Home page Net-SNMP

Archive Search:

Require all words?

Site Search:
Net-SNMP Tutorial -- SNMPv3 Options

Net-SNMP Tutorial -- SNMPv3 Options


The 3rd version of the SNMP protocol introduced a whole slew of new security related features that have been missing from the previous versions. In SNMPv1 and SNMPv2c, a simple community string was put in clear text into the packet to authenticate the request. This is obviously highly insecure. (If its not obvious, then just trust me).

SNMPv3 introduces advanced security which splits the authentication and the authorization into two pieces:

This document will discuss how to use the net-snmp tools to get and set data from a remote host.


A user's profile contains the following data:

Well, thats nice but what does it mean?

To summarize the most importantly each user has a name (called a securityName) an authentication type (authProtocol) and a privacy type (privProtocol) as well as associated keys for each of these (authKey and privKey).

Authentication is performed by using a users authKey to sign the message being sent. The authProtocol can be either MD5 or SHA at this time. authKeys (and privKeys) are generated from a passphrase that must be at least 8 characters in length.

Authentication is performed by using a users privKey to encrypt the data portion the message being sent. The privProtocol can be either AES or DES.

Messages can be be sent unauthenticated, authenticated, or authenticated and encrypted by setting the securityLevel to use.

All of this information is passed to commands using the command line arguments described in the table below. Additionally, you can put default values in your ~/.snmp/snmp.conf files using the tokens specified in the 3rd column.

ParameterCommand Line Flagsnmp.conf token
securityName-u NAMEdefSecurityName NAME
authProtocol-a (MD5|SHA)defAuthType (MD5|SHA)
privProtocol-x (AES|DES)defPrivType DES
authKey-A PASSPHRASEdefAuthPassphrase PASSPHRASE
privKey-X PASSPHRASEdefPrivPassphrase PASSPHRASE
securityLevel-l (noAuthNoPriv|authNoPriv|authPriv)defSecurityLevel (noAuthNoPriv|authNoPriv|authPriv)


Here is a completely unauthenticated request (which still needs a user name, none the less):

Here is a authenticated request:

And finally, here is an authenticated and encrypted request:

Of course, they don't look much different since they all worked identically. But, the host above allows us to look at it using any level of authentication. Any hosts you set up should be more restricted than that and require at least a level of authNoPriv when you configure the VACM access control.

Finally, consider a snmp.conf file that looks like this:

This sets up the defaults for you so that your snmp commands can boil down to something as simple as:




Last modified: Thursday, 26-May-2011 23:21:32 UTC
For questions regarding web content and site functionality, please write to the net-snmp-users mail list.