- create and maintain SNMPv3 users on a remote entity
snmpusm [common options] AGENT create user [clonefrom-user]
snmpusm [common options] AGENT delete user
snmpusm [common options] AGENT cloneFrom user clonefrom-user
snmpusm [common options] [-Co] [-Ca] [-Cx] AGENT passwd old-passphrase new-passphrase
The snmpusm utility is an SNMP application that can be used to do simple maintenance on an SNMP agent's User-based Security Module (USM) table. The user needs write access to the usmUserTable MIB table. You can create, delete, clone, and change the passphrase of users configured on a running SNMP agent.
The SNMPv3 USM specifications (see RFC 3414) dictate that users are created and maintained by adding and modifying rows to the usmUserTable MIB table. To create a new user you simply create the row using snmpset(1M). User's profiles contain private keys that are never transmitted over the wire in clear text, regardless of whether the administration requests are encrypted.
The secret key for a user is initially set by cloning another user in the table, so that a new user inherits the cloned user's secret key. A user can be cloned only once, however, after which they must be deleted and re-created to be re-cloned. The authentication and privacy security types are also inherited during this cloning (for example, MD5 vs. SHA1). To change the secret key for a user, you must know the user's old passphrase as well as the new one. The passwd subcommand of the snmpusm command requires both the new and the old passphrases be supplied. After cloning from the appropriate template, you should immediately change the new user's passphrase.
The Net-SNMP agent must first be initialized so that at least one user is setup in it before you can use this command to clone new ones. See the snmpd.conf(4) manual page for a description of the createUser configuration parameter.
Passphrases must be a minimum of eight characters in length.
See snmpcmd(1M) for a description of common options.
Assume for our examples that the following VACM and USM configurations lines are in the snmpd.conf file for a Net-SNMP agent. These lines set up a default user named initial with the authentication passphrase setup_passphrase. Establishing these parameters enables the initial setup of an agent.
# VACM configuration entries rwuser initial # The name of the new user that is going to be created rwuser wes # USM configuration entries createUser initial MD5 setup_passphrase DES
Note that the initial user's setup should be removed after creating a real user to whom you grant administrative privileges. The real user is wes in this example.
Example 1 Creating a New User
The following command creates a new user, wes, which is cloned from initial. wes inherits that user's passphrase, setup_passphrase.
# snmpusm -v3 -u initial -n "" -l authNoPriv -a MD5 -A setup_passphrase \ localhost create wes initial
Example 2 Changing the User's Passphrase
After creating the user wes with the same passphrase as the user initial, we need to change his passphrase for wes. The following command changes it from setup_passphrase, which was inherited from initial, to new_passphrase.
# snmpusm -v 3 -u wes -n "" -l authNoPriv -a MD5 -A setup_passphrase \ localhost passwd setup_passphrase new_passphrase
Example 3 Testing the New User
If the preceding commands were successful, the following command should perform an authenticated SNMPv3 GET request to the agent.
# snmpget -v 3 -u wes -n "" -l authNoPriv -a MD5 -A new_passphrase \ localhost sysUpTime.0
Following a successful test, remove the VACM group snmpd.conf entry for the user initial. At this point, you have a valid user wes that you can use for future transactions.
A usage syntax error. A usage message is displayed. Also used for timeout errors.
An error occurred while executing the command. An error message is displayed.
See attributes(5) for descriptions of the following attributes: