Uma,

Perhaps the confusion is because there are two different files named snmpd.conf. Where they are located depends on the system configuration; mine are in /etc/snmp/snmpd.conf and /var/lib/net-snmp/snmpd.conf.

If you put the createUser command in /etc/snmp/snmpd.conf, it will remain there, because snmpd does not touch that file. The snmpd.conf man page says, in part:

    createUser [-e ENGINEID] username (MD5|SHA) authpassphrase [DES|AES] [privpassphrase]
    ...
    This directive should be placed into the /var/db/net-snmp/snmpd.conf file instead of the other normal locations. The reason is that the information is read from the file and then the line is removed (eliminating the storage of the master password for that user) and replaced with the key that is derived from it. This key is a localized key, so that if it is stolen it can not be used to access other agents. If the password is stolen, however, it can be.

The proper steps to use this mechanism:

1. stop snmpd
2. put the createUser command in your /var/lib/net-snmp/snmpd.conf (see the snmpd.conf man page for the right location on your system)
3. start snmpd

At this point you can look at /var/lib/net-snmp/snmpd.conf and see that your createUser command was replaced by one with localized keys.

Bill

On Tue, Jan 7, 2020 at 7:22 AM Uma Mohandoss via Net-snmp-users <net-snmp-users@lists.sourceforge.net> wrote:

> Michael/Team,
>
> Can you please provide more information on the below, as I am newbie to
> snmp and net-snmp.
>
> As you mentioned below I removed the user from snmpd.conf, after that
> snmpwalk fails with following error.
> debugshell# snmpwalk -v3 -u u1 -a sha -A watchThis123 -l AuthPriv -x AES
> -X watchThis123 localhost iso
> Error in packet.
> Reason: authorizationError (access denied to that object)
>
> Also cloneFrom fails with following error:
> snmpusm localhost cloneFrom u1 u1 -x AES -A watchThis123 -X watchThis123
> -l AuthPriv -a sha
> snmpset: No securityName specified
>
> so added -u option
> debugshell# snmpusm localhost cloneFrom u1 u1 -u uma -x AES -A
> watchThis123 -X watchThis123 -l AuthPriv -a sha
> User successfully cloned.
>
> this time user is successfully cloned. But still password is not encrypted.
>
> createUser u1 SHA watchThis123 AES watchThis123
> group WAAS usm u1
>
> Thanks,
> Uma Mohandoss
>
> On Friday, 20 December, 2019, 5:35:28 PM IST, Michael W. Lucas <mwlu...@michaelwlucas.com> wrote:
>
> The encrypted user is placed in the persistent data file.
>
> You can remove this line from snmpd.conf after the user is created,
> and use snmpusm to clone it for new accounts.
>
> ==ml
>
> On Fri, Dec 20, 2019 at 05:31:09AM +0000, Uma Mohandoss via Net-snmp-users wrote:
> > Hi,
> >
> > Net-snmp 5.8, user creation does not encrypt password. Password stored in plain text under /etc/snmp/snmpd.conf.
> >
> > Eg. (snippet from snmpd.conf)
> > createUser u1 SHA watchThis123 AES watchThis123
> > group COMMON usm u1
> >
> > Need help/patch to encrypt password.
> >
> > Thanks,
> > Uma Mohandoss
> >
> > _______________________________________________
> > Net-snmp-users mailing list
> > Net-snmp-users@lists.sourceforge.net
> > Please see the following page to unsubscribe or change other options:
> > https://lists.sourceforge.net/lists/listinfo/net-snmp-users
>
> --
> Michael W. Lucas https://mwl.io/
> author of: Absolute OpenBSD, SSH Mastery, git commit murder,
> Immortal Clay, PGP & GPG, Absolute FreeBSD, etc, etc, etc...
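An added illustration, not part of the original thread or of Net-SNMP's code: the man page excerpt quoted above says the stored key is localized, so a stolen key is useless against other agents while a stolen passphrase is not. The sketch below follows the RFC 3414 password-to-key and localization steps for SHA-1 authentication; the two engine IDs are constructed sample values, and the function names are hypothetical.

```python
import hashlib

MEGABYTE = 1048576  # RFC 3414 A.2 hashes exactly this many bytes of repeated passphrase


def password_to_key(passphrase: bytes, hash_name: str = "sha1") -> bytes:
    """Derive the master key Ku from a passphrase (RFC 3414 A.2)."""
    if len(passphrase) < 8:
        # Net-SNMP rejects shorter passphrases
        raise ValueError("passphrase must be at least 8 characters")
    repeated = (passphrase * (MEGABYTE // len(passphrase) + 1))[:MEGABYTE]
    return hashlib.new(hash_name, repeated).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Bind Ku to one agent: Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def keys_for_agents(passphrase: bytes, engine_ids: list[bytes]) -> dict[str, str]:
    """Return the localized key (hex) each agent would hold for one passphrase."""
    ku = password_to_key(passphrase)
    return {eid.hex(): localize_key(ku, eid).hex() for eid in engine_ids}


# Constructed engine IDs standing in for two different agents (assumption).
ENGINE_A = bytes.fromhex("80001f8880aaaaaaaa00000001")
ENGINE_B = bytes.fromhex("80001f8880bbbbbbbb00000002")

if __name__ == "__main__":
    # Passphrase taken from the createUser line quoted in the thread.
    for engine, key in keys_for_agents(b"watchThis123", [ENGINE_A, ENGINE_B]).items():
        print(f"engineID {engine}: localized auth key {key}")
```

The same passphrase yields a different key per engine ID, and the hash cannot be run backwards to recover Ku or the passphrase, which is why the plaintext createUser line is the value worth keeping out of readable configuration files.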