How to set up SNMPv3, a very brief document for Dave to elaborate and
do a better job on since I suck and he doesn't ;-):
First, there are 3 users that exist in the agent already:
initial: something to start with, but probably shouldn't be used in
production use.
templateMD5:
templateSHA:
These users are generic MD5 and SHA authentication users
(with DES where appropriate) that can be cloned from to
create new users.
First off, you need to add snmpd.conf VACM entries that allow you to
create new users using an existing one (this would actually work with
v1 and v2c too, of course, but let's use v3 here):
group local any initial
view all included .1 80
access local "" any auth 0 all all all
As long as we're here, let's add:
group local any wes
Note: these entries should only exist while you're doing setup!
Also, you need to set the initial user's password in your snmpd.conf
file. Again, this entry shouldn't exist after you create your first
user, because then you can use that instead. (the * is a wildcard for
the engineID, which doesn't really need to be specified in 99% of the cases).
userSetAuthPass initial * setup_password
Now, you have a user "initial" which can write to everything using MD5
authentication if the above 4 lines are in place. Also add a line (or
lines) to set a password for templateMD5 and templateSHA (only
templateMD5 is used here):
userSetAuthPass templateMD5 * initial_MD5_pass
Note: passwords must be 8 characters minimum in length.
Start the agent.
Unfortunately, you need to specify the EngineID on the command line of
snmpusm still (it should be able to figure this out from a probe,
sigh). Fix me.
./snmpwalk -v 3 -u initial -n none -l authNoPriv -a MD5 -A setup_password localhost snmpEngineID
.iso.org.dod.internet.snmpV2.snmpModules.snmpFrameworkMIB.snmpFrameworkMIBObjects.snmpEngine.snmpEngineID.0 = Hex: 80 00 07 E5 01 A8 96 BE 01
Therefore, the EngineID=800007e501a896be01
Create a new user, here named "wes", using "initial". He's cloned from
templateMD5 in the process, so he inherits that user's password:
snmpusm -e 800007e501a896be01 -E 800007e501a896be01 -v 3 -u initial -n none -l authNoPriv -a MD5 -A setup_password localhost create wes templateMD5
Now, unfortunately, this used to work and recent changes have made it
either stop working or segfault, depending on how many times I run it.
Both the app and the agent have segfaulted on me. Sometimes... I
haven't figured out what's going wrong in my few minutes of poking
around.
However, the above should have created the user "wes" with the same
password as the templateMD5 user. So then, you need to change his
password using:
snmpusm -e 800007e501a896be01 -E 800007e501a896be01 -v 3 -u wes -n none -l authNoPriv -a MD5 -A initial_MD5_pass localhost passwd -O initial_MD5_pass -N new_passphrase
See, wasn't that easy?
Now, go remove the VACM entries for initial and you have a valid user 'wes'
that you can use for future transactions instead of initial.
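As an added illustration (not part of this document or of the ucd-snmp code), the Python below does the two computations the commands above rely on: it pulls the engineID out of the snmpwalk "Hex:" output in the contiguous form that snmpusm's -e/-E options take, and it derives the RFC 3414 USM keys (password-to-key, then localization with the engineID) that a -a MD5/SHA -A passphrase actually becomes. The function names and the constructed sample line are mine; the sample line mirrors the snmpEngineID output shown earlier, and the check values in the self-test are the RFC 3414 appendix A.3 test vectors (passphrase "maplesyrup", engineID 000000000000000000000002). It shows why the engineID has to be exactly right, where the 8-character minimum is enforced, and why the -O and -N passphrases of the passwd step are two different localized keys on the same engine.

```python
import hashlib
import re

# Constructed sample: the shape of the snmpwalk snmpEngineID line shown above.
SAMPLE_WALK_LINE = (
    ".iso.org.dod.internet.snmpV2.snmpModules.snmpFrameworkMIB."
    "snmpFrameworkMIBObjects.snmpEngine.snmpEngineID.0 = "
    "Hex: 80 00 07 E5 01 A8 96 BE 01"
)

# RFC 3414 appendix A.3 test-vector inputs (used by the self-test below).
RFC3414_PASSWORD = "maplesyrup"
RFC3414_ENGINE_ID = "000000000000000000000002"


def engine_id_from_walk(line):
    """Collapse 'Hex: 80 00 07 ...' into the contiguous hex that -e/-E take."""
    m = re.search(r"Hex:\s*((?:[0-9A-Fa-f]{2}\s*)+)$", line.strip())
    if m is None:
        raise ValueError("line carries no 'Hex:' dump of the engineID")
    return "".join(m.group(1).split()).lower()


def password_to_key(password, hashname="md5"):
    """RFC 3414 A.2: Ku = H(passphrase repeated and cut to exactly 1 MiB)."""
    if len(password) < 8:
        # The same minimum the document states for userSetAuthPass.
        raise ValueError("USM passphrases must be at least 8 characters")
    pw = password.encode()
    stream = (pw * (1048576 // len(pw) + 1))[:1048576]
    return hashlib.new(hashname, stream).digest()


def localize_key(ku, engine_id_hex, hashname="md5"):
    """RFC 3414 2.6 / A.2: Kul = H(Ku || snmpEngineID || Ku)."""
    engine_id = bytes.fromhex(engine_id_hex)
    return hashlib.new(hashname, ku + engine_id + ku).digest()


def usm_auth_key(password, engine_id_hex, proto="MD5"):
    """Localized auth key for a '-a MD5|SHA -A <passphrase>' user on one engine."""
    hashname = {"MD5": "md5", "SHA": "sha1"}[proto.upper()]
    return localize_key(password_to_key(password, hashname), engine_id_hex, hashname)


def passwd_step_keys(engine_id_hex, old_pass, new_pass, proto="MD5"):
    """The two localized keys behind 'snmpusm ... passwd -O old -N new'."""
    return (usm_auth_key(old_pass, engine_id_hex, proto),
            usm_auth_key(new_pass, engine_id_hex, proto))


if __name__ == "__main__":
    eid = engine_id_from_walk(SAMPLE_WALK_LINE)
    print("engineID for -e/-E:", eid)
    # Self-test against RFC 3414 A.3.1 (MD5) check values.
    assert password_to_key(RFC3414_PASSWORD).hex() == "9faf3283884e92834ebc9847d8edd963"
    assert usm_auth_key(RFC3414_PASSWORD, RFC3414_ENGINE_ID).hex() == "526f5eed9fcce26f8964c2930787d82b"
    # The passwd step for "wes" with the document's passphrases on this engine.
    old_key, new_key = passwd_step_keys(eid, "initial_MD5_pass", "new_passphrase")
    print("wes old localized key:", old_key.hex())
    print("wes new localized key:", new_key.hex())
```

Running it prints the engineID the document derives by hand and the two localized keys for the wes passwd step; the same passphrase localized against a different engineID yields a different key, which is why a wrong -e/-E value simply fails authentication rather than producing any error about the ID itself.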
The information is all stored in /var/ucd-snmp/snmpd.conf, in the form
of configuration lines, when the agent is shut down. Note that I
think this file is currently world readable, which is very very wrong
and we need to change this in snmplib/read_config.c.
Ugg. Have fun?