[Note: for a Windows version of these instructions, see this article]
SNMP version 3 supports authentication. It can be configured so that you need a user name and password before you can request information from a particular agent.

If you installed from binary packages, make sure you have the net-snmp-devel package. We used yum to retrieve this in this article.

Let's set up a user. First, stop the snmpd service:

    [root@srv-1 usr-1]# /etc/init.d/snmpd stop
    Stopping snmpd: [ OK ]
    [root@srv-1 usr-1]#

Let's create a read-only user called netadmin with the password of netadminpassword:

    [root@srv-1 usr-1]# net-snmp-config --create-snmpv3-user -ro -a "netadminpassword" netadmin
    adding the following line to /var/net-snmp/snmpd.conf:
       createUser netadmin MD5 "netadminpassword" DES
    adding the following line to /usr/share/snmp/snmpd.conf:
       rouser netadmin
    [root@srv-1 usr-1]# cat /var/net-snmp/snmpd.conf
    createUser netadmin MD5 "netadminpassword" DES
    [root@srv-1 usr-1]# cat /usr/share/snmp/snmpd.conf
    rouser netadmin

Start the snmpd service back up:

    [root@srv-1 usr-1]# /etc/init.d/snmpd start
    Starting snmpd: [ OK ]
    [root@srv-1 usr-1]#

Check out what happens to the /var/net-snmp/snmpd.conf file:

    [root@srv-1 usr-1]# cat /var/net-snmp/snmpd.conf
    .
    .
    .
    usmUser 1 3 0x800007e580562c512f61f77443 0x6e657461646d696e00 0x6e657461646d696e00 NULL .1.3.6.1.6.3.10.1.1.2 0x1701cbd1feb64559cf18f81fecb60965 .1.3.6.1.6.3.10.1.2.2 0x1701cbd1feb64559cf18f81fecb60965 ""
    engineBoots 1
    oldEngineID 0x800007e580562c512f61f77443
    [root@srv-1 usr-1]#

This keeps the plain-text passphrase out of the file: when snmpd is started, the createUser line is overwritten with a usmUser entry that holds key material derived from the passphrase rather than the passphrase itself. To authenticate against this, we can type on the command line:

    [root@clienttest ~]# snmpget -v 3 -u netadmin -l authNoPriv -a MD5 -A netadminpassword 10.50.100.1 sysUpTime.0
    SNMPv2-MIB::sysUpTime.0 = Timeticks: (6934) 0:01:09.34

With a different password this fails:

    [root@clienttest ~]# snmpget -v 3 -u netadmin -l authNoPriv -a MD5 -A netadmnpassword 10.50.100.1 sysUpTime.0
    snmpget: Authentication failure (incorrect password, community or key)
    [root@clienttest ~]#

Note that these settings can be put in an snmp.conf file in ~/.snmp:

    [root@clienttest ~]# mkdir ~/.snmp
    [root@clienttest ~]# snmpget 10.50.100.1 sysUpTime.0
    snmpget: No securityName specified
    [root@clienttest ~]# vi ~/.snmp/snmp.conf
    [root@clienttest ~]# snmpget 10.50.100.1 sysUpTime.0
    SNMPv2-MIB::sysUpTime.0 = Timeticks: (24474) 0:04:04.74
    [root@clienttest ~]# cat ~/.snmp/snmp.conf
    defSecurityName netadmin
    defContext ""
    defAuthType MD5
    defSecurityLevel authNoPriv
    defAuthPassphrase netadminpassword
    defVersion 3
    [root@clienttest ~]#

This is very much better than being able to get this data simply because you know the community string.
For more documentation on the configuration, see this page.
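
The usmUser line that snmpd wrote to /var/net-snmp/snmpd.conf above stores keys derived from the passphrase with the RFC 3414 password-to-key algorithm and then localized to the agent's engine ID. The following Python is an added example, not code from the original article or from net-snmp; the function names are hypothetical and the usmUser field order is an assumption read off the line shown above.

```python
import hashlib

MEGABYTE = 1_048_576  # RFC 3414 A.2 hashes exactly this many passphrase bytes

def password_to_key(passphrase: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 A.2: repeat the passphrase up to 1 MiB and hash it (Ku)."""
    if not passphrase:
        raise ValueError("empty passphrase")
    stream = (passphrase * (MEGABYTE // len(passphrase) + 1))[:MEGABYTE]
    return hashlib.new(algo, stream).digest()

def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 2.6: bind Ku to one agent, Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def parse_usm_user(line: str) -> dict:
    """Pull engine ID, user name and keys out of a persistent usmUser line.
    Assumed field order: status, storage, engineID, name, secName, cloneFrom,
    authProtocol, authKey, privProtocol, privKey, public string."""
    f = line.split()
    if len(f) < 11 or f[0] != "usmUser":
        raise ValueError("not a usmUser line")
    unhex = lambda s: bytes.fromhex(s[2:])  # values are written as 0x<hex>
    return {
        "engine_id": unhex(f[3]),
        "name": unhex(f[4]).rstrip(b"\x00").decode(),
        "auth_proto": f[7], "auth_key": unhex(f[8]),
        "priv_proto": f[9], "priv_key": unhex(f[10]),
    }

# The usmUser line exactly as printed in the article above.
PAGE_LINE = ('usmUser 1 3 0x800007e580562c512f61f77443 0x6e657461646d696e00 '
             '0x6e657461646d696e00 NULL .1.3.6.1.6.3.10.1.1.2 '
             '0x1701cbd1feb64559cf18f81fecb60965 .1.3.6.1.6.3.10.1.2.2 '
             '0x1701cbd1feb64559cf18f81fecb60965 ""')

if __name__ == "__main__":
    user = parse_usm_user(PAGE_LINE)
    # Derive the key from the article's passphrase and the parsed engine ID,
    # then print it beside the stored value for comparison.
    ku = password_to_key(b"netadminpassword")
    print("user   :", user["name"])
    print("stored :", user["auth_key"].hex())
    print("derived:", localize_key(ku, user["engine_id"]).hex())
```

The stored value is a deterministic function of the passphrase and engine ID, so /var/net-snmp/snmpd.conf should remain readable by root only. The same applies to ~/.snmp/snmp.conf, which holds the passphrase itself.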