encode_keychange - produce the KeyChange string for SNMPv3
encode_keychange -t md5|sha1 [OPTIONS]
encode_keychange produces a KeyChange string from the old
and new passphrases, as described in Section 5 of RFC 2274 "User-based
Security Model (USM) for version 3 of the Simple Network Management Protocol
(SNMPv3)". The -t option is mandatory and specifies the hash
transform type to use.
The transform is used to convert the passphrase to the master key for a
given user (Ku), to convert the master key to the localized key (Kul), and to
hash the old Kul with the random bits.
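The three uses of the transform described above, as an added Python example (not code from encode_keychange or its project). The function names are hypothetical, the engineID and passphrases are constructed samples, and the 1 MB passphrase expansion and the "random || XOR" layout are taken from the USM RFC the page cites, assuming keys of the same length as the hash output.

```python
import hashlib
import os

ONE_MEGABYTE = 1048576  # length the passphrase is repeated to before hashing

def passphrase_to_ku(passphrase: bytes, transform: str) -> bytes:
    """Passphrase -> master key Ku: hash the passphrase repeated out to 1 MB."""
    if not passphrase:
        raise ValueError("empty passphrase")
    repeats = ONE_MEGABYTE // len(passphrase) + 1
    return hashlib.new(transform, (passphrase * repeats)[:ONE_MEGABYTE]).digest()

def localize(ku: bytes, engine_id: bytes, transform: str) -> bytes:
    """Ku -> localized key Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(transform, ku + engine_id + ku).digest()

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def make_keychange(old_kul: bytes, new_kul: bytes, transform: str,
                   random_bits: bytes = None) -> bytes:
    """KeyChange = random || (H(old Kul || random) XOR new Kul)."""
    if len(old_kul) != len(new_kul):
        raise ValueError("old and new Kul must have the same length")
    if random_bits is None:
        random_bits = os.urandom(len(old_kul))  # fresh for every key change
    if len(random_bits) != len(old_kul):
        raise ValueError("random component must match the key length")
    digest = hashlib.new(transform, old_kul + random_bits).digest()
    return random_bits + xor_bytes(digest, new_kul)

def apply_keychange(old_kul: bytes, keychange: bytes, transform: str) -> bytes:
    """Receiving side: recover the new Kul from the old Kul and the KeyChange."""
    n = len(old_kul)
    if len(keychange) != 2 * n:
        raise ValueError("KeyChange must be twice the key length")
    random_bits, delta = keychange[:n], keychange[n:]
    digest = hashlib.new(transform, old_kul + random_bits).digest()
    return xor_bytes(digest, delta)

def demo(transform: str = "sha1") -> bool:
    engine_id = bytes.fromhex("000000000000000000000002")  # constructed sample
    old_kul = localize(passphrase_to_ku(b"old passphrase", transform), engine_id, transform)
    new_kul = localize(passphrase_to_ku(b"new passphrase", transform), engine_id, transform)
    keychange = make_keychange(old_kul, new_kul, transform)
    return apply_keychange(old_kul, keychange, transform) == new_kul

if __name__ == "__main__":
    print("round trip recovers new Kul:", demo("sha1"))
```

Only a holder of the old Kul can recover the new Kul from the KeyChange string, which is why the new key never has to cross the wire in the clear.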
Passphrases are obtained by examining the following sources, in the order
listed, until one succeeds:
- command line options (see the -N and -O options below);
- the file $HOME/.snmp/passphrase.ek, which should contain only two
lines, with the old and new passphrases;
- standard input -or- user input from the terminal.
- -E [0x]<engineID>
    EngineID used for Kul generation. <engineID> is interpreted as a hex
    string when preceded by 0x, otherwise it is treated as a text string.
    If no <engineID> is specified, it is constructed from the first IP
    address for the local host.
- -f
    Force passphrases to be read from standard input.
- -h
    Display the help message.
- -N "<new_passphrase>"
    Passphrase used to generate the new Ku.
- -O "<old_passphrase>"
    Passphrase used to generate the old Ku.
- -P
    Turn off the prompt for passphrases when getting data from standard
    input.
- -v
    Be verbose.
- -V
    Echo passphrases to terminal.
The localized key method is defined in RFC 2274, Sections 2.6 and
A.2, and originally documented in
- U. Blumenthal, N. C. Hien, B. Wijnen, "Key Derivation for Network
Management Applications", IEEE Network Magazine, April/May issue,
1997.