pwtokey Command
Purpose
Converts passwords into localized and nonlocalized authentication and privacy keys.
Syntax
pwtokey [-e ] [ -d DebugLevel ] [ -p Protocol ] [ -u KeyUsage ] [ -s ] Password [ EngineID | HostName | IPAddress ]
Description
AIX® provides a facility called pwtokey that allows conversion of passwords into localized and nonlocalized authentication and privacy keys. The pwtokey procedure takes as input a password and an identifier of the agent and generates authentication and privacy keys. Since the procedure used by the pwtokey facility is the same algorithm used by the clsnmp command, the person configuring the SNMP agent can generate appropriate authentication and privacy keys to put in the snmpd.conf file for a user, given a particular password and the IP address at which the agent will run.
If the IP address or the hostname is specified, the SNMP agent must be an AIX agent. The engineID will be created using a vendor-specific formula that incorporates the IP address of the agent and an enterprise ID representing AIX.
Flags
Item | Description |
---|---|
-d DebugLevel | This flag indicates what level of debug information is desired. Debug tracing is either on or off, so a value of 1 causes debug tracing to be generated to the screen of the command issuer (sysout), and a value of 0 specifies that no debug tracing be generated. Debug tracing is off (0) by default. |
-e | This flag indicates that the agent for which the key is being defined is identified by engineID rather than by IP address or host name. |
-p Protocol | This flag indicates the protocol for which the keys should be generated. Valid values include HMAC-MD5 (the default, as the first example below shows) and HMAC-SHA. |
-s | This flag indicates that output data should be displayed with additional spaces to improve readability. By default, data is displayed in a condensed format to facilitate cut-and-paste operations on the keys into configuration files or command lines. |
-u KeyUsage | This flag indicates the usage intended for the key. Valid values are auth (authentication keys only; the default), priv (privacy keys only) and all (both authentication and privacy keys, as in the second example below). |
Parameters
Item | Description |
---|---|
EngineID | Specifies the engineID of the SNMP agent at which the key will be used. The engineID is determined at SNMP agent initialization from the snmpd.boots file. The engineID must be a string of 1-32 octets (2-64 hex digits). The default is that the agent identification is not an engineID. |
HostName | Specifies the SNMP agent at which the key will be used on an SNMP request. |
IPAddress | Specifies an IPv4 or an IPv6 address of the SNMP agent at which the key will be used on an SNMP request. |
Password | Specifies the text string to be used in generating the keys. The password must be 8-255 characters long. In general, any printable characters can be used in the password, but the AIX shell may interpret some characters rather than passing them to the pwtokey command; enclose the password in single quotes to avoid interpretation of the characters by the shell. Note: This password is not related to the community name (or "password") used with community-based security (SNMPv1 and SNMPv2c). It is used only to generate keys for user-based security, an entirely different security scheme. |
Security
Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.
Examples
- This example shows a simple invocation of the pwtokey command:

  ```
  pwtokey testpassword 9.67.113.79
  ```

  The output from this command looks similar to the following:

  ```
  Display of 16 byte HMAC-MD5 authKey: 775b109f79a6b71f94cca5d22451cc0e
  Display of 16 byte HMAC-MD5 localized authKey: de25243d5c2765f0ce273e4bcf941701
  ```

  As this example shows, pwtokey generates two keys: one that is localized (tailored to be usable only at the agent identified) and one that has not been localized. Typically, the localized key is used in the configuration for the SNMP agent. The nonlocalized key is used in the configuration for the clsnmp command.

- The pwtokey command can be invoked requesting HMAC-SHA keys for both authentication and privacy, as in the following example:

  ```
  pwtokey -p HMAC-SHA -u all testpassword 9.67.113.79
  ```

  The output of this command looks similar to the following:

  ```
  Display of 20 byte HMAC-SHA authKey: b267809aee4b8ef450a7872d6e348713f04b9c50
  Display of 20 byte HMAC-SHA localized authKey: e5438092d1098a43e27e507e50d32c0edaa39b7c
  Display of 20 byte HMAC-SHA privKey: b267809aee4b8ef450a7872d6e348713f04b9c50
  Display of 16 byte HMAC-SHA localized privKey: e5438092d1098a43e27e507e50d32c0e
  ```

  The output for the privacy keys is the same as the output for the authentication keys, except that the localized privacy key has been truncated to 16 bytes, as is required for DES.

  Note: If encryption is used, it is more secure to use different passwords for authentication and privacy.

- The following example shows the pwtokey command being used with an IPv6 address:

  ```
  pwtokey testpassword 2000:1:1:1:209:6bff:feae:6d67
  ```

  The output from this command looks similar to the following:

  ```
  Display of 16 byte HMAC-MD5 authKey: 775b109f79a6b71f94cca5d22451cc0e
  Display of 16 byte HMAC-MD5 localized authKey: 2a30fe53690fa6b62dba3f9ea30e11fb
  ```

  As this example shows, the pwtokey command again generates two keys: one that is localized (tailored to be usable only at the agent identified) and one that has not been localized. Typically, the localized key is used in the configuration for the SNMP agent and the nonlocalized key in the configuration for the clsnmp command. Here the SNMP agent at which the key will be used on an SNMP request is identified by an IPv6 address; because the engineID derived from it differs, the localized key differs from the IPv4 example while the nonlocalized key is the same.