SNMPUSM(1) Net-SNMP SNMPUSM(1)
snmpusm - creates and maintains SNMPv3 users on a remote entity.
snmpusm [COMMON OPTIONS] create USER [CLONEFROM-USER]
snmpusm [COMMON OPTIONS] delete USER
snmpusm [COMMON OPTIONS] cloneFrom USER CLONEFROM-USER
snmpusm [COMMON OPTIONS] [-Co] [-Ca] [-Cx] passwd OLD-PASSPHRASE NEW-PASSPHRASE
snmpusm is an SNMP application that can be used to do simple maintenance on an SNMP agent's
User-based Security Module (USM) table. You can create, delete, clone, and change the
passphrase of users configured on a running SNMP agent.
The SNMPv3 USM specifications (see RFC2574) dictate that users are created and maintained
by adding and modifying rows in the usmUserTable MIB table. To create a new user you simply
create the row using snmpset. User profiles contain private keys that are never
transmitted over the wire in clear text (regardless of whether the administration requests
are encrypted or not).
The secret key for a user is initially set by cloning another user in the table, so that a
new user inherits the cloned user's secret key. A user can only be cloned once, however,
after which they must be deleted and re-created to be re-cloned. The authentication and
privacy security types are also inherited during this cloning (e.g., MD5 vs. SHA1). To
change the secret key for a user, you must know the user's old passphrase as well as the
new one. The passwd sub-command of the snmpusm command, therefore, requires both the new
and the old passphrases to be supplied. After cloning from the appropriate template, you
should immediately change the new user's passphrase.
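Why passwd needs both passphrases and why the key never crosses the wire in clear text, as an added example (not part of the Net-SNMP manual page or its source): a sketch of the RFC 2574 MD5 password-to-key, key localization and KeyChange computations. The engine ID is a constructed value and the function names are illustrative.

```python
import hashlib
import os

ENGINE_ID = bytes.fromhex("80001f8880deadbeef00000001")  # constructed sample engine ID

def password_to_key(passphrase: str) -> bytes:
    """RFC 2574 A.2.1: MD5 over the passphrase repeated to fill 1,048,576 bytes."""
    pw = passphrase.encode()
    if len(pw) < 8:
        raise ValueError("passphrases must be 8 characters minimum in length")
    stream = (pw * (1048576 // len(pw) + 1))[:1048576]
    return hashlib.md5(stream).digest()

def localize(ku: bytes, engine_id: bytes) -> bytes:
    """Bind the user key to one agent: Kul = MD5(Ku || engineID || Ku)."""
    return hashlib.md5(ku + engine_id + ku).digest()

def make_key_change(old_key: bytes, new_key: bytes, rand: bytes = None) -> bytes:
    """Manager side: build the KeyChange value written to the usmUserTable row."""
    rand = os.urandom(len(old_key)) if rand is None else rand
    temp = hashlib.md5(old_key + rand).digest()
    return rand + bytes(a ^ b for a, b in zip(temp, new_key))  # random || delta

def apply_key_change(old_key: bytes, value: bytes) -> bytes:
    """Agent side: recover the new key using the old key it already stores."""
    rand, delta = value[:len(old_key)], value[len(old_key):]
    temp = hashlib.md5(old_key + rand).digest()
    return bytes(a ^ b for a, b in zip(temp, delta))

def demo(rand: bytes = None):
    """Passphrase change for a freshly cloned user, using this page's passphrases."""
    old = localize(password_to_key("setup_passphrase"), ENGINE_ID)
    new = localize(password_to_key("new_passphrase"), ENGINE_ID)
    wire = make_key_change(old, new, rand)
    return old, new, wire, apply_key_change(old, wire)

if __name__ == "__main__":
    old, new, wire, recovered = demo()
    print("value sent in the SET:", wire.hex())
    print("agent recovered new key:", recovered == new)
    print("new key visible on the wire:", new in wire)
```

Anyone who still knows the old key can derive the new one from a captured KeyChange value, which is why a cloned user's passphrase should be changed immediately and the template account retired.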
The Net-SNMP agent must first be initialized so that at least one user is set up in it
before you can use this command to clone new ones. See the snmpd.conf(5) manual page on
the createUser configuration parameter.
Let's assume for our examples that the following VACM and USM configuration lines were in
the snmpd.conf file for a Net-SNMP agent. These lines set up a default user called
"initial" with the authentication passphrase "setup_passphrase" so that we can perform the
initial setup of an agent:
# VACM configuration entries
# lets add the new user we'll create too:
# USM configuration entries
createUser initial MD5 setup_passphrase DES
Note: the "initial" user's setup should be removed after creating a real user that you
grant administrative privileges to (like the user "wes" we'll be creating in this example).
Note: passphrases must be 8 characters minimum in length.
Create a new user
snmpusm -v3 -u initial -n "" -l authNoPriv -a MD5 -A setup_passphrase localhost create wes
Creates a new user, here named "wes" using the user "initial" to do it. "wes" is
cloned from "initial" in the process, so he inherits that user's passphrase ("set-
Change the user's passphrase
snmpusm -v 3 -u wes -n "" -l authNoPriv -a MD5 -A setup_passphrase localhost passwd setup_passphrase new_passphrase
After creating the user "wes" with the same passphrase as the "initial" user, we
need to change his passphrase for him. The above command changes it from
"setup_passphrase", which was inherited from the initial user, to "new_passphrase".
Test the new user
snmpget -v 3 -u wes -n "" -l authNoPriv -a MD5 -A new_passphrase localhost sysUpTime.0
If the above commands were successful, this command should have properly performed
an authenticated SNMPv3 GET request to the agent.
Now, go remove the vacm "group" snmpd.conf entry for the "initial" user and you have a
valid user 'wes' that you can use for future transactions instead of initial.
snmpd.conf(5), snmp.conf(5), RFC 2574
4th Berkeley Distribution 08 Feb 2002 SNMPUSM(1)