Commands Reference, Volume 4
pwchange Command
Purpose
Change user authentication and privacy keys dynamically.
Syntax
pwchange [ -e ] [ -d DebugLevel ] [ -p Protocol ] [ -u KeyUsage ] [ -s ] [ OldPassword NewPassword ] [ IPAddress | HostName | EngineID ]
Description
The pwchange command is provided to facilitate dynamic changes of user authentication and privacy keys. Authentication and privacy keys are configured dynamically by issuing set commands against objects of syntax keyChange. The keyChange syntax provides a way of changing keys without sending the actual keys (either new or old) directly across the wire, which would not be secure. Instead, if an object such as usmUserAuthKeyChange is to be set, the keyChange value must be derived from the old and new passwords and the engineID of the agent at which the key will be used. The pwchange command is used to generate the keyChange values.
The pwchange command generates different output, depending on which protocol and what key usage is selected. Keychange values are typically twice as long as the key to be changed.
Flags
-d DebugLevel
This flag indicates what level of debug information is desired. Debug tracing is either on or off: 1 causes debug tracing to be generated to the screen of the command issuer (sysout). Debug tracing is off (0) by default.

-e
This flag indicates that the agent for which the keychange value is being defined is identified by engineID rather than by IP address or host name.

-p Protocol
This flag indicates the protocols for which the keychange values should be generated. Valid values are:
- HMAC-MD5: Generates keychange values for use with the HMAC-MD5 authentication protocol.
- HMAC-SHA: Generates keychange values for use with the HMAC-SHA authentication protocol.
- all: Generates both HMAC-MD5 and HMAC-SHA keychange values.
The default is that keychange values for the HMAC-MD5 protocol are generated.

-s
This flag indicates that output should be displayed with additional spaces to improve readability. By default, data is displayed in a condensed format to facilitate cut-and-paste operations on the keychange values onto command lines in shell scripts.

-u KeyUsage
This flag indicates the usage intended for the keychange value. Valid values are:
- auth: An authentication keychange value.
- priv: A privacy keychange value.
- all: Both authentication and privacy keychange values.
Note
There is no difference between a keychange value generated for authentication and a keychange value generated for privacy. However, the length of privacy keychange values depends on whether the keychange value is localized.

Parameters
EngineID
Specifies the engineID of the destination host at which the key is to be used. The engineID must be a string of 1-32 octets (2-64 hex digits). The default is that the agent identification is not an engineID.

HostName
Specifies the destination host at which the key is to be used.

IPAddress
Specifies the IP address in dotted decimal notation of the agent at the destination host at which the key is to be used.

NewPassword
Specifies the password that will be used in generating the new key. The password must be between eight and 255 characters long.

OldPassword
Specifies the password that was used in generating the key originally. The password must be between eight and 255 characters long.

Examples
The pwchange command generates different output depending
on which protocol and what key usage is selected. Key change values are typically
twice as long as the key to be changed.
- The following command demonstrates how pwchange can be used:

    pwchange oldpassword newpassword 9.67.113.79

The output of this command looks similar to:

    Dump of 32 byte HMAC-MD5 authKey keyChange value:
    3eca6ff34b59010d262845210a401656
    78dd9646e31e9f890480a233dbe1114d

The value to be set should be passed as a hex value with the clsnmp command (all on one line):

    clsnmp set usmUserAuthKeyChange.12.0.0.0.2.0.0.0.0.9.67.113.79.2.117.49
    \'3eca6ff34b59010d262845210a40165678dd9646e31e9f890480a233dbe1114d\'h

Note
The backslash in the preceding example is required before the single quotation mark to enable AIX to correctly interpret the hexadecimal value.
The index of the usmUserTable is made up of the EngineID and the ASCII representation of the user name. In this case the user name is 2 characters long and translates to 117.49.
Note
pwchange incorporates a random component in generating keys and keyChange values. The output from multiple commands with the same input does not produce duplicate results.
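The derivation described above, sketched from the password-to-key and KeyChange algorithms of RFC 3414. This is an added example, not IBM's code, and it assumes pwchange follows the RFC. The function names are hypothetical, the engineID is read off the index in the clsnmp example, and the user name u1 is inferred from 117.49.

```python
import hashlib
import os

def password_to_key(password: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 A.2: hash 1 MiB of the repeated password, then localize to engine_id."""
    reps, rem = divmod(1048576, len(password))
    ku = hashlib.new(algo, password * reps + password[:rem]).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()

def make_keychange(old_key: bytes, new_key: bytes, algo: str = "md5",
                   rand: bytes = None) -> bytes:
    """KeyChange value = random || (H(old_key || random) XOR new_key)."""
    # The fresh random half is why identical inputs never give identical output,
    # and why the value is twice the key length.
    rand = os.urandom(len(old_key)) if rand is None else rand
    digest = hashlib.new(algo, old_key + rand).digest()
    return rand + bytes(d ^ n for d, n in zip(digest, new_key))

def apply_keychange(old_key: bytes, value: bytes, algo: str = "md5") -> bytes:
    """Agent side: recover the new key using the old key it already holds."""
    half = len(value) // 2
    rand, delta = value[:half], value[half:]
    digest = hashlib.new(algo, old_key + rand).digest()
    return bytes(d ^ x for d, x in zip(digest, delta))

def usm_index(engine_id: bytes, user: str) -> str:
    """usmUserTable index: length-prefixed engineID, then length-prefixed user name."""
    parts = [len(engine_id), *engine_id, len(user), *user.encode("ascii")]
    return ".".join(map(str, parts))

if __name__ == "__main__":
    # engineID taken from the index in the clsnmp example; user name is an assumption
    engine_id = bytes.fromhex("00000002000000000943714f")
    old = password_to_key(b"oldpassword", engine_id)
    new = password_to_key(b"newpassword", engine_id)
    value = make_keychange(old, new)
    print(f"usmUserAuthKeyChange.{usm_index(engine_id, 'u1')} = {value.hex()}")
    assert apply_keychange(old, value) == new
```

The new key is recoverable only by a party that already holds the old key, so a keyChange value protects the new key only as long as the old key has not been disclosed.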
Related Information
The clsnmp command, pwtokey command, snmpdv3 daemon.
The /etc/clsnmp.conf file, /etc/snmpdv3.conf file.