How to set up SNMPv3, a very brief document for Dave to elaborate and
do a better job on since I suck at writing documentation and he
doesn't ;-) --Wes:
Note: SHA authentication and DES encryption support is only available
if you have OpenSSL installed.
CREATING THE FIRST USER:
First, you need to run snmpd to create a new user. To do this, you
want it to create the user and then immediately quit. So, run it as
follows (this only works in net-snmp 5.0 and up, by the way):
snmpd --createUser="myuser MD5 my_password DES" --quit
WARNING: SNMPv3 pass phrases must be at least 8 characters long!
The above line creates the user "myuser" with a password of
"my_password" (and uses MD5 and DES for protection). You can
optionally add a second pass phrase after the DES keyword if you
want the encryption password to be different from the authentication
pass phrase. (Note that encryption support isn't enabled in the
binary releases downloadable from the net-snmp web site.)
First off, you need to add snmpd.conf VACM entries to allow you to
use the SNMPv3 users you are going to create. To do this, run the
following command:
snmpconf -G access_control
and answer its questions. Make sure you answer its questions
about adding access rights for the v3 user you created above.
Basically, snmpconf will end up creating a configuration file you'll
have to install (and it'll tell you where to install it). If you
can't get snmpconf working, just put a line like "rwuser myuser" in
your /usr/local/share/snmp/snmpd.conf file (you may have to create
it). That's all snmpconf will do for you anyway.
Start the agent and test your setup:
/usr/local/sbin/snmpd
[...wait a few seconds... It will run in the background and
return you to your shell immediately.]
snmpget -v 3 -u myuser -l authNoPriv -a MD5 -A my_password localhost sysUpTime.0
[ this should return information about how long your agent has been up]
snmpget -v 3 -u myuser -l authPriv -a MD5 -A my_password localhost sysUpTime.0
[ this should return similar information, but encrypts the transmission ]
CREATING A SECOND USER:
Start the agent (if you didn't do so above).
Now, let's create a second user, using the first user (just for fun)
for both authentication purposes and as a template (or "cloning
source"):
snmpusm -v 3 -u myuser -l authNoPriv -a MD5 -A my_password localhost create wes myuser
The above should have created the user "wes" with the same password as
the "myuser" user. So then, you need to change his password using:
snmpusm -v 3 -u wes -l authNoPriv -a MD5 -A my_password localhost passwd my_password new_passphrase
See, wasn't that easy? You can now create users. Wheeee....
But, you'll have to add a configuration line that allows them access
to do things. Do this with another "rwuser" line in your
/usr/local/share/snmp/snmpd.conf file (you'll need to stop and start
the agent again, or send the agent a SIGHUP signal):
rwuser wes
Or, optionally, use the "rouser" token instead of the "rwuser" token to
grant them read-only access instead.
Now, test your new user:
snmpget -v 3 -u wes -l authNoPriv -a MD5 -A new_passphrase localhost sysUpTime.0
FURTHER STUDIES:
The converted passwords are stored in /var/net-snmp/snmpd.conf and
are locked to a given engineID, which is different from machine to
machine. This means that you can't copy/rdist the
/var/net-snmp/snmpd.conf around.
Tired of all those command line options?
----------------------------------------
put something like this in your $HOME/.snmp/snmp.conf file (make it
readable only by you!!!):
defSecurityName wes
defContext ""
defAuthType MD5
defSecurityLevel authNoPriv
defAuthPassphrase new_passphrase
defVersion 3
And with this in place, the last of the above example lines boils down to:
snmpget localhost sysUpTime.0
Which is about as simple as I can make it for ya ;-)