11.2. Defining Users

This section provides guidance on how to define users in the User-based Security Model.

Clone-From Template Users

The recommended approach for defining users is to use template users for cloning. A template user is a user defined at the authoritative SNMP engine that serves as a source for cloning to create new users.

Process:

  1. Define a template user at the authoritative engine with:

    • Authentication protocol
    • Privacy protocol
    • Localized authentication key
    • Localized privacy key
  2. Use the usmUserCloneFrom object to clone the template user to create a new user at either:

    • The same authoritative engine, or
    • A non-authoritative engine
  3. After cloning, use usmUserAuthKeyChange and usmUserPrivKeyChange to set unique keys for the new user.
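The clone-then-rekey process above can be modelled end to end. The following is an added example written for this page, not code from RFC 3414 or from any SNMP implementation: a minimal in-memory `usmUserTable` (the `UsmUser` and `UsmUserTable` names are this example's own) in which `clone` copies the template's protocols and keys, and `keychange_encode`/`keychange_decode` implement the KeyChange textual convention (random || delta, delta = H(old key || random) XOR new key, chained over digest-sized segments) that usmUserAuthKeyChange and usmUserPrivKeyChange carry. The privacy cipher itself is not modelled; the `"des"` label is only a placeholder.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keychange_encode(old_key: bytes, new_key: bytes, hash_name: str,
                     random_bytes: Optional[bytes] = None) -> bytes:
    """Manager side of KeyChange: returns random || delta (2L octets for an L-octet key).

    Each delta segment is H(previous || random) XOR the matching new-key segment,
    where 'previous' is the old key for the first segment and the prior delta
    segment afterwards. The last segment is truncated to the remaining key length.
    """
    key_len = len(old_key)
    if len(new_key) != key_len:
        raise ValueError("old and new key must have the same length")
    if random_bytes is None:
        random_bytes = secrets.token_bytes(key_len)   # fresh per key change
    digest_len = hashlib.new(hash_name).digest_size
    iterations = (key_len - 1) // digest_len          # full segments before the last
    temp, delta = old_key, b""
    for i in range(iterations):
        temp = hashlib.new(hash_name, temp + random_bytes).digest()
        seg = _xor(temp, new_key[i * digest_len:(i + 1) * digest_len])
        delta += seg
        temp = seg                                    # chain on the delta segment
    temp = hashlib.new(hash_name, temp + random_bytes).digest()
    start = iterations * digest_len
    delta += _xor(temp[:key_len - start], new_key[start:])
    return random_bytes + delta


def keychange_decode(old_key: bytes, key_change: bytes, hash_name: str) -> bytes:
    """Agent side: recover the new key from random || delta and the current key."""
    key_len = len(old_key)
    if len(key_change) != 2 * key_len:
        raise ValueError("KeyChange value must be twice the key length")
    random_bytes, delta = key_change[:key_len], key_change[key_len:]
    digest_len = hashlib.new(hash_name).digest_size
    iterations = (key_len - 1) // digest_len
    temp, new_key = old_key, b""
    for i in range(iterations):
        temp = hashlib.new(hash_name, temp + random_bytes).digest()
        seg = delta[i * digest_len:(i + 1) * digest_len]
        new_key += _xor(temp, seg)
        temp = seg
    temp = hashlib.new(hash_name, temp + random_bytes).digest()
    start = iterations * digest_len
    new_key += _xor(temp[:key_len - start], delta[start:])
    return new_key


@dataclass
class UsmUser:
    """One usmUserTable row, reduced to the columns that cloning touches."""
    name: str
    auth_protocol: str      # hash behind the auth protocol: "md5" or "sha1"
    priv_protocol: str      # label only (constructed); the cipher is not modelled
    auth_key: bytes         # localized authentication key
    priv_key: bytes         # localized privacy key
    clone_from: Optional[str] = None


class UsmUserTable:
    def __init__(self) -> None:
        self.rows: Dict[str, UsmUser] = {}

    def add(self, user: UsmUser) -> None:
        self.rows[user.name] = user

    def clone(self, new_name: str, template_name: str) -> UsmUser:
        """usmUserCloneFrom: the new row inherits the template's protocols AND keys."""
        if new_name in self.rows:
            raise ValueError("usmUserCloneFrom is only honoured when the row is created")
        t = self.rows[template_name]
        row = UsmUser(new_name, t.auth_protocol, t.priv_protocol,
                      t.auth_key, t.priv_key, template_name)
        self.rows[new_name] = row
        return row

    def set_auth_key_change(self, name: str, value: bytes) -> None:
        row = self.rows[name]
        row.auth_key = keychange_decode(row.auth_key, value, row.auth_protocol)

    def set_priv_key_change(self, name: str, value: bytes) -> None:
        # The privacy key change is computed with the user's AUTH hash as well.
        row = self.rows[name]
        row.priv_key = keychange_decode(row.priv_key, value, row.auth_protocol)


def provision_user(table: UsmUserTable, template_name: str, new_name: str,
                   new_auth_key: bytes, new_priv_key: bytes) -> UsmUser:
    """Steps 2 and 3 of the process: clone, then replace both inherited keys."""
    row = table.clone(new_name, template_name)
    table.set_auth_key_change(
        new_name, keychange_encode(row.auth_key, new_auth_key, row.auth_protocol))
    table.set_priv_key_change(
        new_name, keychange_encode(row.priv_key, new_priv_key, row.auth_protocol))
    return row


if __name__ == "__main__":
    table = UsmUserTable()   # constructed sample template with fixed (non-secret) keys
    table.add(UsmUser("template", "md5", "des", bytes(range(16)), bytes(range(16, 32))))
    alice = provision_user(table, "template", "alice", b"A" * 16, b"P" * 16)
    print("alice auth key differs from template:",
          alice.auth_key != table.rows["template"].auth_key)
```

The point the model makes concrete is step 3: immediately after `clone`, the new row is authenticated by the template's keys, so anyone holding those keys is also the new user until the key change has been applied.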

Password-Based Key Derivation

When creating users, passwords can be converted to keys using the password-to-key algorithm defined in Appendix A.2. This algorithm:

  1. Takes a password (arbitrary length OCTET STRING)
  2. Applies a hash function (MD5 or SHA) repeatedly
  3. Produces a key of the appropriate length

Important: Different passwords may produce the same key if they consist of repetitive patterns: the algorithm hashes the password repeated end to end to fill a fixed-size buffer, so any two passwords that yield the same repeated stream yield the same key. For example, the passwords "maplesyrupmaples" and "maplesyrup" may produce similar intermediate hash values. Therefore:

  • Avoid repetitive password patterns
  • Use passwords at least 8 characters long
  • Ensure password complexity
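The password-to-key algorithm and the collision caveat above can be checked directly. The following is an added example for this page, not code from the RFC or from any SNMP implementation: `password_to_ku` repeats the password to fill a 1,048,576-octet stream and hashes it (RFC 3414 A.2), `localize_key` binds the result to one engine as H(Ku || snmpEngineID || Ku), and `same_key` shows why an exact repetition of a shorter password ("abcabc" versus "abc") derives the identical key. `RFC_TEST_ENGINE_ID` is the engine ID used by the RFC's own test vectors; the function names are this example's own.

```python
import hashlib

# RFC 3414 A.2: the password is repeated to fill exactly 1,048,576 octets before hashing.
PASSWORD_STREAM_LEN = 1048576

# Engine ID from the RFC 3414 A.3 test vectors (12 octets ending in 0x02).
RFC_TEST_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def password_to_ku(password: bytes, hash_name: str = "md5") -> bytes:
    """Non-localized key Ku = H(password repeated to 1,048,576 octets)."""
    if not password:
        raise ValueError("password must not be empty")
    reps, rem = divmod(PASSWORD_STREAM_LEN, len(password))
    stream = password * reps + password[:rem]        # exactly PASSWORD_STREAM_LEN octets
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Localized key Kul = H(Ku || snmpEngineID || Ku), unique per authoritative engine."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def password_to_localized_key(password: bytes, engine_id: bytes,
                              hash_name: str = "md5") -> bytes:
    """Full derivation used when a user is created from a password."""
    return localize_key(password_to_ku(password, hash_name), engine_id, hash_name)


def same_key(p1: bytes, p2: bytes, engine_id: bytes, hash_name: str = "md5") -> bool:
    """True when two different passwords derive the identical localized key."""
    return (password_to_localized_key(p1, engine_id, hash_name)
            == password_to_localized_key(p2, engine_id, hash_name))


if __name__ == "__main__":
    for h in ("md5", "sha1"):
        kul = password_to_localized_key(b"maplesyrup", RFC_TEST_ENGINE_ID, h)
        print(f"Kul({h}) for 'maplesyrup' =", kul.hex())
    # The repeated stream for "abcabc" is byte-for-byte the stream for "abc".
    print("'abc' and 'abcabc' give the same key:",
          same_key(b"abc", b"abcabc", RFC_TEST_ENGINE_ID))
```

Running it with the RFC's sample password and engine ID reproduces the Ku and Kul values listed in RFC 3414 A.3.1 (MD5) and A.3.2 (SHA), which is a quick way to validate any password-to-key implementation before trusting it with real credentials.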

User Table Management

Users are stored in the usmUserTable. Each entry contains:

  • usmUserEngineID: The snmpEngineID of the SNMP engine
  • usmUserName: The user name
  • usmUserSecurityName: The security name
  • usmUserCloneFrom: The template user to clone from
  • usmUserAuthProtocol: The authentication protocol
  • usmUserAuthKeyChange: Object for changing authentication key
  • usmUserOwnAuthKeyChange: Object for changing own authentication key
  • usmUserPrivProtocol: The privacy protocol
  • usmUserPrivKeyChange: Object for changing privacy key
  • usmUserOwnPrivKeyChange: Object for changing own privacy key
  • usmUserPublic: A publicly readable and writable object
  • usmUserStorageType: The storage type
  • usmUserStatus: The row status

Security Considerations for User Definition

  1. Initial User: At least one user MUST be defined with appropriate security credentials before the SNMP engine can be used for authenticated communication.

  2. Key Strength: Ensure that the keys (whether derived from passwords or randomly generated) have sufficient entropy to resist brute-force attacks.

  3. User Rights: Define users with the minimum necessary privileges. Use the View-based Access Control Model (VACM) to restrict what each user can access.

  4. User Lifecycle: Establish procedures for:

    • Creating users securely
    • Updating user credentials periodically
    • Disabling or deleting users when they are no longer needed
    • Auditing user activities