.TH SNMPD 8 "30 Jun 2010" VVERSIONINFO "Net-SNMP"

.SH NAME

snmpd - daemon to respond to SNMP request packets.

.SH SYNOPSIS

.B snmpd

[OPTIONS] [LISTENING ADDRESSES]

.SH DESCRIPTION

.B snmpd

is an SNMP agent which binds to a port and awaits requests from

SNMP management software.  Upon receiving a request, it processes the

request(s), collects the requested information and/or performs the

requested operation(s) and returns the information to the sender.

.SH OPTIONS

.TP 8

.B \-a

Log the source addresses of incoming requests.

.TP

.B \-A

Append to the log file rather than truncating it.

.TP

.B "\-c" \fIFILE

Read 

.I FILE

as a configuration file

(or a comma-separated list of configuration files).  Note that the loaded

file will only understand snmpd.conf tokens, unless the configuration type

is specified in the file as described in the snmp_config man page under

SWITCHING CONFIGURATION TYPES IN MID-FILE.

.TP

.B \-C

Do not read any configuration files except the ones optionally specified by the 

.B \-c 

option.

Note that this behaviour also covers the persistent configuration files.

This may result in dynamically-assigned values being reset following an

agent restart, unless the relevant persistent config files are

explicitly loaded using the

.B \-c 

option.

.TP

.B \-d

Dump (in hexadecimal) the sent and received SNMP packets.

.TP

.B \-D\fI[TOKEN[,...]]

Turn on debugging output for the given

.IR "TOKEN" "(s)."

Without any tokens specified, it defaults to printing all the tokens

(which is equivalent to the keyword "ALL").

You might want to try

.IR ALL

for extremely verbose output.  Note: You can not put a space between

the \-D flag and the listed TOKENs.

.TP

.B \-f

Do not fork() from the calling shell.

.TP

.B \-g \fIGID

Change to the numerical group ID

.I GID

after opening listening sockets.

.TP

.B \-h, \-\-help

Display a brief usage message and then exit.

.TP

.B \-H

Display a list of configuration file directives understood by the

agent and then exit.

.TP

.B \-I \fI[\-]INITLIST

Specifies which modules should (or should not) be initialized

when the agent starts up.  If the comma-separated

.I INITLIST

is preceded

with a '\-', it is the list of modules that should \fInot\fR be started.

Otherwise this is the list of the \fIonly\fR modules that should be started.

To get a list of compiled modules, run the agent with the arguments

.I "\-Dmib_init \-H"

(assuming debugging support has been compiled in).

.TP

.B \-L[eEfFoOsSnN]

Specify where logging output should be directed (standard error or output,

to a file or via syslog).  See LOGGING OPTIONS in snmpcmd(1) for details.

.TP

.BR \-m " \fIMIBLIST"

Specifies a colon separated list of MIB modules to load for this

application.  This overrides the environment variable MIBS.

See \fIsnmpcmd(1)\fR for details.

.TP

.BR \-M " \fIDIRLIST"

Specifies a colon separated list of directories to search for MIBs.

This overrides the environment variable MIBDIRS.

See \fIsnmpcmd(1)\fR for details.

.TP

.B \-n \fINAME

Set an alternative application name (which will affect the

configuration files loaded).

By default this will be \fIsnmpd\fR, regardless of the name

of the actual binary.

.TP

.B \-p \fIFILE

Save the process ID of the daemon in

.IR FILE "."

.TP 

.B \-q

Print simpler output for easier automated parsing.

.TP

.B \-r

Do not require root access to run the daemon.  Specifically, do not exit

if files only accessible to root (such as /dev/kmem etc.) cannot be

opened.

.TP

.B \-u \fIUID

Change to the user ID

.I UID

(which can be given in numerical or textual form) after opening

listening sockets.

.TP

.B \-U

Instructs the agent to not remove its pid file (see the

.B \-p

option) on shutdown. Overrides the leave_pidfile token in the

.I snmpd.conf

file, see

.I snmpd.conf(5).

.TP

.B \-v, \-\-version

Print version information for the agent and then exit.

.TP

.B \-V

Symbolically dump SNMP transactions.

.TP

.B \-x \fIADDRESS

Listens for AgentX connections on the specified address

rather than the default AGENTX_SOCKET.

The address can either be a Unix domain socket path,

or the address of a network interface.  The format is the same as the

format of listening addresses described below.

.TP

.B \-X

Run as an AgentX subagent rather than as an SNMP master agent.

.TP

.BI \-\- "name"="value"

Allows one to specify any token ("name") supported in the

.I snmpd.conf

file and sets its value to "value". Overrides the corresponding token in the

.I snmpd.conf

file. See

.I snmpd.conf(5)

for the full list of tokens.

.SH LISTENING ADDRESSES

By default,

.B snmpd

listens for incoming SNMP requests on UDP port 161 on all IPv4 interfaces.

However, it is possible to modify this behaviour by specifying one or more

listening addresses as arguments to \fBsnmpd\fR.

A listening address takes the form:

.IP

[<transport-specifier>:]<transport-address>

.PP

At its simplest, a listening address may consist only of a port

number, in which case

.B snmpd

listens on that UDP port on all IPv4 interfaces.  Otherwise, the

<transport-address> part of the specification is parsed according to

the following table:

.RS 4

.TP 28

.BR "<transport-specifier>"

.BR "<transport-address> format"

.IP "udp \fI(default)\fR" 28

hostname[:port]

.I or

IPv4-address[:port]

.IP "tcp" 28

hostname[:port]

.I or

IPv4-address[:port]

.IP "unix" 28

pathname

.IP "ipx" 28

[network]:node[/port]

.TP 28 

.IR "" "aal5pvc " or " pvc"

[interface.][VPI.]VCI

.TP 28

.IR "" "udp6 " or " udpv6 " or " udpipv6"

hostname[:port]

.I or

IPv6-address[:port]

.TP 28

.IR "" "tcp6 " or " tcpv6 " or " tcpipv6"

hostname[:port]

.I or

IPv6-address[:port]

.TP 28

.IR "" "ssh"

hostname:port

.TP 28

.IR "" "dtlsudp"

hostname:port

.RE

.PP

Note that <transport-specifier> strings are case-insensitive so that,

for example, "tcp" and "TCP" are equivalent.  Here are some examples,

along with their interpretation:

.TP 24

.IR "127.0.0.1:161"

listen on UDP port 161, but only on the loopback interface.  This

prevents

.B snmpd

being queried remotely.  The  port specification ":161" is

not strictly necessary since that is the default SNMP port.

.TP 24

.IR "TCP:1161"

listen on TCP port 1161 on all IPv4 interfaces.

.TP 24

.IR "ipx:/40000"

listen on IPX port 40000 on all IPX interfaces.

.TP 24

.IR "unix:/tmp/local\-agent"

listen on the Unix domain socket \fI/tmp/local\-agent\fR.

.TP 24

.IR "/tmp/local\-agent"

is identical to the previous specification, since the Unix domain is

assumed if the first character of the <transport-address> is '/'.

.TP 24

.IR "PVC:161"

listen on the AAL5 permanent virtual circuit with VPI=0 and VCI=161

(decimal) on the first ATM adapter in the machine.

.TP 24

.IR "udp6:10161"

listen on port 10161 on all IPv6 interfaces.

.TP 24

.IR "ssh:127.0.0.1:22"

Allows connections from the snmp subsystem on the ssh server on port

22.  The details of using SNMP over SSH are defined below.

.TP 24

.IR "dtlsudp:127.0.0.1:9161"

Listen for connections over DTLS on UDP port 9161.  The snmp.conf file

must have the

.IR serverCert,

configuration tokens defined.

.PP

Note that not all the transport domains listed above will always be

available; for instance, hosts with no IPv6 support will not be able

to use udp6 transport addresses, and attempts to do so will result in

the error "Error opening specified endpoint".  Likewise, since AAL5

PVC support is only currently available on Linux, it will fail with

the same error on other platforms.

.SH Transport Specific Notes

.RS 0

.TP 8

ssh

The SSH transport, on the server side, is actually just a unix

named pipe that can be connected to via a ssh subsystem configured in

the main ssh server.  The pipe location (configurable with the

sshtosnmpsocket token in snmp.conf) is

.I /var/net\-snmp/sshtosnmp.

Packets should be submitted to it via the sshtosnmp application, which

also sends the user ID as well when starting the connection.  The TSM

security model should be used when packets should process it.

.IP

The

.I sshtosnmp

command knows how to connect to this pipe and talk to

it.  It should be configured in the

.IR "OpenSSH sshd"

configuration file (which is normally

.IR "/etc/ssh/sshd_config"

using the following configuration line:

.TP 8

.IP

Subsystem snmp /usr/local/bin/sshtosnmp

.IP

The

.I sshtosnmp

command will need read/write access to the 

.I /var/net\-snmp/sshtosnmp

pipe.  Although it should be fairly safe to grant access to the

average user since it still requires modifications to the ACM settings

before the user can perform operations, paranoid administrators may

want to make the /var/net\-snmp directory accessible only by users in a

particular group.  Use the

.I sshtosnmpsocketperms

snmp.conf configure option to set the permissions, owner and group of

the created socket.

.IP

Access control can be granted to the user "foo" using the following

style of simple snmpd.conf settings:

.TP 8

.IP

rouser \-s tsm foo authpriv

.IP

Note that "authpriv" is acceptable assuming as SSH protects everything

that way (assuming you have a non-insane setup).

snmpd has no notion of how SSH has actually protected a packet and

thus the snmp agent assumes all packets passed through the SSH

transport have been protected at the authpriv level.

.TP 8

dtlsudp

The DTLS protocol, which is based off of TLS, requires both client and

server certificates to establish the connection and authenticate both

sides.  In order to do this, the client will need to configure the

snmp.conf file

with the

.IR clientCert

configuration tokens.  The server will need to configure the snmp.conf

file with the

.IR serverCert

configuration tokens defined.

.IP

Access control setup is similar to the ssh transport as the TSM

security model should be used to protect the packet.

.RE

.SH CONFIGURATION FILES

.PP

.B snmpd

checks for the existence of and parses the following files:

.TP 6

.B SYSCONFDIR/snmp/snmp.conf

Common configuration for the agent and applications. See

.I snmp.conf(5)

for details.

.TP

.B SYSCONFDIR/snmp/snmpd.conf

.TP

.B SYSCONFDIR/snmp/snmpd.local.conf

Agent-specific configuration.  See

.I snmpd.conf(5)

for details.  These files are optional and may be used to configure

access control, trap generation, subagent protocols and much else

besides.

.IP

In addition to these two configuration files in SYSCONFDIR/snmp, the

agent will read any files with the names

.I snmpd.conf

and

.I snmpd.local.conf

in a colon separated path specified in the

SNMPCONFPATH environment variable.

.TP

.B DATADIR/snmp/mibs/

The agent will also load all files in this directory as MIBs.  It will

not, however, load any file that begins with a '.' or descend into

subdirectories.

.SH SEE ALSO

(in recommended reading order)

.PP

snmp_config(5),

snmp.conf(5),

snmpd.conf(5)

.\" Local Variables:

.\"  mode: nroff

.\" End: