snmpusm.1.def
Uploaded by: wxp200602
Upload date: 2007-10-30
Package size: 4028k
File size: 7k
- .TH SNMPUSM 1 "08 Feb 2002" VVERSIONINFO "Net-SNMP"
- .UC 4
- .SH NAME
- snmpusm - creates and maintains SNMPv3 users on a network entity
- .SH SYNOPSIS
- .B snmpusm
- [COMMON OPTIONS]
- .B create
- USER [CLONEFROM-USER]
- .br
- .B snmpusm
- [COMMON OPTIONS]
- .B delete
- USER
- .br
- .B snmpusm
- [COMMON OPTIONS]
- .B cloneFrom
- USER CLONEFROM-USER
- .br
- .B snmpusm
- [COMMON OPTIONS] [-Ca] [-Cx]
- .B passwd
- OLD-PASSPHRASE NEW-PASSPHRASE [USER]
- .br
- .B snmpusm
- [COMMON OPTIONS] <-Ca | -Cx> -Ck
- .B passwd
- OLD-LOCALIZED-KEY NEW-PASSPHRASE [USER]
- .br
- .B snmpusm
- [COMMON OPTIONS] [-Ca] [-Cx]
- .B changekey [USER]
- .SH DESCRIPTION
- .B snmpusm
- is an SNMP application that can be used to do simple maintenance on
- the users known to an SNMP agent, by manipulating the agent's
- User-based Security Model (USM) table, usmUserTable. The user issuing
- the requests needs write access to that MIB table. This tool can be
- used to create, delete, clone, and change the passphrase of users
- configured on a running SNMP agent.
- .SH OPTIONS
- .TP
- .BI -Ca
- Change the authentication key.
- .TP
- .BI -Cx
- Change the privacy key.
- .TP
- .BI -Ck
- Use old localized key instead of old passphrase. When this option
- is used, either the -Ca or -Cx (but not both) option must also be used.
- .SH CREATING USERS
- .PP
- An unauthenticated SNMPv3 user can be created using the command
- .IP
- .B snmpusm
- create USER
- .PP
- This constructs an (inactive) entry in the usmUserTable,
- with no authentication or privacy settings.
- In principle, this user should be usable for 'noAuthNoPriv' requests,
- but in practice the Net-SNMP agent will not allow such an entry
- to be made active.
- .PP
- In order to activate this entry, it is necessary to "clone" an existing
- user, using the command
- .IP
- .B snmpusm
- cloneFrom USER CLONEFROM-USER
- .PP
- The USER entry then inherits the same authentication and privacy
- settings (including pass phrases) as the CLONEFROM user.
- .PP
- These two steps can be combined into one, by using the command
- .IP
- .B snmpusm
- create USER CLONEFROM-USER
- .PP
- The two forms of the
- .B create
- sub-command require that the user being created does not already exist.
- The
- .B cloneFrom
- sub-command requires that the user being cloned to
- .I does
- already exist.
- .PP
- Cloning is the only way to specify which authentication and privacy
- protocols to use for a given user, and it is only possible to do this
- once. Subsequent attempts to reclone onto the same user will appear
- to succeed, but will be silently ignored.
- This (somewhat unexpected) behaviour is mandated by the SNMPv3
- USM specification (RFC 2574, later revised as RFC 3414).
- To change the authentication and privacy settings for a given user,
- it is necessary to delete and recreate the user entry.
- This is
- .I not
- necessary for simply changing the pass phrases (see below).
- This means that the agent must be initialized with at least one
- user for each combination of authentication and privacy protocols.
- See the
- .I snmpd.conf(5)
- manual page for details of the
- .B createUser
- configuration directive.
- .SH DELETING USERS
- A user can be deleted from the usmUserTable using the command
- .IP
- .B snmpusm
- delete USER
- .SH CHANGING PASS PHRASES
- User profiles contain secret keys that are never
- transmitted over the wire in clear text (regardless of whether the
- administration requests are encrypted or not): a passphrase change sends
- a KeyChange value computed from the old key, the new key and a random
- value, so an observer who does not already hold the old key learns
- nothing about the new one.
- To change the secret key for a user, it is therefore necessary to specify
- the user's old passphrase as well as the new one.
- This uses the command
- .IP
- .B snmpusm
- [-Ca] [-Cx] passwd OLD-PASSPHRASE NEW-PASSPHRASE [USER]
- .PP
- After cloning a new user entry from the appropriate template,
- you should immediately change the new user's passphrase.
- .PP
- If USER is not specified, this command will change the passphrase
- of the (SNMPv3) user issuing the command. If the -Ca or -Cx options
- are specified, then only the authentication or privacy keys are changed. If
- these options are not specified, then both the authentication and privacy keys
- are changed.
- .IP
- .B snmpusm
- [-Ca] [-Cx] changekey [USER]
- .PP
- This command changes the key in a way that provides perfect forward
- secrecy: the new key is agreed through a Diffie-Hellman exchange rather
- than being derived from a secret either side already held, so an attacker
- who later recovers the old key cannot reconstruct the new one from the
- captured exchange. The remote agent must support
- the SNMP-USM-DH-OBJECTS-MIB (RFC 2786) for this command to work. The resulting
- keys are printed to the console and may then be set in future command
- invocations using the --defAuthLocalizedKey and --defPrivLocalizedKey
- options or in your snmp.conf file using the defAuthLocalizedKey and
- defPrivLocalizedKey keywords. Treat the printed values as secrets: they
- are the user's actual localized keys for that agent, not passphrases
- from which keys are derived, and they belong in a file with restrictive
- permissions rather than in a shell history.
- .PP
- Note that since these keys are randomly generated based on a
- Diffie-Hellman exchange, they are no longer derived from a more easily
- typed password. They are, however, much more secure: there is no
- passphrase for an offline dictionary attack to guess.
- .PP
- To change from a localized key back to a password, the following variant
- of the
- .B passwd
- sub-command is used:
- .IP
- .B snmpusm
- <-Ca | -Cx> -Ck passwd OLD-LOCALIZED-KEY NEW-PASSPHRASE [USER]
- .PP
- Either the -Ca or the -Cx option must be specified. The OLD-LOCALIZED-KEY
- parameter is the localized key that was printed out by the
- .B changekey
- sub-command.
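- .PP
- The following Python script is an added worked example; it is not part of
- this manual page or of Net-SNMP. It reproduces the key handling behind the
- .B passwd
- sub-command described above: the passphrase-to-key and key-localization
- steps of RFC 3414 (checked against the RFC's "maplesyrup" test vectors, for
- MD5 and SHA-1) and the KeyChange computation that replaces an old key
- without the new key ever crossing the wire, which is why the old passphrase
- is required and why the localized-key variant of the command exists. The
- passphrases are the ones used in this page's examples; the engine ID is the
- one from the RFC's test vectors; the function names are the example's own.

```python
import hashlib
import os

# RFC 3414 A.2: repeat the passphrase to fill 1,048,576 bytes and hash it to get
# the user key Ku; then localize it to one agent as Kul = H(Ku||engineID||Ku),
# so the same passphrase yields a different key on every engine.
MEGABYTE = 1_048_576


def password_to_key(passphrase: bytes, hash_name: str) -> bytes:
    """Ku from a passphrase with "md5" or "sha1" (RFC 3414 A.2.1 / A.2.2)."""
    if len(passphrase) < 8:
        raise ValueError("passphrases must be at least 8 characters")
    reps = MEGABYTE // len(passphrase) + 1
    return hashlib.new(hash_name, (passphrase * reps)[:MEGABYTE]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Bind Ku to one agent: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def _keystream(key_old: bytes, random: bytes, length: int, hash_name: str) -> bytes:
    """Hash chain H(keyOld||random), H(prev||random), ... cut to `length` bytes,
    as in the KeyChange textual convention: one hash call per key block."""
    out, temp = b"", key_old
    while len(out) < length:
        temp = hashlib.new(hash_name, temp + random).digest()
        out += temp
    return out[:length]


def encode_keychange(key_old: bytes, key_new: bytes, hash_name: str, random=None) -> bytes:
    """Manager side of `snmpusm passwd`: the value written to the user's
    KeyChange object is random || (keystream XOR keyNew), never keyNew itself."""
    if len(key_old) != len(key_new):
        raise ValueError("old and new keys must have the same length")
    random = os.urandom(len(key_old)) if random is None else random
    stream = _keystream(key_old, random, len(key_new), hash_name)
    delta = bytes(s ^ n for s, n in zip(stream, key_new))
    return random + delta


def decode_keychange(key_old: bytes, keychange: bytes, hash_name: str) -> bytes:
    """Agent side: only the holder of keyOld turns the wire value back into keyNew."""
    n = len(key_old)
    random, delta = keychange[:n], keychange[n:]
    stream = _keystream(key_old, random, n, hash_name)
    return bytes(s ^ d for s, d in zip(stream, delta))


def passwd_round_trip(old_pass: bytes, new_pass: bytes, engine_id: bytes, hash_name: str = "md5"):
    """Model `snmpusm passwd OLD NEW` for a user cloned from the template, so it
    still holds the template's localized key.  Returns
    (key the agent installs, key the manager intended, bytes that crossed the wire)."""
    kul_old = localize_key(password_to_key(old_pass, hash_name), engine_id, hash_name)
    kul_new = localize_key(password_to_key(new_pass, hash_name), engine_id, hash_name)
    wire = encode_keychange(kul_old, kul_new, hash_name)
    installed = decode_keychange(kul_old, wire, hash_name)
    return installed, kul_new, wire


if __name__ == "__main__":
    # Engine ID from RFC 3414 A.3; passphrases from this page's examples.
    engine = bytes(11) + b"\x02"
    installed, intended, wire = passwd_round_trip(b"setup_passphrase", b"new_passphrase", engine)
    print("agent installs the intended key:", installed == intended)      # True
    print("new key visible on the wire:", intended in wire)                # False
    # Decoding with a wrong guess for the old key yields garbage, which is why
    # the passwd sub-command needs the old passphrase (or old localized key).
    wrong_old = localize_key(password_to_key(b"guess_passphrase", "md5"), engine, "md5")
    print("wrong old key recovers new key:", decode_keychange(wrong_old, wire, "md5") == intended)  # False
```

- .PP
- With -Ca only the authentication key goes through this exchange and with
- -Cx only the privacy key; without either, both are changed, each derived
- from the same new passphrase as the createUser line in the examples below
- does for the template user.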
- .SH EXAMPLES
- .PP
- Let's assume for our examples that the following VACM and USM
- configurations lines were in the snmpd.conf file for a Net-SNMP agent.
- These lines set up a default user called "initial" with the
- authentication passphrase "setup_passphrase" so that we can perform
- the initial setup of an agent:
- .PP
- .RS
- .nf
- # VACM configuration entries
- rwuser initial
- # lets add the new user we'll create too:
- rwuser wes
- # USM configuration entries
- createUser initial MD5 setup_passphrase DES
- .fi
- .RE
- .PP
- Note: the "initial" user's setup should be removed after creating a
- real user that you grant administrative privileges to (like the user
- "wes" we'll be creating in this example).
- .PP
- Note: passphrases must be 8 characters
- .I minimum
- in length.
- .PP
- Note: MD5 and DES are used in this example because they are what the
- createUser line above specifies. On agents that support them, SHA
- authentication and AES privacy (createUser ... SHA ... AES in snmpd.conf,
- -a SHA and -x AES on the command line) are the stronger choice.
- .SS Create a new user
- .PP
- snmpusm -v 3 -u initial -n "" -l authNoPriv -a MD5 -A setup_passphrase
- localhost create wes initial
- .IP
- Creates a new user, here named "wes" using the user "initial" to do
- it. "wes" is cloned from "initial" in the process, so he inherits
- that user's passphrase ("setup_passphrase").
- .SS Change the user's passphrase
- .PP
- snmpusm -v 3 -u wes -n "" -l authNoPriv -a MD5 -A setup_passphrase
- localhost passwd setup_passphrase new_passphrase
- .IP
- After creating the user "wes" with the same passphrase as the
- "initial" user, we need to change his passphrase for him. The above
- command changes it from "setup_passphrase", which was inherited from
- the initial user, to "new_passphrase".
- .SS Test the new user
- .PP
- snmpget -v 3 -u wes -n "" -l authNoPriv -a MD5 -A new_passphrase
- localhost sysUpTime.0
- .IP
- If the above commands were successful, this command should have
- properly performed an authenticated SNMPv3 GET request to the agent.
- .PP
- Now remove the rwuser and createUser lines for "initial" from
- snmpd.conf, and delete the user from the running agent with
- .B snmpusm delete initial
- issued as "wes": the agent keeps users it has already created in its
- persistent configuration, so editing snmpd.conf alone does not remove
- them. You then have a valid user 'wes' that you can use for future
- transactions instead of initial.
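- .PP
- The following shell script is an added example, not part of this manual
- page or of Net-SNMP. It strings the steps above together with the checks an
- operator would want: it refuses passphrases shorter than 8 characters,
- refuses to keep the template's passphrase, verifies the new user with an
- authenticated GET before trusting it, and only then deletes the template
- user from the running agent. The host, user names, passphrases and
- protocol are those of this page's example; the SNMPUSM_RUN variable that
- gates execution and the function names are the script's own.

```shell
#!/bin/sh
# Bootstrap a real SNMPv3 administrative user from the "initial" template,
# as in the examples above, then retire the template.  Added example, not
# Net-SNMP's own code.  Set SNMPUSM_RUN=1 to actually talk to the agent;
# otherwise only the functions are defined.

AGENT="${AGENT:-localhost}"
AUTH_PROTO="${AUTH_PROTO:-MD5}"   # matches the createUser line above; prefer SHA where supported

# Net-SNMP rejects passphrases shorter than 8 characters; catch that before
# a half-finished create/passwd sequence leaves a cloned user behind.
check_passphrase() {
    [ "${#1}" -ge 8 ]
}

# Run a Net-SNMP command as USER with PASSPHRASE at authNoPriv.
# Usage: as_user USER PASSPHRASE COMMAND [sub-command and arguments...]
# Net-SNMP syntax is: COMMAND [options] AGENT sub-command args
as_user() {
    user="$1"; pass="$2"; cmd="$3"; shift 3
    "$cmd" -v 3 -u "$user" -n "" -l authNoPriv -a "$AUTH_PROTO" -A "$pass" "$AGENT" "$@"
}

# bootstrap_user TEMPLATE TEMPLATE_PASSPHRASE NEW_USER NEW_PASSPHRASE
bootstrap_user() {
    template="$1"; template_pass="$2"; new_user="$3"; new_pass="$4"

    check_passphrase "$new_pass" || { echo "passphrase too short (8 minimum)" >&2; return 1; }
    [ "$new_pass" != "$template_pass" ] || { echo "refusing to keep the template passphrase" >&2; return 1; }

    # 1. create NEW_USER as a clone of TEMPLATE (it inherits the template's keys)
    as_user "$template" "$template_pass" snmpusm create "$new_user" "$template" || return 1
    # 2. immediately replace the inherited passphrase; with no USER argument,
    #    passwd acts on the requesting user, and without -Ca/-Cx changes both keys
    as_user "$new_user" "$template_pass" snmpusm passwd "$template_pass" "$new_pass" || return 1
    # 3. prove the new credentials work before touching the template
    as_user "$new_user" "$new_pass" snmpget sysUpTime.0 >/dev/null || return 1
    # 4. retire the template from the running agent, acting as the new user
    as_user "$new_user" "$new_pass" snmpusm delete "$template" || return 1

    echo "user $new_user ready; now remove the rwuser/createUser lines for $template from snmpd.conf"
}

if [ "${SNMPUSM_RUN:-0}" = 1 ]; then
    bootstrap_user initial setup_passphrase wes new_passphrase
fi
```

- .PP
- Step 4 matters because the template user lives in the agent's
- usmUserTable, not only in snmpd.conf; the createUser and rwuser lines
- still have to go so the template is not recreated on the next restart.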
- .SH WARNING
- Manipulating the usmUserTable using this command can
- .I only
- be done using SNMPv3.
- This command will not work with the community-based versions,
- even if they have write access to the table.
- .SH "SEE ALSO"
- snmpd.conf(5), snmp.conf(5), RFC 2574