Uma,

Perhaps the confusion is because there are two different files named
snmpd.conf.  Where they are located depends on the system configuration;
mine are in /etc/snmp/snmpd.conf and /var/lib/net-snmp/snmpd.conf .

If you put the createUser command in /etc/snmp/snmpd.conf, it will remain
there, because snmpd does not touch that file.  The snmpd.conf man page
says, in part:

       createUser [-e ENGINEID] username (MD5|SHA) authpassphrase [DES|AES] [privpassphrase]

...

              This directive should be placed into the /var/db/net-snmp/snmpd.conf file
              instead of the other normal locations.  The reason is that the information
              is read from the file and then the line is removed (eliminating the storage
              of the master password for that user) and replaced with the key that is
              derived from it.  This key is a localized key, so that if it is stolen it
              can not be used to access other agents.  If the password is stolen, however,
              it can be.

The proper steps to use this mechanism:
1. stop snmpd
2. put the createUser command in your /var/lib/net-snmp/snmpd.conf (see the
snmpd.conf man page for the right location on your system)
3. start snmpd

At this point you can look at /var/lib/net-snmp/snmpd.conf and see that
your createUser command was replaced by one with localized keys.

  Bill
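
Added example, not part of the original message and not Net-SNMP's own code: the RFC 3414 password-to-key and key-localization steps for SHA-1, showing why the key that replaces the createUser line is only valid for one agent. The engine IDs for "agent A" and "agent B" are constructed values; the passphrase is the one from this thread.

```python
import hashlib

def password_to_key(passphrase: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 3414 A.2: hash the first 1 MiB of the repeated passphrase (Ku)."""
    if len(passphrase) < 8:
        raise ValueError("USM passphrases must be at least 8 bytes")
    total = 1048576
    reps = total // len(passphrase) + 1
    stream = (passphrase * reps)[:total]
    return hashlib.new(hash_name, stream).digest()

def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()

def localized_from_passphrase(passphrase: bytes, engine_id: bytes) -> bytes:
    """Passphrase -> Ku -> localized key bound to one engine ID."""
    return localize_key(password_to_key(passphrase), engine_id)

# Constructed engine IDs standing in for two different agents (assumptions).
ENGINE_A = bytes.fromhex("80001f8880a1b2c3d4e5f60718")
ENGINE_B = bytes.fromhex("80001f88800102030405060708")
PASSPHRASE = b"watchThis123"  # passphrase quoted in the thread

def compare_agents() -> dict:
    """Same passphrase, two agents: the stored localized keys differ."""
    key_a = localized_from_passphrase(PASSPHRASE, ENGINE_A)
    key_b = localized_from_passphrase(PASSPHRASE, ENGINE_B)
    return {"agent_a": key_a.hex(), "agent_b": key_b.hex(),
            "reusable_across_agents": key_a == key_b}

if __name__ == "__main__":
    result = compare_agents()
    print("agent A localized key:", result["agent_a"])
    print("agent B localized key:", result["agent_b"])
    print("key from A works on B:", result["reusable_across_agents"])
```

A plaintext createUser line left in /etc/snmp/snmpd.conf exposes the passphrase, from which the key for every agent sharing it can be recomputed this way; the localized key in the persistent file does not allow that.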




On Tue, Jan 7, 2020 at 7:22 AM Uma Mohandoss via Net-snmp-users <
net-snmp-users@lists.sourceforge.net> wrote:

> Michael/Team,
>
> Can you please provide more information on the below, as I am a newbie to
> snmp and net-snmp.
>
> As you mentioned below I removed the user from snmpd.conf, after that
> snmpwalk fails with following error.
> debugshell# snmpwalk -v3 -u u1 -a sha -A watchThis123 -l AuthPriv -x AES
> -X watchThis123 localhost iso
> Error in packet.
> Reason: authorizationError (access denied to that object)
>
>
> Also cloneFrom fails with following error:
> snmpusm localhost cloneFrom u1 u1 -x AES -A watchThis123 -X watchThis123
> -l AuthPriv -a sha
> snmpset: No securityName specified
>
> so added -u option
> debugshell# snmpusm localhost cloneFrom u1 u1 -u uma -x AES -A
> watchThis123 -X watchThis123 -l AuthPriv -a sha
> User successfully cloned.
>
> this time user is successfully cloned. But still password is not encrypted.
>
> createUser u1 SHA watchThis123 AES watchThis123
> group WAAS usm u1
>
> Thanks,
> Uma Mohandoss
> On Friday, 20 December, 2019, 5:35:28 PM IST, Michael W. Lucas <
> mwlu...@michaelwlucas.com> wrote:
>
>
>
> The encrypted user is placed in the persistent data file.
>
> You can remove this line from snmpd.conf after the user is created,
> and use snmpusm to clone it for new accounts.
>
> ==ml
>
>
> On Fri, Dec 20, 2019 at 05:31:09AM +0000, Uma Mohandoss via Net-snmp-users
> wrote:
> > Hi,
> >
> > Net-snmp 5.8, user creation does not encrypt password. Password stored
> > in plain text under /etc/snmp/snmpd.conf.
> >
> > Eg. (snippet from snmpd.conf)
> > createUser    u1  SHA  watchThis123  AES watchThis123
> > group COMMON usm u1
> >
> > Need help/patch to encrypt password.
> >
> > Thanks,
> > Uma Mohandoss
>
> >
> >
> > _______________________________________________
> > Net-snmp-users mailing list
> > Net-snmp-users@lists.sourceforge.net
> > Please see the following page to unsubscribe or change other options:
> > https://lists.sourceforge.net/lists/listinfo/net-snmp-users
>
> --
> Michael W. Lucas     https://mwl.io/
> author of: Absolute OpenBSD, SSH Mastery, git commit murder,
> Immortal Clay, PGP & GPG, Absolute FreeBSD, etc, etc, etc...
>