8↵
S↵E↵Q↵
4096↵
0↵y↵
Jean Dupont↵
↵
born 1970-01-01 in Paris, France↵
O↵
correct horse battery staple↵
correct horse battery staple↵
I would like to generate myself a PGP keypair (for private communication), but I wish for the key's short id to be easy to remember, like FFFFFFFE for example.
The short id of a PGP key is the last 8 characters of its fingerprint. For your information, the fingerprint of a PGP key is a checksum (historically, SHA-1).
My wishes for the generated PGP key are the following:
Its short id (see above) must be easy to remember.
I want my key to be “unusual” so I have to use --expert mode.
By default, a generated key can both encrypt (E) and sign other people’s keys (C, “cert”), but I want mine to only sign other people’s keys.
Okay. So, I guess my solution for getting a “custom” key id is to generate lots of them (beware, I believe global entropy gets very diminished if you do that), and choose the one that I like most (like when your phone provider allows you to choose your future phone number in a list).
What I tried
By reading that page in the doc, I thought I could use gpg --batch --expert --gen-key gpg-keygen-settings.txt, with the following settings file:
Key-Type: RSA
Key-Length: 4096
Key-Usage: cert
Name-Real: Jean Dupont
Name-Comment: born 1970-01-01 in Paris, France
Expire-Date: 0
Passphrase: correct horse battery staple
%commit
%echo Done.
BUT it will not let me create a key whose usage is only to sign other people’s keys (cert). Indeed, the documentation says (for Key-Usage) that “Allowed values are ‘encrypt’, ‘sign’, and ‘auth’”. cert is the default, but using a blank Key-Usage field doesn’t work either.
What I believe I must do
I think there is no way for me to generate all those keys with the settings I want other than simulating key generation as if a real person were interactively running GPG's shell.
Here is an excerpt of what must be done:
C:\> gpg --gen-key --expert
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
Your selection? 8
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection?
[…]
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh#duesseldorf.de>"
Real name: […]
[…]
So, uh.
Thank you very much.
Weird request, I know. Chuckles
Well, I didn’t find the solution I was looking for (something I could make run in background, not buggy, etc.)—and I am still open, for my personal culture, to better solutions and answers.
Anyway, here is the AutoHotkey script I came up with. Very dirty. I coded a bit, then gave up and used the AutoScriptWriter tool to record a macro, and adapted the code to suit my needs (haha). The most annoying thing was to learn how to interact with GPG-Agent (pinentry).
Loop 100
{
Run, cmd.exe /k "gpg --expert --gen-key"
WinWait, C:\Windows\SYSTEM32\cmd.exe - gpg --expert --gen-key,
IfWinNotActive, C:\Windows\SYSTEM32\cmd.exe - gpg --expert --gen-key, , WinActivate, C:\Windows\SYSTEM32\cmd.exe - gpg --expert --gen-key,
WinWaitActive, C:\Windows\SYSTEM32\cmd.exe - gpg --expert --gen-key,
Sleep 1500
Send +8{Enter}
Send S{Enter}C{Enter}Q{Enter}
Send +4+0+9+6{Enter}
Send +0{Enter}o{Enter}
Send Jean Dupont{Enter}
Send {Enter}
Send born {Shift Down}1970{Shift Up}6{Shift Down}01{Shift Up}6{Shift Down}01{Shift Up} in Paris, France{Enter}O{Enter}
; The "6" keypress above is to make a - on French AZERTY keyboards.
WinWait, pinentry,
IfWinNotActive, pinentry, , WinActivate, pinentry,
WinWaitActive, pinentry,
Send, correct horse battery staple{ENTER}
Sleep 1500
Send, correct horse battery staple{ENTER}
Sleep 10000
;Send exit{Enter}
}
This little script allowed me to get a bucketload of keys, one of which has a short id I like.
