How to set up SNMPv3, a very brief document for Dave to elaborate and
do a better job on since I suck and he doesn't ;-) --Wes:
Note: Currently only MD5 support for authentication is available for
snmpv3. SHA support is coming shortly. Also, due to U.S. export
restrictions, which I haven't figured out how to handle yet,
encryption support is not possible at this time.
First, there are 3 users that exist in the agent already:
initial:      something to start with, but probably shouldn't be used
              in production.
templateMD5:
templateSHA:  These users are generic MD5 and SHA authentication users
              (with DES where appropriate) that can be cloned to
              create new users.
First off, you need to add snmpd.conf VACM entries that allow an
existing user to create new users (these entries would work with v1
and v2c as well, of course, but let's use v3 authenticated requests
only here):
group local any initial
view all included .1 80
access local "" any auth 0 all all all
Note: these entries should only exist while you're doing setup!
While we're here, let's also add the following (which will be needed
on a more permanent basis):
group local any wes
Also, you need to set the initial user's password in your snmpd.conf
file. Again, this entry shouldn't exist after you create your first
user, because then you can use that instead. (the * is a wildcard for
the engineID, which doesn't really need to be specified in 99% of the cases).
userSetAuthPass initial * setup_password
Now, you have a user "initial" which can write to everything using MD5
authentication if the above 4 lines are in place. Also add a line to
set a password for templateMD5 and/or templateSHA (only templateMD5 is
used here):
userSetAuthPass templateMD5 * initial_MD5_pass
Note: passwords (passphrases really) must be 8 characters minimum in length.
Start the agent.
Create a new user, here named "wes", using the user "initial" to do it.
"wes" is cloned from templateMD5 in the process, so he inherits that
user's password:
snmpusm -v 3 -u initial -n none -l authNoPriv -a MD5 -A setup_password localhost create wes templateMD5
The above should have created the user "wes" with the same password as
the templateMD5 user. So then, you need to change his password using:
snmpusm -v 3 -u wes -n none -l authNoPriv -a MD5 -A initial_MD5_pass localhost passwd -O initial_MD5_pass -N new_passphrase -a
See, wasn't that easy?
Now, test it:
snmpget -v 3 -u wes -n none -l authNoPriv -a MD5 -A new_passphrase localhost sysUpTime.0
Now, go remove the vacm "group" snmpd.conf entry for the "initial"
user and you have a valid user 'wes' that you can use for future
transactions instead of initial.
The information about the newly created user is stored in
/var/ucd-snmp/snmpd.conf, in the form of configuration lines, when the
agent is shut down, so that it is usable on the next run.
Note that I think this file is currently world readable, which is very
very wrong and we need to change this in snmplib/read_config.c.
Also note that the passkeys stored in /var/ucd-snmp/snmpd.conf are
locked to a given engineID, which by default is based off of your IPv4
address. This means that:
1) You can't copy/rdist the /var/ucd-snmp/snmpd.conf around (unless
you put identical "engineID" configuration lines in all your
snmpd.conf files).
2) If you change the IP address of your machine and you're using the
default mechanism, your entire user database needs to be
re-created. whee.
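Why the stored keys are tied to the engineID, and why a cloned user
starts out with the template's passphrase, both follow from the USM
key derivation (RFC 3414): the passphrase is first stretched and hashed
into Ku, and Ku is then "localized" by hashing it together with the
agent's engineID. The agent stores only the localized key, so a
different engineID gives a different key even for the same passphrase.
The following is an added illustration written for this document, not
code from ucd-snmp; it implements the MD5 variant (the only one the
agent supports at the time of writing) using only the standard library,
checks the 8-character minimum the agent enforces, and uses the
published RFC 3414 test vector (passphrase "maplesyrup", engineID
00..02) plus a second, constructed engineID to show the effect of a
change:

```python
import hashlib

ONE_MEBIBYTE = 1048576       # RFC 3414 A.2.1 stretches the passphrase to 1 MiB
MIN_PASSPHRASE_LEN = 8       # the agent refuses anything shorter


def is_valid_passphrase(passphrase: str) -> bool:
    """Mirror the agent's minimum-length rule for passphrases."""
    return len(passphrase) >= MIN_PASSPHRASE_LEN


def password_to_key_md5(passphrase: str) -> bytes:
    """RFC 3414 A.2.1: repeat the passphrase to 1 MiB and MD5 it -> Ku.

    Ku depends only on the passphrase, never on the agent.
    """
    if not is_valid_passphrase(passphrase):
        raise ValueError("passphrases must be at least 8 characters")
    pw = passphrase.encode("utf-8")
    stretched = (pw * (ONE_MEBIBYTE // len(pw) + 1))[:ONE_MEBIBYTE]
    return hashlib.md5(stretched).digest()


def localize_key_md5(ku: bytes, engine_id: bytes) -> bytes:
    """RFC 3414 section 2.6: Kul = MD5(Ku || engineID || Ku).

    This is the value the agent keeps in its persistent config, so it
    is only usable by an agent with exactly this engineID.
    """
    return hashlib.md5(ku + engine_id + ku).digest()


def localized_auth_key(passphrase: str, engine_id: bytes) -> bytes:
    """Convenience wrapper: passphrase -> localized MD5 auth key."""
    return localize_key_md5(password_to_key_md5(passphrase), engine_id)


def keys_match_after_clone(passphrase: str, engine_id: bytes) -> bool:
    """A user cloned from a template inherits the template's localized key,
    which is why 'wes' can authenticate with templateMD5's passphrase
    until 'snmpusm ... passwd' is run."""
    template_key = localized_auth_key(passphrase, engine_id)
    cloned_key = template_key  # the clone copies the key verbatim
    return cloned_key == localized_auth_key(passphrase, engine_id)


if __name__ == "__main__":
    # RFC 3414 A.3.1 test vector (real, published values)
    rfc_engine_id = bytes.fromhex("000000000000000000000002")
    # constructed engineID standing in for "the same box after an IP change"
    other_engine_id = bytes.fromhex("000000000000000000000003")

    ku = password_to_key_md5("maplesyrup")
    print("Ku  :", ku.hex())
    print("Kul :", localize_key_md5(ku, rfc_engine_id).hex())
    print("Kul':", localize_key_md5(ku, other_engine_id).hex())
    print("cloned user shares template key:",
          keys_match_after_clone("initial_MD5_pass", rfc_engine_id))
```

Running it shows Ku unchanged between the two engineIDs while the
localized key differs, which is exactly the situation in points 1) and
2) above: the lines in /var/ucd-snmp/snmpd.conf hold Kul, not the
passphrase, so they only make sense to the agent that produced them.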
Tired of all those command line options?
----------------------------------------
put this in your ~/.snmp/snmp.conf file:
defSecurityName wes
defContext none
defAuthType MD5
defSecurityLevel authNoPriv
defPassphrase new_passphrase
And then the above line boils down to:
snmpget -v 3 localhost sysUpTime.0
Ugg. Have fun?