I have the following questions about the configuration of snmpd service on Ubuntu server 16.04 LTS:

Question 1:

In the /etc/snmp/snmpd.conf, there is a snippet of comment:

###############################################################################
#
#  SNMPv3 AUTHENTICATION
#
#  Note that these particular settings don't actually belong here.
#  They should be copied to the file /var/lib/snmp/snmpd.conf
#     and the passwords changed, before being uncommented in that file *only*.
#  Then restart the agent

Note the "They should be copied to the file /var/lib/snmp/snmpd.conf" part.

But in the /var/lib/snmp/snmpd.conf, there's another snippet of comment:

############################################################################
# STOP STOP STOP STOP STOP STOP STOP STOP STOP 
#
#          **** DO NOT EDIT THIS FILE ****
#
# STOP STOP STOP STOP STOP STOP STOP STOP STOP 
############################################################################

So should I create the user in /var/lib/snmp/snmpd.conf or not?

Question 2:

Should the password part of createUser be cleartext or digest?

Aetherus

1 Answer

This was frustrating for me too and I ran into a few bumps on the road but I think I have deciphered it now.

Issuing, i.e., the statement createUser mysnmpuser SHA "mystrongpassword" AES in /etc/snmp/snmpd.conf and restarting the snmpd service will generate configuration for mysnmpuser in /var/lib/snmp/snmpd.conf.

After the service restart, the password in /etc/snmp/snmpd.conf won't be used again. Hence the recommendation to remove it from the configuration file.

  • SHA - Means that the password will be hashed using SHA when authenticating.
  • AES - Means that the payload of each packet will be encrypted using AES (using mystrongpassword as key).

You can test your configuration by issuing this command:

snmpwalk -v3 -l authPriv -u mysnmpuser -a SHA -A mystrongpassword -x AES -X mystrongpassword localhost

Please also note that you then also need to add the statement rouser mysnmpuser * (or whatever permission you want to assign to the user) further down in /etc/snmp/snmpd.conf.

Hope that helps someone else!

PatrikJ
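A check for the cleanup step described in the answer above, as an added example that is not part of the original post or of Net-SNMP: it scans a config file for createUser lines that still carry a passphrase, passphrases shorter than Net-SNMP's 8-character minimum, and users created without a rouser/rwuser line. The function name audit_snmpd_conf and the finding labels are assumptions; fields are split on whitespace, so passphrases containing spaces are not handled.

```shell
#!/bin/sh
# Added example: audit an snmpd.conf for SNMPv3 user hygiene.
# audit_snmpd_conf FILE prints one finding per line:
#   PLAINTEXT <user>  createUser line (with its passphrase) is still in the file
#   SHORTPASS <user>  auth passphrase is shorter than 8 characters
#   NOACCESS  <user>  createUser has no matching rouser/rwuser line
audit_snmpd_conf() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        tolower($1) == "createuser" {
            i = 2
            if ($i == "-e") i += 2               # optional "-e ENGINEID" prefix
            user = $i
            pass = $(i + 2)                      # user, auth type, auth passphrase
            gsub(/^"|"$/, "", pass)              # strip surrounding quotes
            created[user] = 1
            print "PLAINTEXT", user
            if (pass != "" && length(pass) < 8) print "SHORTPASS", user
        }
        tolower($1) == "rouser" || tolower($1) == "rwuser" { access[$2] = 1 }
        END {
            # a created user with no access directive cannot query anything
            for (u in created) if (!(u in access)) print "NOACCESS", u
        }
    ' "$1"
}

# Stand-alone use: sh audit.sh /etc/snmp/snmpd.conf
if [ "$#" -gt 0 ]; then
    audit_snmpd_conf "$1"
fi
```

Run it against /etc/snmp/snmpd.conf after restarting snmpd; a PLAINTEXT finding means the createUser line has not yet been removed from that file.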