On 08/05/07, Miller, Jeff (eng) <[EMAIL PROTECTED]> wrote:
> My understanding is that:
> - Changing the snmpd engineID will make the previous
>   localized engineID for a given security name incorrect
>   and render those users in the USM table unusable.

Ummm... Not sure.
I'd need to check through the SNMP specs (and the code) carefully, but I didn't think there was any localisation done on the engine ID itself. As I understand it, the localisation is done on the pass phrases (*using* the engineID).
If you change the engine ID, then the previous user names are still valid (I think) - it's just that nothing is likely to use them.

> - The engineID in the USM table is not accessible so it
>   is not possible to reference and change it externally.

The engineID is one of the indexes to the usmUserTable, so you can certainly reference it (by walking the table).
You can only change it by deleting a row from the table and recreating it (with the new engineID). But that's fairly standard for any table index.

> - The keys for a user in the USM table are one-way
>   encoded so it is not possible to determine the clear
>   text that was originally used to add the user to the
>   usm table.

Correct.

> Given that the above is correct, then a requirement for
> changing the snmpd engineID is that after changing it
> you must restore the USM table using a process similar
> to how you created the users originally, and in particular,
> you will need to know the "in the clear" keys.

Ummm... I suspect that you should be able to use the usmUserCloneFrom and usmUser*KeyChange objects to create the new user, and set the keys appropriately.

However, I'm rapidly getting out of my depth here.
You really need to talk to Wes about this sort of thing. He's much more of a security specialist than I am. I'm not sure how closely he monitors the -users list, but I'll give him a prod to (hopefully) drop by and put us both on the straight and narrow.

Dave
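The key localisation discussed in this thread, as an added example that is not part of the original post and is not Net-SNMP's code: it implements the RFC 3414 (Appendix A.2) password-to-key and localisation steps to show that the stored key is a one-way function of the pass phrase and the engineID, so a new engineID yields a different key. The pass phrase and first engineID are the RFC's published test vector; the second engineID and the helper names are constructed for illustration.

```python
import hashlib

EXPANDED_LEN = 1048576  # RFC 3414 A.2: hash exactly 1 MiB of repeated pass phrase


def password_to_key(password: bytes, algo: str = "md5") -> bytes:
    """Derive the intermediate user key Ku from a pass phrase (not engine-specific)."""
    if not password:
        raise ValueError("pass phrase must not be empty")
    reps = EXPANDED_LEN // len(password) + 1
    stream = (password * reps)[:EXPANDED_LEN]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Bind Ku to one engine: Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def keys_for_engines(password: bytes, engine_ids, algo: str = "md5") -> dict:
    """Return {engineID hex: localized key hex} for each engineID given."""
    ku = password_to_key(password, algo)
    return {e.hex(): localize_key(ku, e, algo).hex() for e in engine_ids}


# RFC 3414 A.3 test vector inputs
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
# Constructed value standing in for an engineID after a change
NEW_ENGINE_ID = bytes.fromhex("000000000000000000000003")

if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        table = keys_for_engines(RFC_PASSWORD, [RFC_ENGINE_ID, NEW_ENGINE_ID], algo)
        for engine, key in table.items():
            print(f"{algo:5s} engineID={engine} localized key={key}")
```

Both outputs are hashes, so neither the pass phrase nor Ku can be recovered from the key held for the old engineID.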