From: Gregory (Grisha) Trubetskoy (grisha_at_ispol.com)
Date: Fri 04 Jun 2004 - 15:15:31 BST

IMHO snmp is very complex by design and as a consequence of that is a
significant security threat. If I was a potential customer of yours and you
insisted that I must run snmpd in my server, I'd balk.

There are probably ways to accomplish anything you do via snmp by other
means. E.g. to count bits in and out, I found that using iptables (as
described in Paul Sladen's Vserver FAQ) works great.

As to handling authentication, it's not hard to verify the user's password
against the hash in their passwd file. Here is the source for a little
program that we use:

You give this program one argument, the root of the vserver, pipe
"userid:password" to its stdin, and its exit code will tell you whether
the credentials are satisfied. It has to be a setuid program if you're
going to be running it from a webserver (which I'm assuming isn't running

On Fri, 4 Jun 2004, Dennis Roos wrote:
> I've been working on a web-based vserver administration application
> and I've been thinking about a way to run certain tasks on the host
> machine. The tasks involve: stopping/starting the vserver, deploying
> (in my case using rsync) new vservers and configs.
> I started on an implementation with a php based daemon, but that
> would mean I'd have to handle authentication, implement a protocol,
> calling various sub-applications from the daemon, etc.
> This gave me a lot of headaches :)
> At the moment I am monitoring our vserver installations using SNMP
> and started thinking of the idea of using the SNMP daemon I have
> already running as a full management daemon. This would simplify a
> lot from my end, but the end user (people running vserver
> environments) would have to install snmp on their servers, which, I
> can imagine, causes security risks not everyone is willing to take.
> To make a long story short, I am wondering if someone else
> considers using SNMP a worthwhile approach, or perhaps people
> have different ideas?
> Dennis Roos
> Network Engineer
> InTouch N.V.
> Middenweg 76
> 1097 BS Amsterdam
> Tel: +31 (0)20 6752060
> Fax: +31 (0)20 6758429
> Vserver mailing list
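
The reply's suggestion of counting traffic with iptables instead of running snmpd, sketched as an added example that is not part of the original post and is not taken from the Vserver FAQ. The chain name `vs_acct`, the addresses, the function names and the sample counter output are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: per-vserver byte counters read from iptables, no snmpd needed.
# Assumed one-time setup as root on the host (rules without -j only count):
#   iptables -N vs_acct
#   iptables -I INPUT  -j vs_acct
#   iptables -I OUTPUT -j vs_acct
#   iptables -A vs_acct -d 10.0.0.5     # traffic to the vserver
#   iptables -A vs_acct -s 10.0.0.5     # traffic from the vserver

# vs_traffic IP: reads `iptables -L vs_acct -v -n -x` output on stdin and
# prints "IP bytes_in bytes_out" (bytes, multiply by 8 for bits).
vs_traffic() {
    awk -v ip="$1" '
        $1 !~ /^[0-9]+$/ { next }      # skip the "Chain" and column header lines
        {
            # Counting-only rules leave the target column empty, so field
            # positions shift by one. For rules that match on address only,
            # source and destination are always the last two fields.
            src = $(NF-1); dst = $NF
            if (dst == ip) in_b  += $2
            if (src == ip) out_b += $2
        }
        # %.0f instead of %d: some awk builds clamp %d at 2^31-1.
        END { printf "%s %.0f %.0f\n", ip, in_b, out_b }
    '
}

# Constructed sample of `iptables -L vs_acct -v -n -x` output.
sample_counters() {
cat <<'EOF'
Chain vs_acct (2 references)
    pkts      bytes target     prot opt in     out     source               destination
    1200   840000            all  --  *      *       0.0.0.0/0            10.0.0.5
     900    96000            all  --  *      *       10.0.0.5             0.0.0.0/0
      40     5200            all  --  *      *       0.0.0.0/0            10.0.0.6
      10      700 ACCEPT     all  --  *      *       10.0.0.6             0.0.0.0/0
EOF
}

# Live use: iptables -L vs_acct -v -n -x | vs_traffic 10.0.0.5
sample_counters | vs_traffic 10.0.0.5   # prints: 10.0.0.5 840000 96000
```

Reading the counters still needs root, so a web front end would call this through a narrowly scoped helper rather than running as root itself.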