Commands Reference, Volume 4
pwtokey Command
Purpose
Converts passwords into localized and nonlocalized authentication and privacy
keys.
Syntax
pwtokey [ -e ] [ -d DebugLevel ] [ -p Protocol ] [ -u KeyUsage ] [ -s ] Password [ EngineID | HostName | IPAddress ]
Description
AIX provides a facility called pwtokey that
allows conversion of passwords into localized and nonlocalized authentication
and privacy keys. The pwtokey procedure takes as input
a password and an identifier of the agent and generates authentication and
privacy keys. Since the procedure used by the pwtokey facility is the same
algorithm used by the clsnmp command, the person configuring
the SNMP agent can generate appropriate authentication and privacy keys to
put in the snmpd.conf file for a user, given a particular
password and the IP address at which the agent will run.
If the IP address or the hostname is specified, the SNMP agent must be
an AIX agent. The engineID will be created using a vendor-specific
formula that incorporates the IP address of the agent and an enterprise ID
representing AIX.
Flags
-d DebugLevel
    This flag indicates what level of debug information
    is desired. Debug tracing is either on or off, so a value of 1 causes debug
    tracing to be generated to the screen of the command issuer (sysout), and
    a value of 0 specifies that no debug tracing be generated. Debug tracing is
    off (0) by default.
-e
    This flag indicates that the agent for which the key
    is being defined is identified by engineID rather than by IP address or host
    name.
-p Protocol
    This flag indicates the protocols for which the keys should be generated.
    Valid values are:
    HMAC-MD5
        Generates keys for use with the HMAC-MD5 authentication protocol.
    HMAC-SHA
        Generates keys for use with the HMAC-SHA authentication protocol.
    all
        Generates both HMAC-MD5 and HMAC-SHA keys.
    The default is that keys for the HMAC-MD5 protocol are generated.
-s
    This flag indicates that output data should be displayed with additional
    spaces to improve readability. By default, data is displayed in a condensed
    format to facilitate cut-and-paste operations on the keys into configuration
    files or command lines.
-u KeyUsage
    This flag indicates the usage intended for the key. Valid values are:
    auth
        An authentication key.
    priv
        A privacy key.
    all
        Both authentication and privacy keys.
    Note
    There is no difference
    between a key generated for authentication and a key generated for privacy.
    However, the length of privacy keys depends on whether the key is localized
    or not.
Parameters
EngineID
    Specifies the engineID of the SNMP agent at which the
    key will be used. The engineID is determined at SNMP agent initialization
    from the snmpd.boots file. The engineID must be a string of 1-32 octets (2-64
    hex digits). The default is that the agent identification is not an engineID.
HostName
    Specifies the SNMP agent at which the key will be used on an SNMP request.
IPAddress
    Specifies the IP address in dotted decimal notation of the SNMP agent
    at which the key will be used on an SNMP request.
Password
    Specifies the text string to be used in generating the
    keys. The password must be in the range of 8-255 characters long. In general,
    while any printable characters can be used in the passwords, the AIX shell
    may interpret some characters rather than passing them to the pwtokey command.
    Include passwords in single quotes to avoid interpretation of the characters
    by the AIX shell.
    Note
    This password is not related to the
    community name (or "password") used with community-based security (SNMPv1
    and SNMPv2c). This password is used only to generate keys for user-based security,
    an entirely different security scheme.
Examples
- This example shows a simple invocation of the pwtokey command:

      pwtokey testpassword 9.67.113.79

  The output from this command looks similar to the following:

      Display of 16 byte HMAC-MD5 authKey:
      775b109f79a6b71f94cca5d22451cc0e
      Display of 16 byte HMAC-MD5 localized authKey:
      de25243d5c2765f0ce273e4bcf941701

  As this example shows, pwtokey generates two keys--one that is localized (has been tailored
  to be usable only at the agent identified) and one that has not been localized.
  Typically, the localized key is used in the configuration for the SNMP agent.
  The nonlocalized key is used in the configuration for the clsnmp command.
- The pwtokey command can be invoked requesting HMAC-SHA keys
  for both authentication and privacy, as in the following example:

      pwtokey -p HMAC-SHA -u all testpassword 9.67.113.79

  The output of this command looks similar to the following:

      Display of 20 byte HMAC-SHA authKey:
      b267809aee4b8ef450a7872d6e348713f04b9c50
      Display of 20 byte HMAC-SHA localized authKey:
      e5438092d1098a43e27e507e50d32c0edaa39b7c
      Display of 20 byte HMAC-SHA privKey:
      b267809aee4b8ef450a7872d6e348713f04b9c50
      Display of 16 byte HMAC-SHA localized privKey:
      e5438092d1098a43e27e507e50d32c0e

  The output for the privacy keys is
  the same as the output for the authentication keys, except that the localized
  privacy key has been truncated to 16 bytes, as is required for DES.
Note
If encryption is used, it is more secure to use different passwords
for authentication and privacy.
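
How the nonlocalized and localized keys in the examples relate, as an added example that is not IBM's code: it assumes pwtokey follows the standard SNMPv3 user-based security password-to-key algorithm of RFC 3414, and it takes the engineID directly (as with -e) because the AIX formula that builds an engineID from an IP address is not given on this page. The function names are hypothetical, and the sample password and engineID are the RFC 3414 sample values rather than values from this page.

```python
import hashlib

def password_to_key(password: bytes, algo: str) -> bytes:
    """Nonlocalized key (Ku): digest of the password repeated to 1,048,576 bytes."""
    if not 8 <= len(password) <= 255:      # password range given on this page
        raise ValueError("password must be 8-255 characters")
    reps, rem = divmod(1048576, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()

def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Localized key (Kul): digest of Ku || engineID || Ku, usable at one agent only."""
    if not 1 <= len(engine_id) <= 32:      # engineID range given on this page
        raise ValueError("engineID must be 1-32 octets")
    return hashlib.new(algo, ku + engine_id + ku).digest()

def usm_keys(password: str, engine_id_hex: str, protocol: str = "HMAC-MD5") -> dict:
    """Return the four keys that 'pwtokey -u all' displays for one protocol."""
    algo = {"HMAC-MD5": "md5", "HMAC-SHA": "sha1"}[protocol]
    ku = password_to_key(password.encode(), algo)
    kul = localize_key(ku, bytes.fromhex(engine_id_hex), algo)
    return {
        "authKey": ku.hex(),
        "localized authKey": kul.hex(),
        "privKey": ku.hex(),                   # same password gives the same key
        "localized privKey": kul[:16].hex(),   # truncated to 16 bytes for DES
    }

if __name__ == "__main__":
    # Constructed input: the RFC 3414 sample password and engineID.
    for proto in ("HMAC-MD5", "HMAC-SHA"):
        keys = usm_keys("maplesyrup", "000000000000000000000002", proto)
        for name, key in keys.items():
            print(f"{proto} {name}: {key}")
```

With one password for both uses, the localized privKey is the first 16 bytes of the localized authKey, so disclosure of the authentication key also discloses the privacy key.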
Related Information
The clsnmp command, pwchange command, snmpdv3 daemon.
The /etc/clsnmp.conf file, /etc/snmpdv3.conf file.