pwtokey Command

Purpose

Converts passwords into localized and nonlocalized authentication and privacy keys.

Syntax

pwtokey [ -e ] [ -d DebugLevel ] [ -p Protocol ] [ -u KeyUsage ] [ -s ] Password [ EngineID | HostName | IPAddress ]

Description

AIX® provides a facility called pwtokey that allows conversion of passwords into localized and nonlocalized authentication and privacy keys. The pwtokey procedure takes as input a password and an identifier of the agent and generates authentication and privacy keys. Since the procedure used by the pwtokey facility is the same algorithm used by the clsnmp command, the person configuring the SNMP agent can generate appropriate authentication and privacy keys to put in the snmpd.conf file for a user, given a particular password and the IP address at which the agent will run.

If the IP address or the hostname is specified, the SNMP agent must be an AIX agent. The engineID will be created using a vendor-specific formula that incorporates the IP address of the agent and an enterprise ID representing AIX.

Flags

Item Description
-d DebugLevel This flag indicates what level of debug information is desired. Debug tracing is either on or off, so a value of 1 causes debug tracing to be generated to the screen of the command issuer (sysout), and a value of 0 specifies that no debug tracing be generated. Debug tracing is off (0) by default.
-e This flag indicates that the agent for which the key is being defined is identified by engineID rather than by IP address or host name.
-p Protocol This flag indicates the protocols for which the keys should be generated. Valid values are:
HMAC-MD5
Generates keys for use with the HMAC-MD5 authentication protocol.
HMAC-SHA
Generates keys for use with the HMAC-SHA authentication protocol.
all
Generates both HMAC-MD5 and HMAC-SHA keys.
The default is that keys for the HMAC-MD5 protocol are generated.
-s This flag indicates that output data should be displayed with additional spaces to improve readability. By default, data is displayed in a condensed format to facilitate cut-and-paste operations on the keys into configuration files or command lines.
-u KeyUsage This flag indicates the usage intended for the key. Valid values are:
auth
An authentication key.
priv
A privacy key.
all
Both authentication and privacy keys.
Note: There is no difference between a key generated for authentication and a key generated for privacy. However, the length of privacy keys depends on whether the key is localized or not.

Parameters

Item Description
EngineID Specifies the engineID of the SNMP agent at which the key will be used. The engineID is determined at SNMP agent initialization from the snmpd.boots file. The engineID must be a string of 1-32 octets (2-64 hex digits). The default is that the agent identification is not an engineID.
HostName Specifies the SNMP agent at which the key will be used on an SNMP request.
IPAddress Specifies an IPv4 or an IPv6 address of the SNMP agent at which the key will be used on an SNMP request.
Password Specifies the text string to be used in generating the keys. The password must be in the range of 8-255 characters long. In general, while any printable characters can be used in the passwords, the AIX shell may interpret some characters rather than passing them to the pwtokey command. Include passwords in single quotes to avoid interpretation of the characters by the AIX shell.
Note: This password is not related to the community name (or "password") used with community-based security (SNMPv1 and SNMPv2c). This password is used only to generate keys for user-based security, an entirely different security scheme.
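The following worked example is added here to illustrate the key derivation described above; it is not the AIX pwtokey source or the clsnmp code. It assumes the derivation is the standard SNMPv3 USM password-to-key procedure (RFC 3414 Appendix A.2: the password is repeated out to 1 MiB and hashed to give the nonlocalized key, which is then localized as hash(Ku || engineID || Ku)), and it takes the engineID explicitly, as the -e form does, because the vendor-specific formula that builds an engineID from an IP address is not documented on this page. The Password and EngineID length checks and the 16-byte truncation of the localized privacy key for DES follow the Parameters and Examples sections; the function and constant names are the example's own.

```python
import hashlib

# Hash function behind each protocol accepted by the -p flag.
PROTOCOLS = {"HMAC-MD5": "md5", "HMAC-SHA": "sha1"}
# Localized privacy keys are truncated to 16 bytes, the DES key length.
DES_KEY_LEN = 16
# RFC 3414 A.2 expands the password to 1 MiB before hashing.
EXPANDED_LEN = 1048576


def check_password(password: str) -> bytes:
    """Enforce the documented 8-255 character range for Password."""
    if not 8 <= len(password) <= 255:
        raise ValueError("password must be 8-255 characters long")
    return password.encode("ascii")


def parse_engine_id(hex_digits: str) -> bytes:
    """EngineID is given as 2-64 hex digits, i.e. 1-32 octets."""
    engine_id = bytes.fromhex(hex_digits)
    if not 1 <= len(engine_id) <= 32:
        raise ValueError("engineID must be 1-32 octets (2-64 hex digits)")
    return engine_id


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Nonlocalized key Ku (assumed RFC 3414 A.2): hash of the password
    repeated, and cut, to exactly 1 MiB. Depends on the password only, which
    is why the IPv4 and IPv6 examples on this page print the same authKey."""
    expanded = (password * (EXPANDED_LEN // len(password) + 1))[:EXPANDED_LEN]
    return hashlib.new(hash_name, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Localized key Kul = hash(Ku || engineID || Ku); it is usable only at
    the agent that owns engineID, so a leaked Kul does not yield other agents' keys."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def derive_keys(password: str, engine_id_hex: str,
                protocol: str = "HMAC-MD5", usage: str = "auth") -> dict:
    """Mirror the pwtokey output: keys for the given -p protocol and -u usage.
    Returns hex strings keyed by the labels pwtokey prints."""
    hash_name = PROTOCOLS[protocol]
    pw = check_password(password)
    engine_id = parse_engine_id(engine_id_hex)
    ku = password_to_key(pw, hash_name)
    kul = localize_key(ku, engine_id, hash_name)
    keys = {}
    if usage in ("auth", "all"):
        keys["authKey"] = ku.hex()
        keys["localized authKey"] = kul.hex()
    if usage in ("priv", "all"):
        # No difference between an auth and a priv key, except that the
        # localized privacy key is truncated to the DES length.
        keys["privKey"] = ku.hex()
        keys["localized privKey"] = kul[:DES_KEY_LEN].hex()
    return keys


if __name__ == "__main__":
    # Constructed inputs: the RFC 3414 A.3 test password and engineID.
    for proto in ("HMAC-MD5", "HMAC-SHA"):
        for label, value in derive_keys("maplesyrup", "000000000000000000000002",
                                        proto, "all").items():
            print(f"Display of {len(value) // 2} byte {proto} {label}:\n {value}\n")
```

Because the nonlocalized key never depends on the agent, it is the one placed in the clsnmp configuration, while the localized key, bound to a single engineID, is what belongs in snmpd.conf; the note in the Examples section about using different passwords for authentication and privacy follows directly from privKey and authKey being identical whenever one password is used.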

Security

Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.

Examples

  1. This example shows a simple invocation of the pwtokey command:
    pwtokey testpassword 9.67.113.79
    The output from this command looks similar to the following:
    Display of 16 byte HMAC-MD5 authKey: 
     775b109f79a6b71f94cca5d22451cc0e
    
    Display of 16 byte HMAC-MD5 localized authKey: 
     de25243d5c2765f0ce273e4bcf941701
    As this example shows, the pwtokey command generates two keys: one that is localized (has been tailored to be usable only at the agent identified) and one that has not been localized. Typically, the localized key is used in the configuration for the SNMP agent. The nonlocalized key is used in the configuration for the clsnmp command.
  2. The pwtokey command can be invoked requesting HMAC-SHA keys for both authentication and privacy, as in the following example:
    pwtokey -p HMAC-SHA -u all testpassword 9.67.113.79
    The output of this command looks similar to the following:
    Display of 20 byte HMAC-SHA authKey: 
     b267809aee4b8ef450a7872d6e348713f04b9c50 
    
    Display of 20 byte HMAC-SHA localized authKey: 
     e5438092d1098a43e27e507e50d32c0edaa39b7c 
    
    Display of 20 byte HMAC-SHA privKey: 
     b267809aee4b8ef450a7872d6e348713f04b9c50 
    
    Display of 16 byte HMAC-SHA localized privKey: 
     e5438092d1098a43e27e507e50d32c0e
    The output for the privacy keys is the same as the output for the authentication keys, except that the localized privacy key has been truncated to 16 bytes, as is required for DES.
    Note: If encryption is used, it is more secure to use different passwords for authentication and privacy.
  3. The following example shows the pwtokey command invoked with an IPv6 address:
    pwtokey testpassword 2000:1:1:1:209:6bff:feae:6d67
    The output from this command looks similar to the following:
    Display of 16 byte HMAC-MD5 authKey:
     775b109f79a6b71f94cca5d22451cc0e
    
    Display of 16 byte HMAC-MD5 localized authKey:
     2a30fe53690fa6b62dba3f9ea30e11fb
    As this example shows, the pwtokey command generates two keys: one that is localized (has been tailored to be usable only at the agent identified) and one that has not been localized. Typically, the localized key is used in the configuration for the SNMP agent. The nonlocalized key is used in the configuration for the clsnmp command. Here the SNMP agent at which the key will be used on an SNMP request is identified by an IPv6 address.