-- extracted from draft-ietf-isms-secshell-01.txt
-- at Fri Feb 10 06:15:01 2006

SSHSM-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
    mib-2, Counter32, Integer32
        FROM SNMPv2-SMI
    TestAndIncr, AutonomousType
        FROM SNMPv2-TC
    MODULE-COMPLIANCE, OBJECT-GROUP
        FROM SNMPv2-CONF
    snmpAuthProtocols, snmpPrivProtocols,
    SnmpAdminString, SnmpSecurityLevel, SnmpEngineID
        FROM SNMP-FRAMEWORK-MIB
    TransportAddress, TransportAddressType
        FROM TRANSPORT-ADDRESS-MIB
    ;

sshsmMIB MODULE-IDENTITY
    LAST-UPDATED "200509020000Z"
    ORGANIZATION "ISMS Working Group"
    CONTACT-INFO "WG-EMail:   isms@lists.ietf.org
                  Subscribe:  isms-request@lists.ietf.org

                  Chairs:
                    Juergen Quittek
                    NEC Europe Ltd.
                    Network Laboratories
                    Kurfuersten-Anlage 36
                    69115 Heidelberg
                    Germany
                    +49 6221 90511-15
                    quittek@netlab.nec.de

                    Juergen Schoenwaelder
                    International University Bremen
                    Campus Ring 1
                    28725 Bremen
                    Germany
                    +49 421 200-3587
                    j.schoenwaelder@iu-bremen.de

                  Co-editors:
                    David Harrington
                    Effective Software
                    50 Harding Rd
                    Portsmouth, New Hampshire 03801
                    USA
                    +1 603-436-8634
                    ietfdbh@comcast.net

                    Joseph Salowey
                    Cisco Systems
                    2901 3rd Ave
                    Seattle, WA 98121
                    USA
                    jsalowey@cisco.com
                 "
    DESCRIPTION  "The Secure Shell Security Model MIB

                  Copyright (C) The Internet Society (2005). This
                  version of this MIB module is part of RFC XXXX;
                  see the RFC itself for full legal notices.
-- NOTE to RFC editor: replace XXXX with actual RFC number
--                     for this document and remove this note
                 "
    REVISION     "200509020000Z"   -- 02 September 2005
    DESCRIPTION  "The initial version, published in RFC XXXX.
-- NOTE to RFC editor: replace XXXX with actual RFC number
--                     for this document and remove this note
                 "
    ::= { mib-2 xxxx }
-- RFC Ed.: replace xxxx with IANA-assigned number and
--          remove this note

-- ----------------------------------------------------------
--
-- subtrees in the SSHSM-MIB
--
-- ----------------------------------------------------------

sshsmNotifications OBJECT IDENTIFIER ::= { sshsmMIB 0 }
sshsmObjects       OBJECT IDENTIFIER ::= { sshsmMIB 1 }
sshsmConformance   OBJECT IDENTIFIER ::= { sshsmMIB 2 }

-- -------------------------------------------------------------
-- Objects
-- -------------------------------------------------------------

-- Identification of Authentication and Privacy Protocols
-- [todo] I think these are not protocols, but mechanisms, and it
--        may be inappropriate to list them here

sshsmPasswordAuthProtocol OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION "The Secure Shell Password Authentication Method"
    REFERENCE   "RFC 4252"
    ::= { snmpAuthProtocols 4 }

sshsmPublickeyAuthProtocol OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION "The Secure Shell Public Key Authentication Method"
    REFERENCE   "RFC 4252"
    ::= { snmpAuthProtocols 5 }

sshsmHostbasedAuthProtocol OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION "The Secure Shell Host-based Authentication Method"
    REFERENCE   "RFC 4252"
    ::= { snmpAuthProtocols 6 }

sshsmRADIUSAuthProtocol OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION "The RADIUS Authentication Method"
    REFERENCE   "RFC 2865"
    ::= { snmpAuthProtocols 7 }

sshsmAESPrivProtocol OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION "The AES Encryption Protocol."
    ::= { snmpPrivProtocols 5 }

-- Statistics for the Secure Shell Security Model

sshsmStats OBJECT IDENTIFIER ::= { sshsmObjects 1 }

-- [todo] do we need any of these? or other stats?

sshsmStatsUnsupportedSecLevels OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The total number of packets received by the SNMP
                 engine which were dropped because they requested a
                 securityLevel that was unknown to the SNMP engine
                 or otherwise unavailable.

                 [todo] we should never hit any of these because they
                 should never be sent by the remote SNMP engine if an
                 appropriate session does not exist. We also do not
                 know what was requested by the remote session.
                "
    ::= { sshsmStats 1 }

sshsmStatsUnknownUserNames OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The total number of packets received by the SNMP
                 engine which were dropped because they referenced a
                 user that was not known to the SNMP engine.

                 [discuss] In SSHSM, we do no preconfiguration, so we
                 don't know any users. If authentication is based on
                 principals defined in the SSH authentication, if the
                 user is not known, they cannot be authenticated, so
                 they wouldn't reach the SNMP engine (assuming we
                 don't permit noAuthNoPriv over SSH).
                "
    ::= { sshsmStats 3 }

sshsmStatsUnknownEngineIDs OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The total number of packets received by the SNMP
                 engine which were dropped because they referenced an
                 snmpEngineID that was not known to the SNMP engine.

                 [todo] We don't use the engineID during
                 authentication, encryption, or integrity checking,
                 so there is never an error condition related to
                 unknown securityEngineID. (But check the SNMPv3
                 dependency on knowing the securityEngineID.)
                "
    ::= { sshsmStats 4 }

-- The sshsmSession Group

sshsmSession OBJECT IDENTIFIER ::= { sshsmObjects 2 }

sshsmSessionSpinLock OBJECT-TYPE
    SYNTAX      TestAndIncr
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION "An advisory lock used to allow several cooperating
                 Command Generator Applications to coordinate their
                 use of facilities to create sessions in the
                 sshsmSessionTable.
                "
    ::= { sshsmSession 1 }

sshsmSessionTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF SshsmSessionEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION "The table of currently available sessions configured
                 in the SNMP engine's Local Configuration Datastore
                 (LCD). Sessions are created as needed, and do not
                 persist across network management system reboots.
                "
    ::= { sshsmSession 2 }

sshsmSessionEntry OBJECT-TYPE
    SYNTAX      SshsmSessionEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION "A session configured in the SNMP engine's Local
                 Configuration Datastore (LCD) for the Secure Shell
                 Security Model.
                "
    INDEX       { sshsmSessionID }
    ::= { sshsmSessionTable 1 }

SshsmSessionEntry ::= SEQUENCE {
    sshsmSessionID            Integer32,
    sshsmSessionTransport     TransportAddressType,
    sshsmSessionAddress       TransportAddress,
    sshsmSessionUserName      SnmpAdminString,
    sshsmSessionSecurityName  SnmpAdminString,
    sshsmSessionSecurityLevel SnmpSecurityLevel,
    sshsmSessionAuthProtocol  AutonomousType,
    sshsmSessionPrivProtocol  AutonomousType,
    sshsmSessionEngineID      SnmpEngineID
}

sshsmSessionID OBJECT-TYPE
    SYNTAX      Integer32 (1..65535)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION "A locally-unique identifier for a session.
                "
    ::= { sshsmSessionEntry 1 }

sshsmSessionTransport OBJECT-TYPE
    SYNTAX      TransportAddressType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The transport domain associated with this session.
                "
    ::= { sshsmSessionEntry 2 }

sshsmSessionAddress OBJECT-TYPE
    SYNTAX      TransportAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The transport address associated with this session.
                "
    ::= { sshsmSessionEntry 3 }

sshsmSessionUserName OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "A human readable string representing the principal
                 in Security Model dependent format, such as the
                 user name used in the SSH-USERAUTH-REQUEST message
                 for a successful authentication.
                "
    ::= { sshsmSessionEntry 4 }

sshsmSessionSecurityName OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "A human readable string representing the principal
                 in Security Model independent format.

                 The default transformation of the Secure Shell
                 Security Model dependent security ID to the
                 securityName and vice versa is the identity
                 function, so that the securityName is the same as
                 the SSH user name.
                "
    ::= { sshsmSessionEntry 5 }

sshsmSessionSecurityLevel OBJECT-TYPE
    SYNTAX      SnmpSecurityLevel
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The Level of Security at which SNMP messages can be
                 sent using this session, in particular, one of:

                   noAuthNoPriv - without authentication and
                                  without privacy,
                   authNoPriv   - with authentication but
                                  without privacy,
                   authPriv     - with authentication and
                                  with privacy.
                "
    DEFVAL      { authPriv }
    ::= { sshsmSessionEntry 6 }

sshsmSessionAuthProtocol OBJECT-TYPE
    SYNTAX      AutonomousType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION "The type of authentication protocol used by the SSH
                 session associated with this SSHSM session.
                "
    ::= { sshsmSessionEntry 7 }

sshsmSessionPrivProtocol OBJECT-TYPE
    SYNTAX      AutonomousType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION "The type of encryption protocol used by the SSH
                 session associated with this SSHSM session.
                "
    ::= { sshsmSessionEntry 8 }

sshsmSessionEngineID OBJECT-TYPE
    SYNTAX      SnmpEngineID
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The administratively-unique identifier for the
                 remote SNMP engine associated with this session.
                "
    ::= { sshsmSessionEntry 9 }

-- -------------------------------------------------------------
-- sshsmMIB - Conformance Information
-- -------------------------------------------------------------

sshsmGroups      OBJECT IDENTIFIER ::= { sshsmConformance 1 }
sshsmCompliances OBJECT IDENTIFIER ::= { sshsmConformance 2 }

-- -------------------------------------------------------------
-- Units of conformance
-- -------------------------------------------------------------

sshsmGroup OBJECT-GROUP
    OBJECTS {
        sshsmStatsUnsupportedSecLevels,
        sshsmStatsUnknownUserNames,
        sshsmStatsUnknownEngineIDs,
        sshsmSessionTransport,
        sshsmSessionAddress,
        sshsmSessionUserName,
        sshsmSessionSecurityName,
        sshsmSessionSecurityLevel,
        sshsmSessionAuthProtocol,
        sshsmSessionPrivProtocol,
        sshsmSessionEngineID,
        sshsmSessionSpinLock
    }
    STATUS      current
    DESCRIPTION "A collection of objects for maintaining session
                 information of an SNMP engine which implements the
                 SNMP Secure Shell Security Model.
                "
    ::= { sshsmGroups 2 }

-- -------------------------------------------------------------
-- Compliance statements
-- -------------------------------------------------------------

sshsmCompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION "The compliance statement for SNMP engines that
                 support the SSHSM-MIB"
    MODULE
        MANDATORY-GROUPS { sshsmGroup }
    ::= { sshsmCompliances 1 }

END

--
-- Copyright (C) The Internet Society (2006).
--
-- This document is subject to the rights, licenses and restrictions
-- contained in BCP 78, and except as set forth therein, the authors
-- retain all their rights.
--
-- This document and the information contained herein are provided on an
-- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
--
--
-- Intellectual Property
--
-- The IETF takes no position regarding the validity or scope of any
-- Intellectual Property Rights or other rights that might be claimed to
-- pertain to the implementation or use of the technology described in
-- this document or the extent to which any license under such rights
-- might or might not be available; nor does it represent that it has
-- made any independent effort to identify any such rights. Information
-- on the procedures with respect to rights in RFC documents can be
-- found in BCP 78 and BCP 79.
--
-- Copies of IPR disclosures made to the IETF Secretariat and any
-- assurances of licenses to be made available, or the result of an
-- attempt made to obtain a general license or permission for the use of
-- such proprietary rights by implementers or users of this
-- specification can be obtained from the IETF on-line IPR repository at
-- http://www.ietf.org/ipr.
--
-- The IETF invites any interested party to bring to its attention any
-- copyrights, patents or patent applications, or other proprietary
-- rights that may cover technology that may be required to implement
-- this standard. Please address the information to the IETF at
-- ietf-ipr@ietf.org.
--
--
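As an added illustration (not part of the draft or of the SSHSM-MIB module itself), the following Python model shows how the sshsmSessionTable and its TestAndIncr spin lock behave from the agent's side: two command generators that both read the same lock value race to add a session row, the stale writer is rejected without touching the table, and the securityName of a new row is derived from the SSH user name by the identity transform the MIB specifies as the default. The TestAndIncr semantics (write must equal the current value, then increment with wrap from 2147483647 to 0) are those of SNMPv2-TC. The class and function names, the sample transport addresses and user names are constructed for this example, and because the module's base OID is still the unassigned placeholder `mib-2 xxxx`, the OID helper takes the base as a parameter.

```python
"""Model of the SSHSM-MIB session table and its TestAndIncr spin lock.

Constructed example for illustration: class names, sample addresses
and user names are assumptions, not code from draft-ietf-isms-secshell-01.
"""
from dataclasses import dataclass


class TestAndIncr:
    """SNMPv2-TC TestAndIncr as used by sshsmSessionSpinLock.

    A SET succeeds only if the written value equals the current value;
    on success the value is incremented, wrapping from 2147483647 to 0.
    A stale value is rejected (an agent answers inconsistentValue), which
    is how cooperating managers detect that someone else changed the LCD.
    """
    MAX = 2 ** 31 - 1

    def __init__(self):
        self._value = 0

    def get(self):
        return self._value

    def test_and_set(self, written):
        if written != self._value:
            return False
        self._value = 0 if self._value == self.MAX else self._value + 1
        return True


@dataclass
class SshsmSessionEntry:
    """One conceptual row of sshsmSessionTable (columns 1..9)."""
    session_id: int          # sshsmSessionID, Integer32 (1..65535), the INDEX
    transport: str           # sshsmSessionTransport (TransportAddressType)
    address: bytes           # sshsmSessionAddress (TransportAddress)
    user_name: str           # sshsmSessionUserName, from SSH userauth
    security_name: str       # sshsmSessionSecurityName
    security_level: str = "authPriv"   # DEFVAL of sshsmSessionSecurityLevel
    auth_protocol: str = "sshsmPublickeyAuthProtocol"
    priv_protocol: str = "sshsmAESPrivProtocol"
    engine_id: bytes = b""   # sshsmSessionEngineID of the remote engine


def security_name_for(ssh_user_name):
    """Default SSHSM mapping: the identity function (securityName == SSH user)."""
    return ssh_user_name


def column_oid(sshsm_mib_base, column, session_id):
    """Instance OID of a column: sshsmMIB.1.2.2.1.<column>.<sshsmSessionID>.

    Path follows the module: sshsmObjects = { sshsmMIB 1 },
    sshsmSession = { sshsmObjects 2 }, sshsmSessionTable = { sshsmSession 2 },
    sshsmSessionEntry = { sshsmSessionTable 1 }. The base is a caller-supplied
    placeholder since the draft's { mib-2 xxxx } is not yet assigned.
    """
    return tuple(sshsm_mib_base) + (1, 2, 2, 1, column, session_id)


class SshsmSessionTable:
    """Agent-side LCD view: rows keyed by sshsmSessionID, guarded by the spin lock."""

    def __init__(self):
        self.spin_lock = TestAndIncr()
        self._rows = {}

    def get(self, session_id):
        return self._rows.get(session_id)

    def create_session(self, lock_value, session_id, transport, address,
                       ssh_user_name, **columns):
        """Model one SET PDU carrying sshsmSessionSpinLock plus a new row.

        A SET is applied as-if-simultaneously, so a duplicate index or a
        stale lock value leaves both the table and the lock untouched and
        returns None; the manager must re-read the lock and retry.
        """
        if not 1 <= session_id <= 65535:
            raise ValueError("sshsmSessionID must be in 1..65535")
        if session_id in self._rows:
            return None                      # fails before the lock is consumed
        if not self.spin_lock.test_and_set(lock_value):
            return None                      # stale lock: another manager won
        row = SshsmSessionEntry(session_id, transport, address, ssh_user_name,
                                security_name_for(ssh_user_name), **columns)
        self._rows[session_id] = row
        return row


def two_managers_demo():
    """Two command generators read lock 0, then both try to add a row."""
    table = SshsmSessionTable()
    seen_by_a = seen_by_b = table.spin_lock.get()          # both observe 0
    row_a = table.create_session(seen_by_a, 1, "transportDomainTcpIpv4",
                                 b"\xc0\x00\x02\x01\x00\x16", "alice")
    row_b = table.create_session(seen_by_b, 2, "transportDomainTcpIpv4",
                                 b"\xc0\x00\x02\x02\x00\x16", "bob")   # stale
    retry_b = table.create_session(table.spin_lock.get(), 2,
                                   "transportDomainTcpIpv4",
                                   b"\xc0\x00\x02\x02\x00\x16", "bob")
    return (row_a is not None, row_b is None, retry_b is not None,
            table.spin_lock.get())


if __name__ == "__main__":
    print(two_managers_demo())   # (True, True, True, 2)
```

The point of the spin lock, for a defender reading the MIB, is that it is advisory: it does not stop a misbehaving manager, it only lets cooperating ones notice a lost race, so access control on the table columns still has to come from the SNMP access control model, not from the lock.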