
Setting up SNMPv3 Users





[Note: for a Windows version of these instructions, see this article]

SNMP version 3 supports authentication: an agent can be configured so that you need a user name and password before you can request information from it. If you are installing from binary packages, make sure you have the net-snmp-devel package; we used yum to retrieve it for this article. Let's set up a user. First, stop the snmpd service:

[root@srv-1 usr-1]# /etc/init.d/snmpd stop
Stopping snmpd:                                            [  OK  ]
[root@srv-1 usr-1]#

Let's create a read-only user called netadmin with the password netadminpassword:

[root@srv-1 usr-1]# net-snmp-config --create-snmpv3-user -ro -a "netadminpassword" netadmin
adding the following line to /var/net-snmp/snmpd.conf:
createUser netadmin MD5 "netadminpassword" DES
adding the following line to /usr/share/snmp/snmpd.conf:
rouser netadmin
[root@srv-1 usr-1]# cat /var/net-snmp/snmpd.conf
createUser netadmin MD5 "netadminpassword" DES
[root@srv-1 usr-1]# cat /usr/share/snmp/snmpd.conf
rouser netadmin

Start the snmpd service back up:

[root@srv-1 usr-1]# /etc/init.d/snmpd start
Starting snmpd:                                            [  OK  ]
[root@srv-1 usr-1]# 

Check out what happens to the /var/net-snmp/snmpd.conf file:

[root@srv-1 usr-1]# cat /var/net-snmp/snmpd.conf
.
.
.
usmUser 1 3 0x800007e580562c512f61f77443 0x6e657461646d696e00 
0x6e657461646d696e00 NULL .1.3.6.1.6.3.10.1.1.2 
0x1701cbd1feb64559cf18f81fecb60965 .1.3.6.1.6.3.10.1.2.2 
0x1701cbd1feb64559cf18f81fecb60965 ""
engineBoots 1
oldEngineID 0x800007e580562c512f61f77443
[root@srv-1 usr-1]#

This keeps the plain text password out of the file: when snmpd is started, the createUser line is overwritten with a usmUser entry that holds keys derived from the password. To authenticate against this, we can type on the command line:

[root@clienttest ~]# snmpget -v 3 -u netadmin -l authNoPriv -a MD5 -A netadminpassword 10.50.100.1 sysUpTime.0
SNMPv2-MIB::sysUpTime.0 = Timeticks: (6934) 0:01:09.34

With a different password this fails:

[root@clienttest ~]# snmpget -v 3 -u netadmin -l authNoPriv -a MD5 -A netadmnpassword 10.50.100.1 sysUpTime.0
snmpget: Authentication failure (incorrect password, community or key)
[root@clienttest ~]#

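Note that these settings can be put in an snmp.conf file in ~/.snmp (the passphrase is stored there in plain text, so keep the file readable only by its owner):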

[root@clienttest ~]# mkdir ~/.snmp
[root@clienttest ~]# snmpget 10.50.100.1 sysUpTime.0 
snmpget: No securityName specified
[root@clienttest ~]# vi ~/.snmp/snmp.conf
[root@clienttest ~]# snmpget 10.50.100.1 sysUpTime.0
SNMPv2-MIB::sysUpTime.0 = Timeticks: (24474) 0:04:04.74
[root@clienttest ~]# cat ~/.snmp/snmp.conf
defSecurityName netadmin
defContext ""
defAuthType MD5
defSecurityLevel authNoPriv
defAuthPassphrase netadminpassword
defVersion 3
[root@clienttest ~]#

So very much better than being able to get this data simply because you know the community string.

For more documentation on the configuration, see this page.
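
The usmUser entry that replaced the createUser line can be taken apart to see what it stores. The following is an added example, not code from the original article or from net-snmp: it implements the RFC 3414 password-to-key derivation for MD5 and decodes the usmUser line shown earlier. The field layout is read off that output, and that the stored key is this localized key is an assumption you can check by running the script.

```python
import hashlib

# usmUser line from the /var/net-snmp/snmpd.conf output above, joined onto one line.
USM_LINE = ('usmUser 1 3 0x800007e580562c512f61f77443 0x6e657461646d696e00 '
            '0x6e657461646d696e00 NULL .1.3.6.1.6.3.10.1.1.2 '
            '0x1701cbd1feb64559cf18f81fecb60965 .1.3.6.1.6.3.10.1.2.2 '
            '0x1701cbd1feb64559cf18f81fecb60965 ""')

# Protocol OIDs that appear in that line (names from SNMP-USER-BASED-SM-MIB).
PROTOCOLS = {".1.3.6.1.6.3.10.1.1.2": "usmHMACMD5AuthProtocol",
             ".1.3.6.1.6.3.10.1.2.2": "usmDESPrivProtocol"}


def password_to_key_md5(passphrase: bytes) -> bytes:
    """RFC 3414 A.2.1: MD5 over the passphrase repeated out to exactly 1 MiB."""
    if not passphrase:
        raise ValueError("empty passphrase")
    total = 1024 * 1024
    stream = (passphrase * (total // len(passphrase) + 1))[:total]
    return hashlib.md5(stream).digest()


def localize_md5(ku: bytes, engine_id: bytes) -> bytes:
    """Bind the user key to one agent: Kul = MD5(Ku || engineID || Ku)."""
    return hashlib.md5(ku + engine_id + ku).digest()


def unhex(field: str) -> bytes:
    """Decode a 0x-prefixed hex field."""
    return bytes.fromhex(field[2:])


def parse_usm_user(line: str) -> dict:
    """Pick out the fields used here; layout assumed from the output shown above."""
    f = line.split()
    return {"engine_id": unhex(f[3]),
            "name": unhex(f[4]).rstrip(b"\0").decode(),
            "auth_proto": PROTOCOLS.get(f[7], f[7]), "auth_key": unhex(f[8]),
            "priv_proto": PROTOCOLS.get(f[9], f[9]), "priv_key": unhex(f[10])}


if __name__ == "__main__":
    user = parse_usm_user(USM_LINE)
    ku = password_to_key_md5(b"netadminpassword")
    derived = localize_md5(ku, user["engine_id"])
    print(user["name"], user["auth_proto"], user["priv_proto"])
    print("stored auth key :", user["auth_key"].hex())
    print("derived from pw :", derived.hex())
```

Because the key is a deterministic function of the passphrase and the engine ID, /var/net-snmp/snmpd.conf deserves the same file protection as the passphrase itself.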



This article comes from NetAdminTools:
http://www.netadmintools.com/

The URL for this story is:
http://www.netadmintools.com/art485.html

Copyright 1997-2009 NetAdminTools.com.