Hi,
is it possible to use the snmpusm tool to clone a user with a different
engineID than the template user? And if yes, can you please give an
example on how to do that, or give a reference to a webpage or document
which explains how to do that?
Background:
This feature is useful for sending SNMPv3 INFORMs. With SNMPv3 INFORMs, the
authoritative engine is the engine that receives the INFORMs. So if an
SNMP agent sends an SNMPv3 INFORM, it should use the engineID of the SNMP
manager.
- Assume that:
  - the engineID of the manager is managerEngineID
  - the engineID of the agent is agentEngineID
  - the usmUserTable of the agent contains the SNMPv3 user templateUser
  - the templateUser uses agentEngineID as engineID (this is the normal
    situation). So the index of the templateUser in the usmUserTable is
    'agentEngineID.templateUser'.
- Manager clones user 'agentEngineID.templateUser' to user
  'managerEngineID.informUser'. My question relates to this step. I don't
  know how I can do this with the snmpusm tool.
- Agent wants to send SNMPv3 INFORM to manager with the user informUser.
  It probes the manager for its engineID. The manager returns
  managerEngineID.
  The agent searches in its usmTable for the user
  'managerEngineID.informUser'.
  Because of the clone in the previous step, it finds this user. The agent
  gets the priv/auth keys for this user and can send the SNMPv3 INFORM.
In the net-snmp users mail archive I found an entry from 2006-2008
which says that the snmpusm tool can't be used to clone users with a
different engineID:
snmpusm new feature - ID: 1591355:
http://sourceforge.net/tracker/index.php?func=detail&aid=1591355&group_id=12694&atid=312694
It proposes a patch. According to the 'changes' section, it was closed on
2008-08-18, but the 'comments' section has an entry on the same date
saying: "The patch has been taken out of the trunk again since it did end
up causing problems." The current status of the entry is "Open".
The snmpusm tool has the option '-CE ENGINE-ID'. But this option doesn't
seem to solve my problem. If I try to clone the user
'agentEngineID.templateUser' to 'managerEngineID.informUser' with the
command (I use symbolic names for the engineIDs in the next command to ease
reading; in reality I pass real numbers):
    snmpusm -v3 -u templateUser -l authPriv -a MD5 -A setup_passphrase -x DES \
        -X setup_passphrase -CE managerEngineID localhost create informUser \
        templateUser
it tries to find the user 'managerEngineID.templateUser'. This is not the
desired behavior.
If it's not possible to clone users with a different engineID dynamically,
then the agent must have preconfigured users for SNMPv3 INFORMs. E.g. in its
/var/net-snmp/snmpd.conf it should have an entry (again with a symbolic
name for the engineID to ease reading):
    createUser -e managerEngineID informUser MD5 inform_passphrase DES
But then only managers with this engineID can receive SNMPv3 INFORMs from
the agent.
I'm using version 5.7.1.
regards,
Patrick Rogier
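
Added example, not part of the original message and not Net-SNMP code: a small Python model of a usmUserTable indexed by (engineID, userName), with MD5 keys derived and localized as in RFC 3414, showing why a user entry is tied to a single engineID and why a lookup under another engineID fails. The engineID values are constructed; user names and passphrases are the symbolic ones from the message.

```python
# Added illustration; engineIDs below are constructed, not taken from any real system.
import hashlib

MEBIBYTE = 1024 * 1024

def password_to_key_md5(passphrase: bytes) -> bytes:
    """RFC 3414 A.2.1: digest the first 1 MiB of the endlessly repeated passphrase."""
    if not passphrase:
        raise ValueError("passphrase must not be empty")
    repeats = MEBIBYTE // len(passphrase) + 1
    return hashlib.md5((passphrase * repeats)[:MEBIBYTE]).digest()

def localize_key_md5(ku: bytes, engine_id: bytes) -> bytes:
    """RFC 3414 2.6: Kul = MD5(Ku || engineID || Ku), valid for one engine only."""
    return hashlib.md5(ku + engine_id + ku).digest()

def build_usm_table(users):
    """Model a usmUserTable: rows indexed by (engineID, userName)."""
    table = {}
    for engine_id, name, passphrase in users:
        ku = password_to_key_md5(passphrase)
        table[(engine_id, name)] = localize_key_md5(ku, engine_id)
    return table

def find_user(table, engine_id: bytes, name: str):
    """Return the localized auth key, or None when no row has that index."""
    return table.get((engine_id, name))

# Constructed sample engineIDs (hypothetical values).
AGENT_ENGINE_ID = bytes.fromhex("80001f88046167656e74")
MANAGER_ENGINE_ID = bytes.fromhex("80001f88046d67723031")

def demo():
    table = build_usm_table([
        (AGENT_ENGINE_ID, "templateUser", b"setup_passphrase"),
        (MANAGER_ENGINE_ID, "informUser", b"inform_passphrase"),
    ])
    return {
        "inform_user_found": find_user(table, MANAGER_ENGINE_ID, "informUser") is not None,
        "template_under_manager_id": find_user(table, MANAGER_ENGINE_ID, "templateUser"),
        "inform_under_agent_id": find_user(table, AGENT_ENGINE_ID, "informUser"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```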