README.snmpv3
-------------

How to setup SNMPv3, a very brief document for Dave to elaborate and
do a better job on since I suck at writing documentation and he
doesn't ;-) --Wes:

Note: SHA authentication and DES/AES encryption support is only available
if you have OpenSSL installed or if you've compiled using
--with-openssl=internal. If you use --with-openssl=internal please
read the documentation in snmplib/openssl/README for important details.

Note: encryption support now *is* enabled in the binary releases downloadable
from the net-snmp web site.

Note: this description assumes you're using the software compiled from
source, and so installed using the default prefix location (/usr/local).
If you're working with a vendor-provided system, or have configured
things with a different prefix, you'll need to adjust locations accordingly.

CREATING THE FIRST USER:
------------------------
First, you need to create a new snmpv3 user and give them rights to
do things:

  net-snmp-config --create-snmpv3-user -a "my_password" myuser

WARNING: SNMPv3 pass phrases must be at least 8 characters long!

The above line creates the user "myuser" with a password of
"my_password" (and uses MD5 and DES for protection). (Note that
encryption support isn't enabled in the binary releases downloadable
from the net-snmp web site.) net-snmp-config will also add a line
to your snmpd.conf file to let that user have read/write access to
your agent. You may want to change this in your snmpd.conf file
(see the snmpd.conf manual page). Run net-snmp-config --help for
more information about it.

Start the agent and test your setup:

  /usr/local/sbin/snmpd

[...wait a few seconds... It will run in the background and
return you to your shell immediately.]

  snmpget -v 3 -u myuser -l authNoPriv -a MD5 -A my_password localhost sysUpTime.0

[ this should return information about how long your agent has been up ]

  snmpget -v 3 -u myuser -l authPriv -a MD5 -A my_password \
          -x DES -X my_password localhost sysUpTime.0

[ this should return similar information, but encrypts the transmission ]

CREATING A SECOND USER:
-----------------------
Start the agent (if you didn't do so above).

You can create as many users as you like using the above method, but
this details another way of doing it while the agent is running by
modifying the user database using the snmp protocol itself:

Now, let's create a second user using the first user (just for fun)
for both authentication purposes and as a template (or "cloning
source"):

  snmpusm -v 3 -u myuser -l authNoPriv -a MD5 -A my_password localhost create wes myuser

The above should have created the user "wes" with the same password as
the "myuser" user. So then, you need to change his password using:

  snmpusm -v 3 -u wes -l authNoPriv -a MD5 -A my_password localhost passwd my_password new_passphrase

See, wasn't that easy? You can now create users. Wheeee....

But, you'll have to add a configuration line that allows them access
to do things. Do this with another "rwuser" line in your
/usr/local/share/snmp/snmpd.conf file (you'll need to stop and start
the agent again, or send the agent a SIGHUP signal):

  rwuser wes

Or, optionally, use the "rouser" token instead of the "rwuser" token to
only grant them read-only access.

Now, test your new user:

  snmpget -v 3 -u wes -l authNoPriv -a MD5 -A new_passphrase localhost sysUpTime.0
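What happens to the -A passphrase in the snmpget/snmpusm commands above, why "wes" shares "myuser"'s key until snmpusm passwd changes it, and what that passwd command actually sends: an added worked example (not net-snmp code) of the RFC 3414 password-to-key, key-localization and KeyChange steps. Function names are mine; the engine ID and passphrase are the RFC 3414 Appendix A sample values, used here so the result can be compared with the RFC's published key.

```python
"""RFC 3414 USM key handling behind -A passphrases and 'snmpusm passwd'.
Added example, not net-snmp code; sample engine ID and keys are constructed."""
import hashlib
import os

EXPANDED_LEN = 1048576  # RFC 3414 A.2: hash exactly 1 MiB of the repeated passphrase

def password_to_ku(password: bytes, hash_name: str = "md5") -> bytes:
    """Step 1: user key Ku = H(passphrase repeated to 1 MiB). The 1 MiB
    expansion is the stretching that makes guessing a passphrase expensive."""
    reps, rem = divmod(EXPANDED_LEN, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()

def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Step 2: Kul = H(Ku || snmpEngineID || Ku), the key the agent stores.
    Binding Ku to the engine ID means a key copied from one agent's user
    database is useless against another agent, even with the same passphrase."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()

def password_to_localized_key(password: bytes, engine_id: bytes,
                              hash_name: str = "md5") -> bytes:
    if len(password) < 8:  # the README's WARNING; the net-snmp tools enforce it too
        raise ValueError("SNMPv3 pass phrases must be at least 8 characters long")
    return localize_key(password_to_ku(password, hash_name), engine_id, hash_name)

def key_change(old_key: bytes, new_key: bytes, hash_name: str = "md5",
               random: bytes = b"") -> bytes:
    """KeyChange value (RFC 3414 2.6) that 'snmpusm passwd' sends:
    random || (H(old_key || random) XOR new_key). The new key never travels
    in the clear and only a holder of old_key can recover it. Covers keys no
    longer than one hash output (MD5 and SHA-1 keys)."""
    if not len(old_key) == len(new_key) <= hashlib.new(hash_name).digest_size:
        raise ValueError("keys must be equal length and fit in one hash output")
    random = random or os.urandom(len(old_key))
    temp = hashlib.new(hash_name, old_key + random).digest()
    delta = bytes(t ^ n for t, n in zip(temp, new_key))
    return random + delta

def apply_key_change(old_key: bytes, change: bytes, hash_name: str = "md5") -> bytes:
    """Agent side: new_key = H(old_key || random) XOR delta."""
    n = len(old_key)
    random, delta = change[:n], change[n:]
    temp = hashlib.new(hash_name, old_key + random).digest()
    return bytes(t ^ d for t, d in zip(temp, delta))

# Constructed sample: the engine ID and passphrase from RFC 3414 Appendix A,
# so MYUSER_KEY can be compared with the RFC's published localized key.
ENGINE_ID = bytes(11) + b"\x02"
MYUSER_KEY = password_to_localized_key(b"maplesyrup", ENGINE_ID)
```

The -X privacy passphrase goes through the same two steps, which is why a cloned user also inherits the clone source's privacy key until it is changed.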


FURTHER STUDIES:
---------------

Tired of all those command line authentication options?
----------------------------------------
Put something like this in your $HOME/.snmp/snmp.conf file (make it
readable only by you!!!):

  defSecurityName wes
  defContext ""
  defAuthType MD5
  defSecurityLevel authNoPriv
  defAuthPassphrase new_passphrase
  defVersion 3

With this in place, the last of the above example lines boils down to:

  snmpget localhost sysUpTime.0

Which is about as simple as I can make it for ya ;-)