I'm using net-snmp 5.4.2.1 version on linux.
I read the docs, manual pages, looked at library snmpusm.c and snmpusm.c
code in apps dir
but I can't make -m option work.
I type:
snmpusm -v3 localhost -l authNoPriv -u initialuser1 -A passwd1 create user1 initialuser1
This works and the user is created since the clone from "initialuser1" user
is in persistent snmpd.conf file.
Then I use the snmpusm command to change the inherited password from
cloneFrom user.
I want to supply an already (MD5) hashed value instead of clear text
passphrase so I use:
snmpusm -v3 -l authNoPriv -u user1 -A passwd1 passwd -Ca passwd1 -m 0x<hexkey>
The snmpusm command returns error : New passphrase must be greater than
8 characters in length
I don't know if -m option is intended to be used with MD5 hashed value??
I noticed the manual pages for snmpcmd refers to -m as -3m and so does
the snmpv3.c code.
So I used -3m option instead but that did the same as above.
I don't know if this is the best way to create a new user other than
writing program and creating netsnmp session and pdu to talk to the
agent. Is it always required to create the user first and then change
the password or it can be done in one step?
I still prefer at the moment to use the snmpusm command to create the
user with my own hashed password.
If anyone knows how to, please let me know
Thanks,
Bernadette
-----Original Message-----
From: dave....@googlemail.com [mailto:dave....@googlemail.com] On
Behalf Of Dave Shield
Sent: Wednesday, February 10, 2010 1:15 AM
To: EYRE Bernadette
Cc: net-snm...@lists.sourceforge.net
Subject: Re: create SNMPv3 user with hashed password
On 10 February 2010 02:45, EYRE Bernadette
<Bernade...@alcatel-lucent.com> wrote:
> Hello Dave,
Please address queries to the list as a whole - not to me personally.
I am *not* the sole support for this project (though it sometimes
feels like it!)
> Is it possible to create snmpv3 user with hashed password rather than
> clear text and provide the appropriate hash algorithm type?
$ man snmpd.conf
SNMPv3 Users
If you want to generate either your master or localized keys directly,
replace the given password with a hexstring (preceeded by a "0x")
and precede the hex string by a -m or -l token (respectively).
> If so which api to use?
All creation of SNMPv3 users eventually boils down to a call to:
usm_add_user()
> Any examples?
See 'usm_parse_create_usmUser()' in snmplib/snmpv3.c
Dave
_______________________________________________
Net-snmp-coders mailing list
Net-snm...@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
> I want to supply an already (MD5) hashed value instead of clear text
> passphrase so I use:
> snmpusm -v3 -l authNoPriv -u user1 -A passwd1 passwd -Ca passwd1 -m 0x<hexkey>
I'm not really an expert on SNMPv3, but that invocation does not seem to
match the description in the snmpusm man page. This lists '-Ca' as one of
the "Common Options" which appear *before* the USM command ("passwd")
Also, the description of the "passwd" sub-command says:
" To change from a localized key back to a password, the
following variant of the passwd sub-command is used:
snmpusm [OPTIONS] <-Ca | -Cx> -Ck passwd OLD-KEY-OR-PASSPHRASE NEW-KEY-OR-PASSPHRASE [USER]
The OLD-KEY-OR-PASSPHRASE and/or NEW-KEY-OR-PASSPHRASE arguments
can either be a passphrase or a localized key starting with "0x",
"
Which would imply that the command ought to be something like:
snmpusm -v3 -l authNoPriv -u user1 -A passwd1 -Ca -Ck passwd passwd1 0x<hexkey>
> I don't know if -m option is intended to be used with MD5 hashed value??
-m is not relevant to the "passwd" sub-command.
It's part of the common processing for the basic SNMP commands.
> So I used -3m option instead but that did the same as above.
All of the -3... options are treated in exactly the same way as the
equivalent non-3 versions. That was an (unsuccessful) attempt to
reduce the pollution of the command-line option namespace.
My gut feeling is that you are confusing the common SNMP command options
with the USM-specific sub-command options. These are different (I believe).
But I'm not an SNMPv3 expert, so I could well be wrong here.
DS> My gut feeling is that you are confusing the common SNMP command
DS> options with the USM-specific sub-command options. These are
DS> different (I believe).
In short:
1) All the options you need to authenticate/etc the SNMPv3 USM user
*making* the request need to go before the USM command (eg, like
"clone").
2) All of the options that affect the command itself and tell it how to
set the password for the user you're operating *on* need to go after
the command.
This allows for separation of the user being acted upon from the user
performing the maintenance.
--
Wes Hardaker
Please mail all replies to net-snm...@lists.sourceforge.net
Wes, if you are using snmpusm command and you have already created the
user and you want to change the password and provide the new password in
hashed format, not in clear passphrase format,
how would you do it, what will be the command?
I know -Ck option is for localized format but my password is hashed (in
MD5 or in SHA format)
and that is how it will be supplied to me from a remote authentication
server.
Thanks,
Bernadette
-----Original Message-----
From: Wes Hardaker [mailto:hard...@users.sourceforge.net]
Sent: Friday, February 12, 2010 11:25 AM
To: Dave Shield
Cc: EYRE Bernadette; net-snm...@lists.sourceforge.net
Subject: Re: create SNMPv3 user with hashed password
EB> Wes, if you are using snmpusm command and you have already created the
EB> user and you want to change the password and provide the new password in
EB> hashed format, not in clear passphrase format,
EB> how would you do it, what will be the command?
I vaguely recall that the recent version of snmpusm was patched so that
the old/new passwords could start with "0x" to indicate a key.
Check the usage output of snmpusm.
If this mentions "-Ck" (and talks about KEY-OR-PASSPHRASE),
then support for this should be present.
If it doesn't then you'll probably need to upgrade.
I *think* this feature is present in 5.4.x and above, but not 5.3.x or earlier.
But check.
Dave
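
Added example, not part of any post in this thread and not net-snmp code: the thread distinguishes a passphrase, a master key (the -m token in snmpd.conf) and a localized key (the -l token, or a "0x" value with -Ck), so this sketch derives each form with the RFC 3414 Appendix A.2 algorithm and sets them beside a plain digest of the passphrase. The function names are hypothetical; the sample passphrase and engine ID are the RFC 3414 Appendix A.3 test vectors.

```python
import hashlib

EXPANSION = 1048576  # RFC 3414 A.2: digest 1 MiB of the repeated passphrase


def usm_master_key(passphrase: bytes, algo: str = "md5") -> bytes:
    """Master key Ku: hash of the passphrase repeated out to 1 MiB."""
    if len(passphrase) < 8:
        raise ValueError("USM passphrases must be at least 8 characters")
    reps = EXPANSION // len(passphrase) + 1
    stream = (passphrase * reps)[:EXPANSION]
    return hashlib.new(algo, stream).digest()


def usm_localized_key(master: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Localized key Kul = H(Ku || engineID || Ku); valid for one engine only."""
    return hashlib.new(algo, master + engine_id + master).digest()


def key_forms(passphrase: bytes, engine_id: bytes, algo: str = "md5") -> dict:
    """Return the three values that are easy to confuse, as 0x-prefixed hex."""
    master = usm_master_key(passphrase, algo)
    localized = usm_localized_key(master, engine_id, algo)
    plain = hashlib.new(algo, passphrase).digest()  # NOT a USM key
    return {
        "plain_digest": "0x" + plain.hex(),
        "master_key": "0x" + master.hex(),        # snmpd.conf -m form
        "localized_key": "0x" + localized.hex(),  # snmpd.conf -l / snmpusm -Ck form
    }


if __name__ == "__main__":
    # RFC 3414 A.3 test vector: passphrase "maplesyrup", 12-byte engine ID
    engine = bytes.fromhex("000000000000000000000002")
    for algo in ("md5", "sha1"):
        print(algo)
        for name, value in key_forms(b"maplesyrup", engine, algo).items():
            print(f"  {name:14s} {value}")
```

A plain MD5 or SHA-1 digest of the passphrase matches neither key form, so a value handed over by an external system is only usable as a key if it was produced by this derivation.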