snmpd.conf.5

eCos操作系统源码

The reason for the mask is, that it allows you to control access to
one row in a table, in a relatively simple way. As an example, as an ISP
you might consider giving each customer access to his or her own interface:
.IP
.nf
view cust1 included interfaces.ifTable.ifEntry.ifIndex.1 ff.a0
view cust2 included interfaces.ifTable.ifEntry.ifIndex.2 ff.a0
.IP
(interfaces.ifTable.ifEntry.ifIndex.1 == .1.3.6.1.2.1.2.2.1.1.1,
ff.a0 == 11111111.10100000. which nicely covers up and including
the row index, but lets the user vary the field of the row)
.IP "VACM Examples:"
.nf
#       sec.name  source          community
com2sec local     localhost       private
com2sec mynet     10.10.10.0/24   public
com2sec public    default         public

#             sec.model  sec.name
group mygroup v1         mynet
group mygroup v2c        mynet
group mygroup usm        mynet
group local   v1         local
group local   v2c        local
group local   usm        local
group public  v1         public
group public  v2c        public
group public  usm        public

#           incl/excl subtree                          mask
view all    included  .1                               80
view system included  system                           fe
view mib2   included  .iso.org.dod.internet.mgmt.mib-2 fc

#              context sec.model sec.level prefix read   write notify
access mygroup ""      any       noauth    exact  mib2   none  none
access public  ""      any       noauth    exact  system none  none
access local   ""      any       noauth    exact  all    all   all
.IP "Default VACM model"
The default configuration of the agent, as shipped, is functionally
equivalent to the following entries:
.nf
com2sec	public	default	public
group	public	v1	public
group	public	v2c	public
group	public	usm	public
view 	all	included	.1
access	public	""	any	noauth	exact	all	none	none
.SH SNMPv3 CONFIGURATION
.PP
.IP "engineID STRING"
The snmpd agent needs to be configured with an engineID to be able to
respond to SNMPv3 messages.  With this configuration file line, the
engineID will be configured from STRING.  The default value of the
engineID is configured with the first IP address found for the
hostname of the machine.
.IP "createUser username (MD5|SHA) authpassphrase [DES] [privpassphrase]"
This directive should be placed into the
"/var/ucd-snmp"/snmpd.conf file instead of the other normal
locations.  The reason is that the information is read from the file
and then the line is removed (eliminating the storage of the master
password for that user) and replaced with the key that is derived from 
it.  This key is a localized key, so that if it is stolen it can not
be used to access other agents.  If the password is stolen, however,
it can be.
.IP
MD5 and SHA are the authentication types to use, but you must have
built the package with openssl installed in order to use SHA.  The
only privacy protocol currently supported is DES.  If the privacy
passphrase is not specified, it is assumed to be the same as the
authentication passphrase.  Note that the users created will be
useless unless they are also added to the VACM access control tables
described above.
.IP
Warning: the minimum pass phrase length is 8 characters.
.IP
SNMPv3 users can be created at runtime using the
.I snmpusm
command.
.IP
.SH SETTING SYSTEM INFORMATION
.IP "syslocation STRING"
.IP "syscontact STRING"
.IP
Sets the system location and the system contact for the agent.  This
information is reported by the 'system' table in the mibII tree.
.IP "authtrapenable NUMBER"
Setting authtrapenable to 1 enables generation of authentication failure
traps. The default value is 2 (disable).
.IP "trapcommunity STRING"
This defines the default community string to be used when sending traps.
Note that this command must be used prior to any of the following three
commands that are intended use this community string.
.IP "trapsink HOST [COMMUNITY [PORT]]"
.IP "trap2sink HOST [COMMUNITY [PORT]]"
.IP "informsink HOST [COMMUNITY [PORT]]"
These commands define
the hosts to receive traps (and/or inform notifications). The
daemon sends a Cold Start trap when it starts up. If enabled, it also sends
traps on authentication failures.  Multiple \fItrapsink\fR, \fItrap2sink\fR
and \fIinformsink\fR lines may be specified to specify multiple destinations.
Use \fItrap2sink\fR to send SNMPv2 traps and \fIinformsink\fR to send
inform notifications.
If COMMUNITY is not specified, the string from a preceding \fItrapcommunity\fR
directive will be used. If PORT is not specified, the well known SNMP trap
port (162) will be used.
.SH "PASS-THROUGH CONTROL"
.IP "pass MIBOID EXEC"
Passes entire control of MIBOID to the EXEC program.  The EXEC program
is called in one of the following three ways:
.RS
.IP "EXEC -g MIBOID"
.IP "EXEC -n MIBOID"
.IP
These call lines match to SNMP get and getnext requests.  It is
expected that the EXEC program will take the arguments passed to it
and return the appropriate response through it's stdout.  
.IP
The first line of stdout should be the mib OID of the returning value.
The second line should be the TYPE of value returned, where TYPE is
one of the text strings:
.B string, integer, unsigned, objectid, timeticks, ipaddress, counter, 
or
.B gauge.
The third line of stdout should be the VALUE corresponding with the
returned TYPE.
.IP
For instance, if a script was to return the value integer value "42"
when a request for .1.3.6.1.4.100 was requested, the script should
return the following 3 lines:
.br
.RS
  .1.3.6.1.4.100
.br
  integer
.br
  42
.RE
.IP
To indicate that the script is unable to comply with the request due
to an end-of-mib condition or an invalid request, simple exit and
return no output to stdout at all.  A snmp error will be generated
corresponding to the SNMP NO-SUCH-NAME response.
.IP "EXEC -s MIBOID TYPE VALUE"
.IP 
For SNMP set requests, the above call method is used.  The TYPE passed
to the EXEC program is one of the text strings:
.B integer, counter, gauge, timeticks, ipaddress, objid,
or 
.B string,
indicating the type of value passed in the next argument.
.IP
Return nothing to stdout, and the set will assumed to have been
successful.  Otherwise, return one of the following error strings to
signal an error:
.B not-writable, 
or 
.B wrong-type
and the appropriate error response will be generated instead.
.RS
.IP Note:
By default, the only community allowed to write (ie snmpset) to your
script will be the "private" community,or community #2 if defined
differently by the "community" token discussed above.  Which
communities are allowed write access are controlled by the RWRITE
definition in the snmplib/snmp_impl.h source file.
.RE
.RE
.SH "EXAMPLE"
See the EXAMPLE.CONF file in the top level source directory for a more
detailed example of how the above information is used in real
examples.
.SH "RE-READING snmpd.conf and snmpd.local.conf"
The ucd-snmp agent can be forced to re-read its configuration files.
It can be told to do so by one of two ways:
.IP 1.
An snmpset of integer(1) to 1.3.6.1.4.1.2021.100.VERUPDATECONFIG.
.IP 2.
A "kill -HUP" signal sent to the snmpd agent process.
.SH "FILES"
share/snmp/snmpd.conf
.SH "SEE ALSO"
snmp_config(5), snmpd(1), EXAMPLE.conf, read_config(3).
.\" Local Variables:
.\"  mode: nroff
.\" End: