snmpkey(1) [suse man page]

SNMPKEY(1)						User Contributed Perl Documentation						SNMPKEY(1)

NAME
snmpkey - Create SNMPv3 security keys for the Net::SNMP module

SYNOPSIS
The "snmpkey" utility generates security keys based on a password and an authoritativeEngineID passed on the command line. This key can then be used by the Net::SNMP module instead of the plain text password when creating SNMPv3 objects.

    snmpkey <authProto> <password> <authEngineID> [<privProto> [<password>]]

DESCRIPTION
The User-based Security Model used by SNMPv3 defines an algorithm which "localizes" a plain text password to a specific authoritativeEngineID using a one-way hash. This resulting key is used by the SNMP application instead of the plain text password for security reasons.

The Net::SNMP module allows the user to either provide a plain text password or a localized key to the object constructor when configuring authentication or privacy. The "snmpkey" utility can be used to generate the key to be used by the -authkey or -privkey named arguments when they are passed to the Net::SNMP "session()" constructor.

The "snmpkey" utility requires at least three command line arguments. The first argument defines which hash algorithm to use when creating the authKey. Either HMAC-MD5-96 or HMAC-SHA-96 can be specified with the string 'md5' or 'sha' respectively. This choice must match the algorithm passed to the -authprotocol argument when creating the Net::SNMP object.

The second argument is the plain text password that is to be localized to create the authKey.

The third required argument is the authoritativeEngineID of the remote SNMP engine associated with the Net::SNMP argument -hostname. The authoritativeEngineID is to be entered as a hexadecimal string 10 to 64 characters (5 to 32 octets) long and can be prefixed with an optional "0x".

The last two arguments are optional and can be used to determine how the privKey will be generated. By default, the fourth argument assumes a value of 'des' corresponding to the default privacy protocol defined in the User-based Security Model. The Net::SNMP module supports CBC-3DES-EDE and CFB128-AES-128 as alternatives to the default protocol CBC-DES. These protocols can be chosen by specifying the string '3des' or 'aes' respectively. This choice must match the protocol passed to the -privprotocol argument when creating the Net::SNMP object.

The last argument can be used to specify the plain text password that is to be localized to create the privKey. If this argument is not specified, the authKey password is used.

AUTHOR
David M. Town <dtown@cpan.org>

COPYRIGHT
Copyright (c) 2001-2005 David M. Town. All rights reserved. This program is free software; you may redistribute it and/or modify it under the same terms as Perl itself.

SEE ALSO
Net::SNMP

perl v5.12.1							2010-07-05							SNMPKEY(1)
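
The localization step described in the snmpkey DESCRIPTION above, as an added Python example (not code from Net::SNMP or snmpkey): it follows the password-to-key algorithm of RFC 3414 Appendix A.2 and computes only the authKey. The function names are this example's own; the password and first engineID are the RFC's published test values, and the second engineID is constructed.

```python
import hashlib

# Hash behind each snmpkey <authProto> string (HMAC-MD5-96 / HMAC-SHA-96).
_HASH = {"md5": hashlib.md5, "sha": hashlib.sha1}
_STREAM_LEN = 1048576  # RFC 3414 A.2: hash 1 MiB of repeated password


def parse_engine_id(text):
    """Parse an authoritativeEngineID: 10-64 hex chars, optional 0x prefix."""
    digits = text[2:] if text.lower().startswith("0x") else text
    if not 10 <= len(digits) <= 64 or len(digits) % 2:
        raise ValueError("engineID must be 5 to 32 octets of hex")
    return bytes.fromhex(digits)  # also raises ValueError on non-hex input


def localize_key(auth_proto, password, engine_id_hex):
    """Return the key localized to one engine (hypothetical helper)."""
    if auth_proto not in _HASH:
        raise ValueError("authProto must be 'md5' or 'sha'")
    pw = password.encode()
    if not pw:
        raise ValueError("password must not be empty")
    engine_id = parse_engine_id(engine_id_hex)
    new_hash = _HASH[auth_proto]
    # Step 1: user key Ku = H(password repeated to exactly 1,048,576 bytes).
    reps, rest = divmod(_STREAM_LEN, len(pw))
    ku = new_hash(pw * reps + pw[:rest]).digest()
    # Step 2: localize Ku to this engine: Kul = H(Ku || engineID || Ku).
    return new_hash(ku + engine_id + ku).digest()


if __name__ == "__main__":
    # Same password, two engines: the second engineID is a constructed value.
    for eid in ("0x000000000000000000000002", "0x8000000001020304"):
        print(eid, "0x" + localize_key("md5", "maplesyrup", eid).hex())
```

Because the same password yields a different key for every engineID, a key recovered from one agent does not authenticate to another. For its own engine, though, the localized key works in place of the password and needs the same protection.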

SNMPUSM(1)							     Net-SNMP								SNMPUSM(1)

NAME
snmpusm - creates and maintains SNMPv3 users on a remote entity.

SYNOPSIS
    snmpusm [COMMON OPTIONS] create USER [CLONEFROM-USER]
    snmpusm [COMMON OPTIONS] delete USER
    snmpusm [COMMON OPTIONS] cloneFrom USER CLONEFROM-USER
    snmpusm [COMMON OPTIONS] [-Co] [-Ca] [-Cx] passwd OLD-PASSPHRASE NEW-PASSPHRASE

DESCRIPTION
snmpusm is an SNMP application that can be used to do simple maintenance on an SNMP agent's User-based Security Module (USM) table. You can create, delete, clone, and change the passphrase of users configured on a running SNMP agent.

The SNMPv3 USM specifications (see RFC2574) dictate that users are created and maintained by adding and modifying rows to the usmUserTable MIB table. To create a new user you simply create the row using snmpset. Users' profiles contain private keys that are never transmitted over the wire in clear text (regardless of whether the administration requests are encrypted or not).

The secret key for a user is initially set by cloning another user in the table, so that a new user inherits the cloned user's secret key. A user can only be cloned once, however, after which they must be deleted and re-created to be re-cloned. The authentication and privacy security types are also inherited during this cloning (e.g., MD5 vs. SHA1).

To change the secret key for a user, you must know the user's old passphrase as well as the new one. The passwd sub-command of the snmpusm command, therefore, requires both the new and the old passphrases to be supplied. After cloning from the appropriate template, you should immediately change the new user's passphrase.

The Net-SNMP agent must first be initialized so that at least one user is set up in it before you can use this command to clone new ones. See the snmpd.conf(5) manual page on the createUser configuration parameter.

EXAMPLES
Let's assume for our examples that the following VACM and USM configuration lines were in the snmpd.conf file for a Net-SNMP agent. These lines set up a default user called "initial" with the authentication passphrase "setup_passphrase" so that we can perform the initial setup of an agent:

    # VACM configuration entries
    rwuser initial
    # let's add the new user we'll create too:
    rwuser wes

    # USM configuration entries
    createUser initial MD5 setup_passphrase DES

Note: the "initial" user's setup should be removed after creating a real user that you grant administrative privileges to (like the user "wes" we'll be creating in this example).

Note: passphrases must be 8 characters minimum in length.

Create a new user

    snmpusm -v3 -u initial -n "" -l authNoPriv -a MD5 -A setup_passphrase localhost create wes initial

Creates a new user, here named "wes", using the user "initial" to do it. "wes" is cloned from "initial" in the process, so he inherits that user's passphrase ("setup_passphrase").

Change the user's passphrase

    snmpusm -v 3 -u wes -n "" -l authNoPriv -a MD5 -A setup_passphrase localhost passwd setup_passphrase new_passphrase

After creating the user "wes" with the same passphrase as the "initial" user, we need to change his passphrase for him. The above command changes it from "setup_passphrase", which was inherited from the initial user, to "new_passphrase".

Test the new user

    snmpget -v 3 -u wes -n "" -l authNoPriv -a MD5 -A new_passphrase localhost sysUpTime.0

If the above commands were successful, this command should have properly performed an authenticated SNMPv3 GET request to the agent.

Now, go remove the vacm "group" snmpd.conf entry for the "initial" user and you have a valid user 'wes' that you can use for future transactions instead of initial.

SEE ALSO
snmpd.conf(5), snmp.conf(5), RFC 2574

4th Berkeley Distribution					08 Feb 2002					SNMPUSM(1)