28
is an SNMP application that can be used to do simple maintenance on a
29
SNMP agent's User-based Security Module (USM) table. The user needs
30
write access to the usmUserTable MIB table. You can create,
31
delete, clone, and change the passphrase of users configured on a
34
The SNMPv3 USM specifications (see RFC2574) dictate that users are
35
created and maintained by adding and modifying rows to the
36
usmUserTable MIB table. To create a new user you simply create the
39
User's profiles contain private keys that are never
28
is an SNMP application that can be used to do simple maintenance on
29
the users known to an SNMP agent, by manipulating the agent's
30
User-based Security Module (USM) table. The user needs
31
write access to the usmUserTable MIB table. This tool can be
32
used to create, delete, clone, and change the passphrase of users
33
configured on a running SNMP agent.
37
An unauthenticated SNMPv3 user can be created using the command
42
This constructs an (inactive) entry in the usmUserTable,
43
with no authentication or privacy settings.
44
In principle, this user should be useable for 'noAuthNoPriv' requests,
45
but in practise the Net-SNMP agent will not allow such an entry
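Review bot: two spelling slips at new lines 44-45: "useable" should be "usable", and "in practise" should be "in practice" (the noun form). Worth fixing before this text lands in the installed man page.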
49
In order to activate this entry, it is necessary to "clone" an existing
50
user, using the command
53
cloneFrom USER CLONEFROM-USER
55
The USER entry then inherits the same authentication and privacy
56
settings (including pass phrases) as the CLONEFROM user.
59
These two steps can be combined into one, by using the command
62
create USER CLONEFROM-USER
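Review bot: new lines 55-56 say the cloned USER inherits the CLONEFROM user's pass phrases, but the advice to change the new user's passphrase immediately only appears much later, at new lines 112-113. Suggest repeating or cross-referencing that advice here, next to both cloneFrom and the combined create form at new line 62, because until the passphrase is changed the new user and the template share the same secret.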
67
sub-command require that the user being created does not already exist.
70
sub-command requires that the user being cloned to
75
Cloning is the only way to specify which authentication and privacy
76
protocols to use for a given user, and it is only possible to do this
77
once. Subsequent attempts to reclone onto the same user will appear
78
to succeed, but will be silently ignored.
79
This (somewhat unexpected) behaviour is mandated by the SNMPv3
80
USM specifications (RFC 2474).
81
To change the authentication and privacy settings for a given user,
82
it is necessary to delete and recreate the user entry.
85
necessary for simply changing the pass phrases (see below).
86
This means that the agent must be initialized with at least one
87
user for each combination of authentication and privacy protocols.
90
manual page for details of the
92
configuration directive.
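Review bot: the citation at new line 80, "RFC 2474", does not match the "RFC2574" that the removed text at old line 35 gave for the same SNMPv3 USM specification; it looks like a transposed digit. Suggest restoring RFC 2574 at line 80. Separately, new lines 77-78 document that a second clone onto the same user appears to succeed but is silently ignored; it would help to state next to that sentence how an administrator can confirm which settings actually took effect, since a reported success here does not mean the authentication or privacy protocol changed.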
95
A user can be deleted from the usmUserTable using the command
100
.SH CHANGING PASS PHRASES
101
User profiles contain private keys that are never
40
102
transmitted over the wire in clear text (regardless of whether the
41
103
administration requests are encrypted or not).
43
The secret key for a user is initially set by cloning another user in
44
the table, so that a new user inherits the cloned user's secret key.
45
A user can only be cloned once, however, after which they must be
46
deleted and re-created to be re-cloned. The authentication and
47
privacy security types are also inherited during this cloning (e.g.,
48
MD5 vs. SHA1). To change the secret key for a user, you must know the
49
user's old passphrase as well as the new one. The
104
To change the secret key for a user, it is necessary to specify the
105
user's old passphrase as well as the new one.
106
This uses the command
53
command, therefore, requires both the new and the old
54
pass-phrases to be supplied. After cloning from the appropriate
55
template, you should immediately change the new users passphrase.
57
The Net-SNMP agent must first be initialized so that at least one user
58
is setup in it before you can use this command to clone new ones. See the
62
configuration parameter.
109
passwd OLD-PASSPHRASE NEW-PASSPHRASE
112
After cloning a new user entry from the appropriate template,
113
you should immediately change the new user's passphrase.
116
This command will only change the passphrase of the (SNMPv3) user
117
issuing the command. It is not possible to change the passphrases
118
for other user entries, even given suitable write access.
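Review bot: the synopsis at new line 109, "passwd OLD-PASSPHRASE NEW-PASSPHRASE", takes both secrets as positional command-line arguments, and the surrounding text at new lines 104-118 does not mention that. Suggest adding a sentence noting that arguments given this way can be recorded in shell history and seen in process listings on the management host, so readers know to run the command from a trusted session. Minor style point in the same region: the heading at new line 100 uses "PASS PHRASES" while lines 104-117 use "passphrase"; pick one spelling.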
65
122
Let's assume for our examples that the following VACM and USM