Converts passwords into localized and nonlocalized authentication and privacy keys.
pwtokey [ -e ] [ -d DebugLevel ] [ -p Protocol ] [ -u KeyUsage ] [ -s ] Password [ EngineID | HostName | IPAddress ]
AIX® provides a facility called pwtokey that allows conversion of passwords into localized and nonlocalized authentication and privacy keys. The pwtokey procedure takes as input a password and an identifier of the agent and generates authentication and privacy keys. Since the procedure used by the pwtokey facility is the same algorithm used by the clsnmp command, the person configuring the SNMP agent can generate appropriate authentication and privacy keys to put in the snmpd.conf file for a user, given a particular password and the IP address at which the agent will run.
If the IP address or the hostname is specified, the SNMP agent must be an AIX agent. The engineID will be created using a vendor-specific formula that incorporates the IP address of the agent and an enterprise ID representing AIX.
Item | Description |
---|---|
-d DebugLevel | This flag indicates what level of debug information is desired. Debug tracing is either on or off, so a value of 1 causes debug tracing to be written to the screen of the command issuer (sysout), and a value of 0 specifies that no debug tracing be generated. Debug tracing is off (0) by default. |
-e | This flag indicates that the agent for which the key is being defined is identified by engineID rather than by IP address or host name. |
-p Protocol | This flag indicates the protocols for which the keys should be generated. Valid values are: |
-s | This flag indicates that output data should be displayed with additional spaces to improve readability. By default, data is displayed in a condensed format to facilitate cut-and-paste operations on the keys into configuration files or command lines. |
-u KeyUsage | This flag indicates the usage intended for the key. Valid values are: |
Item | Description |
---|---|
EngineID | Specifies the engineID of the SNMP agent at which the key will be used. The engineID is determined at SNMP agent initialization from the snmpd.boots file. The engineID must be a string of 1-32 octets (2-64 hex digits). The default is that the agent identification is not an engineID. |
HostName | Specifies the SNMP agent at which the key will be used on an SNMP request. |
IPAddress | Specifies an IPv4 or an IPv6 address of the SNMP agent at which the key will be used on an SNMP request. |
Password | Specifies the text string to be used in generating the keys. The password must be 8-255 characters long. In general, while any printable characters can be used in the passwords, the AIX shell may interpret some characters rather than passing them to the pwtokey command. Enclose passwords in single quotes to avoid interpretation of the characters by the AIX shell. Note: This password is not related to the community name (or "password") used with community-based security (SNMPv1 and SNMPv2c). This password is used only to generate keys for user-based security, an entirely different security scheme. |
Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.
```
pwtokey testpassword 9.67.113.79
```
The output from this command looks similar to the following:
```
Display of 16 byte HMAC-MD5 authKey:
775b109f79a6b71f94cca5d22451cc0e
Display of 16 byte HMAC-MD5 localized authKey:
de25243d5c2765f0ce273e4bcf941701
```
As this example shows, pwtokey generates two keys: one that is localized (has been tailored to be usable only at the agent identified) and one that has not been localized. Typically, the localized key is used in the configuration for the SNMP agent. The nonlocalized key is used in the configuration for the clsnmp command.

```
pwtokey -p HMAC-SHA -u all testpassword 9.67.113.79
```
The output of this command looks similar to the following:
```
Display of 20 byte HMAC-SHA authKey:
b267809aee4b8ef450a7872d6e348713f04b9c50
Display of 20 byte HMAC-SHA localized authKey:
e5438092d1098a43e27e507e50d32c0edaa39b7c
Display of 20 byte HMAC-SHA privKey:
b267809aee4b8ef450a7872d6e348713f04b9c50
Display of 16 byte HMAC-SHA localized privKey:
e5438092d1098a43e27e507e50d32c0e
```
The output for the privacy keys is the same as the output for the authentication keys, except that the localized privacy key has been truncated to 16 bytes, as is required for DES.

```
pwtokey testpassword 2000:1:1:1:209:6bff:feae:6d67
```
The output from this command looks similar to the following:
```
Display of 16 byte HMAC-MD5 authKey:
775b109f79a6b71f94cca5d22451cc0e
Display of 16 byte HMAC-MD5 localized authKey:
2a30fe53690fa6b62dba3f9ea30e11fb
```
As this example shows, the pwtokey command generates two keys: one that is localized (has been tailored to be usable only at the agent identified) and one that has not been localized. Typically, the localized key is used in the configuration for the SNMP agent. The nonlocalized key is used in the configuration for the clsnmp command. In this example, the SNMP agent at which the key will be used on an SNMP request is identified by an IPv6 address.