[ Bottom of Page | Previous Page | Next Page | Contents | Index | Library Home | Legal | Search ]

Commands Reference, Volume 4

pwchange Command

Purpose

Change user authentication and privacy keys dynamically.

Syntax

pwchange [ -e ] [ -d DebugLevel ] [ -p Protocol ] [ -u KeyUsage ] [ -s ] [ OldPassword NewPassword ] [ IPAddress | HostName | EngineID ]

Description

The pwchange command is provided to facilitate dynamic changes of user authentication and privacy keys. Dynamic configuration of authentication and privacy keys is done by doing set commands to objects of syntax keyChange. The keyChange syntax provides a way of changing keys without requiring that the actual keys (either new or old) be flowed directly across the wire, which would not be secure. Instead, if an object,such as usmUserAuthKeyChange (for example) is to be set, the keyChange value must be derived from the old and new passwords and the engineID of the agent at which the key will be used. The pwchange command is used to generate the keyChange values.

The pwchange command generates different output, depending on which protocol and what key usage is selected. Keychange values are typically twice as long as the key to be changed.

Flags

-d DebugLevel This flag indicates what level of debug information is desired. Debug tracing is either on or off: 1 causes debug tracing to be generated to the screen of the command issuer (sysout). Debug tracing is off (0) by default.
-e This flag indicates that the agent for which the keychange value is being defined is identified by engineID rather than by IP address or host name.
-p Protocol This flag indicates the protocols for which the keychange values should be generated. Valid values are:
HMAC-MD5
Generates keychange values for use with the HMAC-MD5 authentication protocol.
HMAC-SHA
Generates keychange values for use with the HMAC-SHA authentication protocol.
all
Generates both HMAC-MD5 and HMAC-SHA keychange values.
The default is that keychange values for the HMAC-MD5 protocol are generated.
-s This flag indicates that output should be displayed with additional spaces to improve readability. By default, data is displayed in a condensed format to facilitate cut-and-paste operations on the keychange values onto command lines in shell scripts.
-u KeyUsage This flag indicates the usage intended for the keychange value. Valid values are:
auth
An authentication keychange value.
priv
A privacy keychange value.
all
Both authentication and privacy keychange values.
Note
There is no difference between a keychange value generated for authentication and a keychange value generated for privacy. However, the length of privacy keychange values depends on whether the keychange value is localized.

Parameters

EngineID Specifies the engineID (1-32 octets, 2-64 hex digits) of the destination host at which the key is to be used. The engineID must be a string of 1-32 octets (2-64 hex digits). The default is that the agent identification is not an engineID.
HostName Specifies the destination host at which the key is to be used.
IPAddress Specifies the IP address in dotted decimal notation of the agent at the destination host at which the key is to be used.
NewPassword Specifies the password that will be used in generating the new key. The password must be between eight and 255 characters long.
OldPassword Specifies the password that was used in generating the key originally. The password must be between eight and 255 characters long.

Examples

The pwchange command generates different output depending on which protocol and what key usage is selected. Key change values are typically twice as long as the key to be changed.

  1. The following command demonstrates how pwchange can be used: 
    pwchange oldpassword newpassword 9.67.113.79
    The output of this command looks similar to: 
    Dump of 32 byte HMAC-MD5 authKey keyChange value: 
  3eca6ff34b59010d262845210a401656 
  78dd9646e31e9f890480a233dbe1114d
    The value to be set should be passed as a hex value with the clsnmp command (all on one line): 
     clsnmp set usmUserAuthKeyChange.12.0.0.0.2.0.0.0.0.9.67.113.79.2.117.49 
 \'3eca6ff34b59010d262845210a40165678dd9646e31e9f890480a233dbe1114d\'h
    Note
    The backslash in the preceding example is required before the single quotation mark to enable AIX to correctly interpret the hexadecimal value.
    The index of the usmUserTable is made up of the EngineID and the ASCII representation of the user name. In this case it is 2 characters long and translates to 117.49.
    Note
    pwchange incorporates a random component in generating keys and keyChange values. The output from multiple commands with the same input does not produce duplicate results.

Related Information

The clsnmp command, pwtokey command, snmpdv3 daemon.

The /etc/clsnmp.conf file, /etc/snmpdv3.conf file.

[ Top of Page | Previous Page | Next Page | Contents | Index | Library Home | Legal | Search ]