Vyatta documentation

User Management Commands

User management commands can be found in this section.

loadkey

Loads a shared public key for a Secure Shell (SSH) user.

loadkey user file-name
user
The name of a user with which to associate a public key. The user must already be defined on the vRouter.
file-name
The name of a shared public key file, including the full path to its location. A shared public key file is typically generated on the remote system by using the Linux ssh-keygen command and has a .pub extension. Its contents include the authentication type (for example, ssh-rsa or ssh-dsa), the key, and the remote system user ID (for example, name@domain.com).

Configuration mode

Use this command to load a shared public key for SSH from a file into the public-keys configuration for a user (refer to the system login user <user> authentication public-keys <key-id> command). Loading a key from a file avoids having to enter the shared public key manually.

Note: This command can be run only if there are no uncommitted changes.

The shared public key, generated on the remote system, can be loaded from a hard disk (including a Flash disk or USB device), a TFTP server, an FTP server, an SCP server, or an HTTP server.

If a public key is loaded that contains a remote system user ID that is the same as an existing public-keys name for a user, the existing key is overwritten.

The following table shows how to specify the syntax for files from different file locations.

Table 1. Specifying locations for the shared public key file
Location Specification

An absolute path on the local system

Use standard UNIX file specification.

FTP server

Use the following syntax for file-name:

ftp://user:passwd@host/key-file

where user is the username on the host, passwd is the password associated with the username, host is the host name or IP address of the FTP server, and key-file is the key file, including the path.

If you do not specify user and passwd, you are prompted for them.

SCP server

Use the following syntax for file-name:

scp://user:passwd@host/key-file

where user is the username on the host, passwd is the password associated with the username, host is the host name or IP address of the SCP server, and key-file is the key file, including the path.

If you do not specify user and passwd, you are prompted for them.

HTTP server

Use the following syntax for file-name:

http://host/key-file

where host is the host name or IP address of the HTTP server, and key-file is the key file, including the path.

TFTP server

Use the following syntax for file-name:

tftp://host/key-file

where host is the host name or IP address of the TFTP server, and key-file is the key file, including the path relative to the TFTP root directory.

show login

Displays the login credentials of the current user.

show login [ groups | level | user ]

Displays all credentials of the current user.

groups
Displays the groups to which the user belongs.
level
Displays the login level of the user.
user
Displays the login ID of the user.

Operational mode

Use this command to display the login credentials of the current user.

The following example shows how to display the login credentials of the current user.


vyatta@R1:~$ show login 
login     : vyatta   pts/0        Aug 11 17:19 (192.168.1.150)
level     : admin
user      : vyatta
groups    : users adm disk sudo dip vyattacfg
vyatta@R1:~$

show system login users

Displays information about user accounts.

show system login users [ all | locked | other | vyatta ]

Displays information about vRouter accounts.

all
Displays information about all accounts.
locked
Displays information about locked accounts.
other
Displays information about non-vRouter accounts.
vyatta
Displays information about vRouter accounts.

Operational mode

Use this command to display information about system accounts including information about the last time each user logged in.

The following example shows how to display information about vRouter user accounts on R1.


vyatta@vyatta#  show system login user
user Vyatta {
     authentication {
         encrypted-password $1$4XHPj9eT$G3ww9B/pYDLSXC8YVvazP0
     }
     level admin
 }

show system tacplus status

Displays the status of TACACS+.

show system tacplus status

Operational mode

Use this command to display the status of TACACS+.

The following example shows how to display the status of TACACS+. In this example, the (active) label, which appears next to a server address, has no bearing on the success of the attempted connection. This label identifies the last TACACS+ server to which the vRouter tried to connect.


vyatta@vyatta:~$ show system tacplus status
Server address: 192.168.122.7 (active)
Server port: 49
Authentication requests/replies: 1/1
Authorization requests/replies: 2/2
Accounting requests/replies: 5/5
Failed connects: 0

Server address: 192.168.122.6
Server port: 60
Authentication requests/replies: 0/0
Authorization requests/replies: 0/0
Accounting requests/replies: 0/0
Failed connects: 1

The following example shows the message that is displayed if TACACS+ is not configured.


vyatta@vyatta:~$ show system tacplus status
Tacplus daemon is not running.

The following example shows that the TACACS+ server at 1.1.1.1 runs in the VRF named red.


vyatta@vyatta:~$ show system tacplus status
VRF red
Server address: 1.1.1.1 (active)
Server port: 49
Authentication requests/replies: 1/1
Authorization requests/replies: 2/2
Accounting requests/replies: 4/4
Failed connects: 0
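The status text shown in the three examples above can be checked mechanically. The following is an added example, not part of the Vyatta documentation, that parses the output of show system tacplus status into one record per server (VRF-aware) and reports servers with failed connects or unanswered requests; it treats "(active)" only as "last server tried", as the text explains. The sample strings are constructed from the outputs shown above.

```python
"""Parse `show system tacplus status` output and flag servers that are not answering.

Added example, not Vyatta code. Format assumptions come from the examples above:
server blocks separated by blank lines, an optional 'VRF <name>' header line, the
'(active)' marker naming only the last server tried, and a fixed not-running message.
"""
import re
from typing import Dict, List, Optional

# Constructed samples, copied from the status outputs shown above.
SAMPLE_STATUS = """\
Server address: 192.168.122.7 (active)
Server port: 49
Authentication requests/replies: 1/1
Authorization requests/replies: 2/2
Accounting requests/replies: 5/5
Failed connects: 0

Server address: 192.168.122.6
Server port: 60
Authentication requests/replies: 0/0
Authorization requests/replies: 0/0
Accounting requests/replies: 0/0
Failed connects: 1
"""

SAMPLE_VRF_STATUS = """\
VRF red
Server address: 1.1.1.1 (active)
Server port: 49
Authentication requests/replies: 1/1
Authorization requests/replies: 2/2
Accounting requests/replies: 4/4
Failed connects: 0
"""

NOT_RUNNING = "Tacplus daemon is not running."
_PAIR = re.compile(r"^(Authentication|Authorization|Accounting) requests/replies: (\d+)/(\d+)$")


def parse_tacplus_status(text: str) -> Optional[List[Dict]]:
    """Return one dict per server, or None when the TACACS+ daemon is not running."""
    if text.strip() == NOT_RUNNING:
        return None
    servers: List[Dict] = []
    vrf = "default"            # servers listed without a VRF header
    current: Optional[Dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("VRF "):
            vrf = line.split(None, 1)[1]
            continue
        if line.startswith("Server address:"):
            addr = line.split(":", 1)[1].strip()
            active = addr.endswith("(active)")       # last server tried, not a health signal
            current = {"vrf": vrf, "address": addr.replace("(active)", "").strip(),
                       "last_tried": active, "failed_connects": 0}
            servers.append(current)
            continue
        if current is None:
            continue
        if line.startswith("Server port:"):
            current["port"] = int(line.split(":", 1)[1])
        elif line.startswith("Failed connects:"):
            current["failed_connects"] = int(line.split(":", 1)[1])
        else:
            m = _PAIR.match(line)
            if m:
                current[m.group(1).lower()] = (int(m.group(2)), int(m.group(3)))
    return servers


def unhealthy_servers(text: str) -> List[str]:
    """'vrf:address:port' for each server with failed connects or requests without replies."""
    servers = parse_tacplus_status(text)
    if servers is None:
        return ["<tacplus daemon not running>"]
    bad = []
    for s in servers:
        counters = (s.get(k, (0, 0)) for k in ("authentication", "authorization", "accounting"))
        unanswered = any(req != rep for req, rep in counters)
        if s["failed_connects"] > 0 or unanswered:
            bad.append(f"{s['vrf']}:{s['address']}:{s['port']}")
    return bad
```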

system login

Creates the configuration node for user management and authentication.

set system login
delete system login
show system login

Configuration mode


system {
    login {
    }
}

Use this command to create the configuration node for user management and authentication.

The login configuration node is a mandatory node. It is created automatically with default information when the system is first started. If this node is subsequently deleted, the system recreates it with default information.

Use the set form of this command to create the login configuration node.

Use the delete form of this command to restore default user and authentication information.

Use the show form of this command to display user and authentication configuration.

system login banner post-login <banner>

Creates the text of the post-login banner.

set system login banner post-login banner
delete system login banner post-login
show system login banner post-login

The system displays information about the operating system and copyright.

banner
The text (banner) to be displayed during login after a user enters a valid password. The banner must be enclosed in double quotation marks (“). Special characters such as new line (\n) and tab (\t) can also be entered.

Configuration mode


system {
    login {
        banner {
            post-login banner 
        }
    }
}

Use this command to create the text (banner) that appears when a user logs in to the system successfully.

Use the set form of this command to create the post-login banner.

Use the delete form of this command to return to the default post-login banner, which is information about the operating system and copyright.

Use the show form of this command to display the post-login banner.

system login banner pre-login <banner>

Create the text of the pre-login banner.

set system login banner pre-login banner
delete system login banner pre-login
show system login banner pre-login

The system displays a welcome message.

banner
The text (banner) to be displayed during login after a user enters a login ID. The banner must be enclosed in double quotation marks (“). Special characters such as new line (\n) and tab (\t) can also be entered.

Configuration mode


system {
    login {
        banner {
            pre-login banner 
        }
    }
}

Use this command to create the text (banner) that appears when a user enters a login ID.

Use the set form of this command to create the pre-login banner.

Use the delete form of this command to return to the default pre-login banner which is a welcome message.

Use the show form of this command to display the pre-login banner.

system login group <group-name>

Specifies the text of the group name.

set system login group group-name
delete system login group group-name
show system login group

The system displays a welcome message.

group-name
The name of the group to create.

Configuration mode


system {
    login {
        group group-name 
    }
}

Use the set form of this command to create the group name.

Use the delete form of this command to delete the group name.

Use the show form of this command to display the group name.

system login radius-server <address>

Defines a Remote Authentication Dial-In User Service (RADIUS) server for user authentication.

set system login radius-server address [ port port | secret secret | timeout timeout ]
delete system login radius-server address [ port | secret | timeout ]
show system login radius-server address [ port | secret | timeout ]
address
Multinode. The IP address of a remote authentication server running the RADIUS protocol. This server authenticates multiple users.

You can define multiple RADIUS servers by creating multiple radius-server configuration nodes.

port
Optional. A port to be used for RADIUS traffic. The default port is 1812.
secret
The secret (password) for the RADIUS server. This secret must be the same as that recorded on the RADIUS server.

The secret consists of alphanumeric and printable special characters (for example, the space character is not permitted). The secret is case sensitive.

timeout
Optional. The time-out (interval), in seconds, after which, if the RADIUS server has not responded, the next configured RADIUS server should be queried. The time-out ranges from 1 through 30. The default time-out is 2.

Configuration mode


system {
     login {
          radius-server address {
               port port
          }
     }
}

Use this command to define a RADIUS server and specify the information necessary to log in to it.

The RADIUS secret is specified and stored in plain text on the system and is used as part of a cryptographic operation for transferring authentication information securely over the network. When you view a RADIUS secret, it is displayed in plain text.

Note: RADIUS servers are currently not supported in IPv6.

Use the set form of this command to define a RADIUS server.

Use the delete form of this command to remove a RADIUS server.

Use the show form of this command to display RADIUS server configuration.

system login session-timeout

Defines system idle session timeout value in seconds.

set system login session-timeout { 0 | 0-4294967295 }
delete system login session-timeout [ 0 | 0-4294967295 ]
show system login session-timeout

Disabled.

0
Disables session time out.
0-4294967295
Session idle duration in seconds before timeout.

Configuration mode


system {
     login {
          session-timeout value
     }
}

Use the set form of this command to define the system idle session timeout value in seconds.

Use the delete form of this command to remove the system idle session timeout value and to restore the default configuration.

Use the show form of this command to display the system idle session timeout value.

system login tacplus-server <address>

Defines a Terminal Access Controller Access Control System Plus (TACACS+) server for user authentication.

set [ routing routing-instance vrf-name ] system login tacplus-server address [ port port | secret secret | source-address source-address | timeout timeout ]
delete [ routing routing-instance vrf-name ] system login tacplus-server address [ port | secret | source-address | timeout ]
show [ routing routing-instance vrf-name ] system login tacplus-server address [ port | secret | source-address | timeout ]
vrf-name
The name of the VRF instance for which this command is configured.
address
Multinode. The IP address or host name of a remote authentication server running TACACS+. This server authenticates multiple users.

You can define multiple TACACS+ servers by creating multiple tacplus-server configuration nodes. Multiple servers are prioritized in the order in which they are configured.

port
A port to be used for TACACS+ traffic. The default port is 49.
secret
The secret (password) for the TACACS+ server. This secret must be the same as that recorded on the TACACS+ server.

The secret consists of alphanumeric and printable special characters (for example, the space character is not permitted). The secret is case sensitive.

source-address
An IP address to use as the source address when connecting to the TACACS+ server. This address is typically not required.
timeout
Optional. The time-out (interval), in seconds, after which, if the TACACS+ server has not responded, the next configured TACACS+ server should be queried. The time-out ranges from 1 through 30. The default time-out is 3.

Configuration mode


routing {
    routing-instance vrf-name {
        system {
             login {
                  tacplus-server address {
                       port port
                       secret secret
                       source-address source-address
                       timeout timeout
                  }
             }
        }
    }
}

Use this command to define a TACACS+ server and specify the information necessary to log in to it.

The TACACS+ secret is specified in plain text and stored in plain text on the system and is used as part of a cryptographic operation for transferring authentication information securely over the network. When you view a TACACS+ secret, it is displayed in plain text.

Note: TACACS+ servers are not supported for IPv6.

Users doing packet capture need to see the encrypted TACACS+ traffic.

Use the set form of this command to define a TACACS+ server.

Use the delete form of this command to remove a TACACS+ server.

Use the show form of this command to display TACACS+ server configuration.

system login user <user>

Creates a user account.

set system login user user
delete system login user user
show system login user user
user
Multinode. A unique user ID of up to 32 characters, including alphanumeric characters or hyphens (-).

You can define multiple user accounts by creating multiple user configuration nodes.

Configuration mode


system {
     login {
          user user
     }
}

Use this command to define a user that is authenticated by using the internal mechanism of the system: “login” authentication.

Note that, although user account and authentication information can be changed by using the operating system shell, the system overwrites these changes the next time you commit configuration in the Vyatta shell. For persistent changes to user or authentication information, use Vyatta CLI commands.

In addition, a user cannot be added to the local authentication database if the same username already exists in an accessible remote authentication database (for example, TACACS+).

Use the set form of this command to create a user configuration node.

Use the delete form of this command to remove a user configuration node. Note that you cannot delete the account you are currently using.

Use the show form of this command to display user configuration.

system login user <user> authentication

Sets an authentication password for a user.

set system login user user authentication { encrypted-password epwd | plaintext-password ppwd }
delete system login user user authentication [ encrypted-password | plaintext-password ]
show system login user user authentication [ encrypted-password | plaintext-password ]
user
A user ID.
epwd
The encrypted password. This password consists of the encrypted characters of the actual password. You can obtain the encrypted characters of the actual password by using the mkpasswd command on the VM.
ppwd
The password for the user, specified in plain text. Most special characters can be used with the exception of single quotation marks ('), double quotation marks (“), and backslashes (\).

Configuration mode


system {
    login {
        user user {
            authentication {
                encrypted-password epwd
                plaintext-password ppwd
            }
        }
    }
}

Use this command to set a password to authenticate a user. When the encrypted password is displayed, the encrypted value is shown. The plain text password appears as double quotation marks in the configuration.

CAUTION: If your login user is not a member of the login user group "secrets" and you save a configuration either through the REST API or use the save command, the encrypted passwords in the configuration file are replaced with the ******** placeholder. If you load this configuration, the replaced password fields trigger validation errors because the placeholder does not match the format for an encrypted password. Do not commit this configuration. If you ignore the error message and perform a commit with this invalid configuration, the passwords are deleted.

To disable a user account without deleting it, you can simply set the value of the encrypted-password option to an asterisk (*).

Use the set form of this command to set the password for a user.

Use the delete form of this command to remove the password for a user.

Use the show form of this command to display user password configuration.
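The CAUTION above describes a configuration that must be caught before commit. The following is an added example, not Vyatta code, that scans a saved configuration for encrypted-password values: the ******** placeholder written when the saving user is not in the secrets group, the single asterisk that disables an account, and values that do not look like a crypt-style hash. The sample configuration is constructed; its hash is the one shown in the show system login users example above.

```python
"""Audit encrypted-password fields in a saved Vyatta configuration.

Added example, not part of the Vyatta documentation. Rules applied, from the text above:
'********' is the placeholder that would delete the password on commit, '*' is a
deliberately disabled account, and any other value is expected to be a crypt(3)-style
'$id$salt$hash' string like the '$1$...' value shown earlier on this page.
"""
import re
from typing import List, Tuple

# Constructed sample configuration (hash copied from the page's example output).
SAMPLE_CONFIG = """\
system {
    login {
        user vyatta {
            authentication {
                encrypted-password $1$4XHPj9eT$G3ww9B/pYDLSXC8YVvazP0
            }
            level admin
        }
        user backup {
            authentication {
                encrypted-password ********
            }
            level operator
        }
        user retired {
            authentication {
                encrypted-password *
            }
        }
    }
}
"""

PLACEHOLDER = "********"
_USER = re.compile(r"^\s*user\s+(\S+)\s*\{")
_ENC = re.compile(r"^\s*encrypted-password\s+(\S+)")
# '$' followed by at least three '$'-separated fields: id, salt (or rounds + salt), hash.
_CRYPT = re.compile(r"^\$[^$\s]+(?:\$[^$\s]+){2,}$")


def classify_password(value: str) -> str:
    """Return 'placeholder', 'disabled', 'hash' or 'malformed' for one encrypted-password value."""
    if value == PLACEHOLDER:
        return "placeholder"
    if value == "*":
        return "disabled"
    if _CRYPT.match(value):
        return "hash"
    return "malformed"


def audit_encrypted_passwords(config_text: str) -> List[Tuple[str, str]]:
    """Return (user, finding) for every account whose password must not be committed.

    Only 'hash' and 'disabled' values pass; the user name is taken from the
    enclosing 'user <name> {' node."""
    findings = []
    user = "<unknown>"
    for line in config_text.splitlines():
        m = _USER.match(line)
        if m:
            user = m.group(1)
            continue
        m = _ENC.match(line)
        if not m:
            continue
        kind = classify_password(m.group(1))
        if kind == "placeholder":
            findings.append((user, "placeholder from a save without 'secrets' membership; "
                                   "reload a complete config, do not commit"))
        elif kind == "malformed":
            findings.append((user, "value does not match the encrypted-password format"))
    return findings
```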

system login auth-chain method

Sets the order of the authentication.

set system login auth-chain [ method tacplus | method local ]
delete system login auth-chain [ method tacplus | method local ]
show system login

The default order for the authentication method is TACACS+ server followed by local system-user login.

auth-chain { method tacplus; method local }

method tacplus
Specifies the authentication method as TACACS+ server.
method local
Specifies the authentication method as local system-user login.

Configuration mode


system {
    login {
        auth-chain {
            method tacplus
            method local
        }
    }
}

Use this command to set the order of authentication by using the authentication chaining method. The system performs authentication in the order of the authentication chain. The scenarios for authentication chaining follow.

  • If you specify the authentication method as local, the system uses the local system-user login to authenticate.
  • If you specify the authentication method as TACACS+, the system uses TACACS+ authentication. The authentication chain does not proceed to local authentication unless TACACS+ authentication is configured but not working.
  • If you use both the TACACS+ and local authentication methods, the system attempts the first method. If the first method is successful, the chain does not proceed. If the first method fails, the authentication chain proceeds and the system attempts the next method.

Use the set form of this command to set the order of the authentication chain.

Use the delete form of this command to remove the order of the authentication chain.

Use the show form of this command to display the order of the authentication chain.

system login user <user> authentication public-keys <key-id>

Specifies parameters for a Secure Shell (SSH) shared public key user authentication.

set system login user user authentication public-keys key-id [ key key-value | options key-options | type key-type ]
delete system login user user authentication public-keys key-id [ key | options | type ]
show system login user user authentication public-keys key-id [ key | options | type ]
user
A user ID.
key-id
A key identifier. This identifier is typically in the form user@host and is generated by the ssh-keygen command when used to create the private and public key pair.
key-value
The shared public key.
key-options
Additional options separated by commas. See the “AUTHORIZED_KEYS FILE FORMAT” section of the sshd manual page (man sshd) for a detailed description of the available options.
key-type
The key (authentication) type to be used, which must be specified. The key type is one of the following:

ssh-dsa—Specifies DSA authentication.

ssh-rsa—Specifies RSA authentication.

Configuration mode


system {
    login {
        user user {
            authentication {
                public-keys key-id {
                    key key-value
                    options key-options
                    type key-type
                }
            }
        }
    }
}

Use this command to specify the parameters to be used for shared public key authentication for logins by using SSH. During commit, these values are placed in the /home/<user>/.ssh/authorized_keys file. Changes to this file can be made only by using this command. All direct user changes to this file are lost.

Rather than specifying these parameters directly by using the set form of this command, the recommended method is to use the loadkey command. It populates the key-id, key-value, key-options, and key-type arguments for a specified user, given a shared public key file generated by the Linux ssh-keygen command on the remote system.

Shared public key authentication for SSH can be available in addition to password authentication for SSH or it can be used exclusively. If both methods are made available at the same time, then a login prompt appears if a shared public key is not provided at the start of the SSH session. To use only shared public keys for SSH authentication, password authentication for SSH must first be disabled. For information on disabling password authentication for SSH, refer to Ciena Vyatta Network OS Services Configuration Guide.

Use the set form of this command to set the public key parameters.

Use the delete form of this command to remove the public key parameters.

Use the show form of this command to display public key parameters.
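The mapping that loadkey performs between a shared public key file and the public-keys parameters of this command, as an added example that is neither Vyatta code nor the loadkey implementation: the trailing user@host comment becomes key-id, the first field becomes key-type (only ssh-rsa and ssh-dsa, the two types listed above, are accepted), any leading authorized_keys options become key-options, and a key-id that already exists is overwritten as the loadkey description states. The key material is constructed and is not a real key.

```python
"""Turn a shared public key line into the public-keys configuration that loadkey populates.

Added example: not part of the Vyatta documentation and not the loadkey implementation.
Key material below is constructed and is not a real key.
"""
import shlex
from typing import Dict, List

ALLOWED_TYPES = ("ssh-rsa", "ssh-dsa")  # the key types the page lists for key-type

# Constructed inputs: a plain ssh-keygen .pub line, and the same key with
# authorized_keys options in front (see the sshd manual page for the format).
CONSTRUCTED_PUB = "ssh-rsa AAAAB3NzaC1yc2EXAMPLEKEYDATA== alice@laptop.example"
CONSTRUCTED_WITH_OPTIONS = (
    'from="10.0.0.0/8",no-pty ssh-rsa AAAAB3NzaC1yc2EXAMPLEKEYDATA== alice@laptop.example'
)


def parse_pub_line(line: str) -> Dict[str, str]:
    """Split a .pub / authorized_keys line into key-id, type, key and options."""
    tokens = line.split()
    # The options field, if present, is everything before the key type token.
    type_idx = next((i for i, t in enumerate(tokens) if t in ALLOWED_TYPES), None)
    if type_idx is None:
        raise ValueError("no supported key type (ssh-rsa or ssh-dsa) found")
    if len(tokens) < type_idx + 3:
        raise ValueError("expected: [options] type key comment(user@host)")
    return {
        "key-id": " ".join(tokens[type_idx + 2:]),  # comment, normally user@host
        "type": tokens[type_idx],
        "key": tokens[type_idx + 1],
        "options": " ".join(tokens[:type_idx]),      # empty for a plain .pub file
    }


def set_commands(user: str, line: str) -> List[str]:
    """The 'set system login user ... authentication public-keys ...' lines for one key."""
    k = parse_pub_line(line)
    base = f"set system login user {user} authentication public-keys {shlex.quote(k['key-id'])}"
    cmds = [f"{base} type {k['type']}", f"{base} key {k['key']}"]
    if k["options"]:
        cmds.append(f"{base} options {shlex.quote(k['options'])}")
    return cmds


def load_keys(existing: Dict[str, Dict[str, str]], *lines: str) -> Dict[str, Dict[str, str]]:
    """Merge key lines into a user's public-keys map keyed by key-id.

    A line whose key-id matches an existing entry replaces it, which is the
    overwrite behaviour the loadkey description states."""
    merged = dict(existing)
    for line in lines:
        k = parse_pub_line(line)
        merged[k["key-id"]] = k
    return merged
```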

system login user <user> full-name <name>

Records the full name of a user.

set system login user user full-name name
delete system login user user full-name
show system login user user full-name
user
A user ID.
name
A character string that represents the name of the user, including alphanumeric characters, space, and hyphens (-). A character string that includes spaces must be enclosed in double quotation marks (“).

Configuration mode


system {
    login {
        user user {
            full-name name
        }
    }
}

Use this command to record the full name of a user.

Use the set form of this command to specify the name of a user.

Use the delete form of this command to remove the name of a user.

Use the show form of this command to display the name of a user.

system login user <user> group <group>

Assigns a user to a group.

set system login user user group group
delete system login user user group
show system login user user group
user
A user ID.
group
A character string that represents the group to which the user is to be assigned. Groups are defined in the /etc/group directory.

Configuration mode


system {
    login {
        user user {
             group group
        }
    }
}

Use this command to assign a user to a group. A user can be a member of multiple groups by running this command once for each group to which the user is to be assigned.

Use the set form of this command to make a user a member of a group.

Use the delete form of this command to remove a user from a group.

Use the show form of this command to display the groups to which a user is assigned.

system login user <user> home-directory <dir>

Specifies the home directory of a user.

set system login user user home-directory dir
delete system login user user home-directory
show system login user user home-directory

The home directory is /home/user.

user
A user ID.
dir
A character string that represents the home directory of the user. The following is an example: /home/vyatta

Configuration mode


system {
     login {
          user user {
               home-directory dir
          }
     }
}

Use this command to specify the home directory of a user.

Use the set form of this command to specify the home directory of a user.

Use the delete form of this command to restore the default home directory of a user, which is /home/user.

Use the show form of this command to display the home directory of a user.

system login user <user> level <level>

Specifies the privilege level and system access of a user.

set system login user user level level
delete system login user user level
show system login

A user is assigned administrative privileges.

user
A user ID.
level
The privilege level of the user. The level is either of the following:

admin—Assigns administrative privilege to the user. The user can run any command in the Vyatta CLI or the underlying operating system.

operator—Assigns restricted privilege to the user. The user can run operational commands in the Vyatta CLI plus restricted forms of the ping and traceroute commands. The user cannot enter configuration mode or run configuration commands.

superuser—A superuser has the privilege of an admin user. In addition to that, a superuser has access to install or update additional packages, and access or modify internal system files and so on.

Configuration mode


system {
    login {
        user user {
            level level
        }
    }
}

Use this command to assign role-based system access to a user.

The system supports two system roles:

  • Administrator (admin): A user that is assigned a role of admin has full access to all Vyatta-specific commands plus all operating system shell commands. Access to operating system shell commands is direct: the user does not need to exit to another shell mode before running these commands. Although admin users can run any command implemented in the system, command completion and CLI help show only vRouter commands.
  • Operator: A user that is assigned a role of operator has access to the vRouter operational command set but no access to configuration commands. An operator also has limited access to operating system commands. At this time, command completion and CLI help show all vRouter commands for a user with the operator role.

Use the set form of this command to assign the privilege level to a user.

Use the delete form of this command to restore the privilege level of a user to the default level, which is administrative level.

Use the show form of this command to display the privilege level of a user.

system tacplus-options command-accounting

Enables logging of accounting records for interactive shell (vbash) commands.

set system tacplus-options command-accounting
delete system tacplus-options command-accounting
show system tacplus-options

Accounting records are not logged.

Configuration mode


system {
     tacplus-options {
          command-accounting
     }
}

Use this command to enable logging of accounting records for interactive shell commands.

Connections to the system for which commands are logged include SSH, Telnet, console, and serial. Command logging is not limited to TACACS+ authenticated users and accounts for interactive shell commands. Accounting records are logged to the TACACS+ server.

Use the set form of this command to enable logging of accounting records for interactive shell commands.

Use the delete form of this command to restore the default behavior for command accounting, that is, accounting records are not logged.

Use the show form of this command to display the configuration of command accounting.