{ "mode": "man", "parameter": "snmpusm", "section": "1", "url": "https://www.chedong.com/phpMan.php/man/snmpusm/1/json", "generated": "2026-06-03T00:26:39Z", "synopsis": "snmpusm [COMMON OPTIONS] [-Cw] AGENT create USER [CLONEFROM-USER]\nsnmpusm [COMMON OPTIONS] AGENT delete USER\nsnmpusm [COMMON OPTIONS] AGENT cloneFrom USER CLONEFROM-USER\nsnmpusm [COMMON OPTIONS] [-Ca] [-Cx] AGENT passwd OLD-PASSPHRASE NEW-PASSPHRASE [USER]\nsnmpusm [COMMON OPTIONS] <-Ca | -Cx> -Ck AGENT passwd OLD-KEY-OR-PASSPHRASE NEW-KEY-OR-\nPASSPHRASE [USER]\nsnmpusm [COMMON OPTIONS] [-Ca] [-Cx] AGENT changekey [USER]", "sections": { "NAME": { "content": "snmpusm - creates and maintains SNMPv3 users on a network entity\n", "subsections": [] }, "SYNOPSIS": { "content": "snmpusm [COMMON OPTIONS] [-Cw] AGENT create USER [CLONEFROM-USER]\nsnmpusm [COMMON OPTIONS] AGENT delete USER\nsnmpusm [COMMON OPTIONS] AGENT cloneFrom USER CLONEFROM-USER\nsnmpusm [COMMON OPTIONS] [-Ca] [-Cx] AGENT passwd OLD-PASSPHRASE NEW-PASSPHRASE [USER]\nsnmpusm [COMMON OPTIONS] <-Ca | -Cx> -Ck AGENT passwd OLD-KEY-OR-PASSPHRASE NEW-KEY-OR-\nPASSPHRASE [USER]\nsnmpusm [COMMON OPTIONS] [-Ca] [-Cx] AGENT changekey [USER]\n\n", "subsections": [] }, "DESCRIPTION": { "content": "snmpusm is an SNMP application that can be used to do simple maintenance on the users known\nto an SNMP agent, by manipulating the agent's User-based Security Module (USM) table. The\nuser needs write access to the usmUserTable MIB table. This tool can be used to create,\ndelete, clone, and change the passphrase of users configured on a running SNMP agent.\n\n", "subsections": [] }, "OPTIONS": { "content": "Common options for all snmpusm commands:\n", "subsections": [ { "name": "-CE", "content": "Set usmUserEngineID to be used as part of the index of the usmUserTable. Default is\nto use the contextEngineID (set via -E or probed) as the usmUserEngineID.\n" }, { "name": "-Cp", "content": "Set the usmUserPublic value of the (new) user to the specified STRING.\n\nOptions for the passwd and changekey commands:\n" }, { "name": "-Ca", "content": "" }, { "name": "-Cx", "content": "" }, { "name": "-Ck", "content": "option is used, either the -Ca or -Cx option (but not both) must also be used.\n\n" } ] }, "CREATING USERS": { "content": "An unauthenticated SNMPv3 user can be created using the command\n\nsnmpusm [COMMON OPTIONS] AGENT create USER\n\nThis constructs an (inactive) entry in the usmUserTable, with no authentication or privacy\nsettings. In principle, this user should be useable for 'noAuthNoPriv' requests, but in\npractise the Net-SNMP agent will not allow such an entry to be made active. The user can be\ncreated via the createAndWait operation instead by using the -Cw flag. This will prevent the\nuser from being marked as active in any agent until explicitly activated later via the acti‐\nvate command.\n\n\nIn order to activate this entry, it is necessary to \"clone\" an existing user, using the com‐\nmand\n\nsnmpusm [COMMON OPTIONS] AGENT cloneFrom USER CLONEFROM-USER\n\nThe USER entry then inherits the same authentication and privacy settings (including pass\nphrases) as the CLONEFROM user.\n\n\nThese two steps can be combined into one, by using the command\n\nsnmpusm [COMMON OPTIONS] AGENT create USER CLONEFROM-USER\n\n\nThe two forms of the create sub-command require that the user being created does not already\nexist. The cloneFrom sub-command requires that the user being cloned to does already exist.\n\n\nCloning is the only way to specify which authentication and privacy protocols to use for a\ngiven user, and it is only possible to do this once. Subsequent attempts to reclone onto the\nsame user will appear to succeed, but will be silently ignored. This (somewhat unexpected)\nbehaviour is mandated by the SNMPv3 USM specifications (RFC 3414). To change the authentica‐\ntion and privacy settings for a given user, it is necessary to delete and recreate the user\nentry. This is not necessary for simply changing the pass phrases (see below). This means\nthat the agent must be initialized with at least one user for each combination of authentica‐\ntion and privacy protocols. See the snmpd.conf(5) manual page for details of the createUser\nconfiguration directive.\n\n", "subsections": [] }, "DELETING USERS": { "content": "A user can be deleted from the usmUserTable using the command\n\nsnmpusm [COMMON OPTIONS] AGENT delete USER\n\n", "subsections": [] }, "CHANGING PASS PHRASES": { "content": "User profiles contain private keys that are never transmitted over the wire in clear text\n(regardless of whether the administration requests are encrypted or not). To change the se‐\ncret key for a user, it is necessary to specify the user's old passphrase as well as the new\none. This uses the command\n\nsnmpusm [COMMON OPTIONS] [-Ca] [-Cx] AGENT passwd OLD-PASSPHRASE NEW-PASSPHRASE [USER]\n\n\nAfter cloning a new user entry from the appropriate template, you should immediately change\nthe new user's passphrase.\n\n\nIf USER is not specified, this command will change the passphrase of the (SNMPv3) user issu‐\ning the command. If the -Ca or -Cx options are specified, then only the authentication or\nprivacy keys are changed. If these options are not specified, then both the authentication\nand privacy keys are changed.\n\n\nsnmpusm [COMMON OPTIONS] [-Ca] [-Cx] AGENT changekey [USER]\n\n\nThis command changes the key in a perfect-forward-secrecy compliant way through a diffie-hel‐\nman exchange. The remote agent must support the SNMP-USM-DH-OBJECTS-MIB for this command to\nwork. The resulting keys are printed to the console and may be then set in future command\ninvocations using the --defAuthLocalizedKey and --defPrivLocalizedKey options or in your\nsnmp.conf file using the defAuthLocalizedKey and defPrivLocalizedKey keywords.\n\n\nNote that since these keys are randomly generated based on a diffie helman exchange, they are\nno longer derived from a more easily typed password. They are, however, much more secure.\n\n\nTo change from a localized key back to a password, the following variant of the passwd sub-\ncommand is used:\n\n\nsnmpusm [COMMON OPTIONS] <-Ca | -Cx> -Ck AGENT passwd OLD-KEY-OR-PASSPHRASE NEW-KEY-\nOR-PASSPHRASE [USER]\n\n\nEither the -Ca or the -Cx option must be specified. The OLD-KEY-OR-PASSPHRASE and/or NEW-\nKEY-OR-PASSPHRASE arguments can either be a passphrase or a localized key starting with \"0x\",\ne.g. as printed out by the changekey sub-command.\n\n\nNote that snmpusm REQUIRES an argument specifying the agent to query as described in the .I\nsnmpcmd(1) manual page.\n", "subsections": [] }, "EXAMPLES": { "content": "Let's assume for our examples that the following VACM and USM configurations lines were in\nthe snmpd.conf file for a Net-SNMP agent. These lines set up a default user called \"initial\"\nwith the authentication passphrase \"setuppassphrase\" so that we can perform the initial\nsetup of an agent:\n\n# VACM configuration entries\nrwuser initial\n# lets add the new user we'll create too:\nrwuser wes\n# USM configuration entries\ncreateUser initial MD5 setuppassphrase DES\n\nNote: the \"initial\" user's setup should be removed after creating a real user that you grant\nadministrative privileges to (like the user \"wes\" we'll be creating in this example.\n\nNote: passphrases must be 8 characters minimum in length.\n", "subsections": [ { "name": "Create a new user", "content": "snmpusm -v3 -u initial -n \"\" -l authNoPriv -a MD5 -A setuppassphrase localhost create wes\ninitial\n\nCreates a new user, here named \"wes\" using the user \"initial\" to do it. \"wes\" is\ncloned from \"initial\" in the process, so he inherits that user's passphrase\n(\"setuppassphrase\").\n" }, { "name": "Change the user's passphrase", "content": "snmpusm -v 3 -u wes -n \"\" -l authNoPriv -a MD5 -A setuppassphrase localhost passwd\nsetuppassphrase newpassphrase\n\nAfter creating the user \"wes\" with the same passphrase as the \"initial\" user, we need\nto change his passphrase for him. The above command changes it from\n\"setuppassphrase\", which was inherited from the initial user, to \"newpassphrase\".\n" }, { "name": "Test the new user", "content": "snmpget -v 3 -u wes -n \"\" -l authNoPriv -a MD5 -A newpassphrase localhost sysUpTime.0\n\nIf the above commands were successful, this command should have properly performed an\nauthenticated SNMPv3 GET request to the agent.\n\nNow, go remove the vacm \"group\" snmpd.conf entry for the \"initial\" user and you have a valid\nuser 'wes' that you can use for future transactions instead of initial.\n\n" } ] }, "WARNING": { "content": "Manipulating the usmUserTable using this command can only be done using SNMPv3. This command\nwill not work with the community-based versions, even if they have write access to the table.\n\n", "subsections": [] }, "SEE ALSO": { "content": "snmpd.conf(5), snmp.conf(5), RFC 3414\n\n\n\nV5.9.1 11 Dec 2009 SNMPUSM(1)", "subsections": [] } }, "summary": "snmpusm - creates and maintains SNMPv3 users on a network entity", "flags": [ { "flag": "", "long": null, "arg": null, "description": "Set usmUserEngineID to be used as part of the index of the usmUserTable. Default is to use the contextEngineID (set via -E or probed) as the usmUserEngineID." }, { "flag": "", "long": null, "arg": null, "description": "Set the usmUserPublic value of the (new) user to the specified STRING. Options for the passwd and changekey commands:" }, { "flag": "", "long": null, "arg": null, "description": "" }, { "flag": "", "long": null, "arg": null, "description": "" }, { "flag": "", "long": null, "arg": null, "description": "option is used, either the -Ca or -Cx option (but not both) must also be used." } ], "examples": [ "Let's assume for our examples that the following VACM and USM configurations lines were in", "the snmpd.conf file for a Net-SNMP agent. These lines set up a default user called \"initial\"", "with the authentication passphrase \"setuppassphrase\" so that we can perform the initial", "setup of an agent:", "# VACM configuration entries", "rwuser initial", "# lets add the new user we'll create too:", "rwuser wes", "# USM configuration entries", "createUser initial MD5 setuppassphrase DES", "Note: the \"initial\" user's setup should be removed after creating a real user that you grant", "administrative privileges to (like the user \"wes\" we'll be creating in this example.", "Note: passphrases must be 8 characters minimum in length.", "snmpusm -v3 -u initial -n \"\" -l authNoPriv -a MD5 -A setuppassphrase localhost create wes", "initial", "Creates a new user, here named \"wes\" using the user \"initial\" to do it. \"wes\" is", "cloned from \"initial\" in the process, so he inherits that user's passphrase", "(\"setuppassphrase\").", "snmpusm -v 3 -u wes -n \"\" -l authNoPriv -a MD5 -A setuppassphrase localhost passwd", "setuppassphrase newpassphrase", "After creating the user \"wes\" with the same passphrase as the \"initial\" user, we need", "to change his passphrase for him. The above command changes it from", "\"setuppassphrase\", which was inherited from the initial user, to \"newpassphrase\".", "snmpget -v 3 -u wes -n \"\" -l authNoPriv -a MD5 -A newpassphrase localhost sysUpTime.0", "If the above commands were successful, this command should have properly performed an", "authenticated SNMPv3 GET request to the agent.", "Now, go remove the vacm \"group\" snmpd.conf entry for the \"initial\" user and you have a valid", "user 'wes' that you can use for future transactions instead of initial." ], "see_also": [ { "name": "snmpd.conf", "section": "5", "url": "https://www.chedong.com/phpMan.php/man/snmpd.conf/5/json" }, { "name": "snmp.conf", "section": "5", "url": "https://www.chedong.com/phpMan.php/man/snmp.conf/5/json" } ] }