NetAdminTools.com
 


Setting up SNMPv3 Users
Topic: Monitoring   Posted:2005-11-11
[Note: for a Windows version of these instructions, see this article]

SNMP version 3 supports authentication. An agent can be configured so that you need a user name and password before you can request information from it. If you install from binary packages, make sure you have the net-snmp-devel package; we used yum to retrieve it for this article. Let's set up a user. First, stop the snmpd service:

[root@srv-1 usr-1]# /etc/init.d/snmpd stop
Stopping snmpd:                                            [  OK  ]
[root@srv-1 usr-1]#

Let's create a read-only user called netadmin with the password netadminpassword:

[root@srv-1 usr-1]# net-snmp-config --create-snmpv3-user -ro -a "netadminpassword" netadmin
adding the following line to /var/net-snmp/snmpd.conf:
createUser netadmin MD5 "netadminpassword" DES
adding the following line to /usr/share/snmp/snmpd.conf:
rouser netadmin
[root@srv-1 usr-1]# cat /var/net-snmp/snmpd.conf
createUser netadmin MD5 "netadminpassword" DES
[root@srv-1 usr-1]# cat /usr/share/snmp/snmpd.conf
rouser netadmin

Start the snmpd service back up:

[root@srv-1 usr-1]# /etc/init.d/snmpd start
Starting snmpd:                                            [  OK  ]
[root@srv-1 usr-1]# 

Check out what happens to the /var/net-snmp/snmpd.conf file:

[root@srv-1 usr-1]# cat /var/net-snmp/snmpd.conf
.
.
.
usmUser 1 3 0x800007e580562c512f61f77443 0x6e657461646d696e00 
0x6e657461646d696e00 NULL .1.3.6.1.6.3.10.1.1.2 
0x1701cbd1feb64559cf18f81fecb60965 .1.3.6.1.6.3.10.1.2.2 
0x1701cbd1feb64559cf18f81fecb60965 ""
engineBoots 1
oldEngineID 0x800007e580562c512f61f77443
[root@srv-1 usr-1]#

This keeps the plaintext passphrase out of the file: when snmpd starts, the createUser line is replaced by a usmUser line that holds keys derived from the passphrase rather than the passphrase itself. To authenticate against this agent, we can type on the command line:

[root@clienttest ~]# snmpget -v 3 -u netadmin -l authNoPriv -a MD5 -A netadminpassword 10.50.100.1 sysUpTime.0
SNMPv2-MIB::sysUpTime.0 = Timeticks: (6934) 0:01:09.34

With a different password this fails:

[root@clienttest ~]# snmpget -v 3 -u netadmin -l authNoPriv -a MD5 -A netadmnpassword 10.50.100.1 sysUpTime.0
snmpget: Authentication failure (incorrect password, community or key)
[root@clienttest ~]#
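
The keys in the usmUser line shown earlier are produced by the RFC 3414 password-to-key algorithm, which hashes the passphrase and then ties the result to the agent's engine ID. The Python below is an added example, not code from the original article or from Net-SNMP; the function names are hypothetical and the usmUser field positions are an assumption read off the article's sample line.

```python
import hashlib

MEGABYTE = 1048576  # RFC 3414 A.2 hashes exactly this many bytes of passphrase

def localized_key(passphrase: str, engine_id: bytes, algo: str = "md5") -> bytes:
    """Ku = H(first 1 MiB of the repeated passphrase); Kul = H(Ku || engineID || Ku)."""
    pw = passphrase.encode()
    if not pw:
        raise ValueError("empty passphrase")
    stream = (pw * (MEGABYTE // len(pw) + 1))[:MEGABYTE]
    ku = hashlib.new(algo, stream).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()

# usmHMACMD5AuthProtocol and usmHMACSHAAuthProtocol
AUTH_PROTOCOLS = {".1.3.6.1.6.3.10.1.1.2": "md5", ".1.3.6.1.6.3.10.1.1.3": "sha1"}

# The usmUser line from the article's output, joined back onto one line.
PAGE_LINE = ('usmUser 1 3 0x800007e580562c512f61f77443 0x6e657461646d696e00 '
             '0x6e657461646d696e00 NULL .1.3.6.1.6.3.10.1.1.2 '
             '0x1701cbd1feb64559cf18f81fecb60965 .1.3.6.1.6.3.10.1.2.2 '
             '0x1701cbd1feb64559cf18f81fecb60965 ""')

def unhex(token: str) -> bytes:
    """Decode a 0x-prefixed hex token from the persistent file."""
    return bytes.fromhex(token[2:])

def parse_usm_user(line: str) -> dict:
    """Split a usmUser line (field positions assumed from the article's sample)."""
    f = line.split()
    if len(f) < 11 or f[0] != "usmUser":
        raise ValueError("not a usmUser line")
    return {
        "engine_id": unhex(f[3]),
        "name": unhex(f[4]).rstrip(b"\0").decode(),
        "auth_algo": AUTH_PROTOCOLS.get(f[7]),  # None if the OID is not listed
        "auth_key": unhex(f[8]),
        "priv_key": unhex(f[10]),
    }

if __name__ == "__main__":
    # Print the stored key next to one derived from the article's passphrase.
    user = parse_usm_user(PAGE_LINE)
    derived = localized_key("netadminpassword", user["engine_id"], user["auth_algo"])
    print(user["name"], "stored :", user["auth_key"].hex())
    print(user["name"], "derived:", derived.hex())
```

The stored key is what the agent uses to verify requests, so /var/net-snmp/snmpd.conf needs the same protection as the passphrase itself.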

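Note that these settings can be stored in an snmp.conf file in ~/.snmp, so they do not have to be typed on every command line (the file then holds the passphrase in plain text, so keep it readable only by its owner):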

[root@clienttest ~]# mkdir ~/.snmp
[root@clienttest ~]# snmpget 10.50.100.1 sysUpTime.0 
snmpget: No securityName specified
[root@clienttest ~]# vi ~/.snmp/snmp.conf
[root@clienttest ~]# snmpget 10.50.100.1 sysUpTime.0
SNMPv2-MIB::sysUpTime.0 = Timeticks: (24474) 0:04:04.74
[root@clienttest ~]# cat ~/.snmp/snmp.conf
defSecurityName netadmin
defContext ""
defAuthType MD5
defSecurityLevel authNoPriv
defAuthPassphrase netadminpassword
defVersion 3
[root@clienttest ~]#

This is very much better than being able to get this data simply because you know the community string.

For more documentation on the configuration, see this page.



