User Management Commands
User management commands can be found in this section.
loadkey
Loads a shared public key for a Secure Shell (SSH) user.
- user
- The name of a user with which to associate a public key. The user must already be defined on the vRouter.
- file-name
- The name of a shared public key file, including the full path to its location. A shared public key file is typically generated on the remote system by using the Linux ssh-keygen command and has a .pub extension. Its contents include the authentication type (for example, ssh-rsa or ssh-dsa), the key, and the remote system user ID (for example, name@domain.com).
Configuration mode
Use this command to load a shared public key for SSH from a file into the public-keys configuration for a user (refer to system login user <user> authentication public-keys <key-id>). Loading a key from a file avoids having to manually enter the shared public key.
The shared public key, generated on the remote system, can be loaded from a hard disk (including a Flash disk or USB device), a TFTP server, an FTP server, an SCP server, or an HTTP server.
If a public key is loaded that contains a remote system user ID that is the same as an existing public-keys name for a user, the existing key is overwritten.
The following table shows how to specify the syntax for files from different file locations.
Location | Specification
---|---
An absolute path on the local system | Use standard UNIX file specification.
FTP server | Use the following syntax for file-name: ftp://user:passwd@host/key-file, where user is the username on the host, passwd is the password associated with the username, host is the host name or IP address of the FTP server, and key-file is the key file, including the path. If you do not specify user and passwd, you are prompted for them.
SCP server | Use the following syntax for file-name: scp://user:passwd@host/key-file, where user is the username on the host, passwd is the password associated with the username, host is the host name or IP address of the SCP server, and key-file is the key file, including the path. If you do not specify user and passwd, you are prompted for them.
HTTP server | Use the following syntax for file-name: http://host/key-file, where host is the host name or IP address of the HTTP server, and key-file is the key file, including the path.
TFTP server | Use the following syntax for file-name: tftp://host/key-file, where host is the host name or IP address of the TFTP server, and key-file is the key file, including the path relative to the TFTP root directory.
show login
Displays the login credentials of the current user.
Displays all credentials of the current user.
- groups
- Displays the groups to which the user belongs.
- level
- Displays the login level of the user.
- user
- Displays the login ID of the user.
Operational mode
Use this command to display the login credentials of the current user.
The following example shows how to display the login credentials of the current user.
vyatta@R1:~$ show login
login : vyatta pts/0 Aug 11 17:19 (192.168.1.150)
level : admin
user : vyatta
groups : users adm disk sudo dip vyattacfg
vyatta@R1:~$
show system login users
Displays information about user accounts.
Displays information about vRouter accounts.
- all
- Displays information about all accounts.
- locked
- Displays information about locked accounts.
- other
- Displays information about non-vRouter accounts.
- vyatta
- Displays information about vRouter accounts.
Operational mode
Use this command to display information about system accounts including information about the last time each user logged in.
The following example shows how to display information about vRouter user accounts on R1.
vyatta@vyatta# show system login user
user Vyatta {
authentication {
encrypted-password $1$4XHPj9eT$G3ww9B/pYDLSXC8YVvazP0
}
level admin
}
show system tacplus status
Displays the status of TACACS+.
Operational mode
Use this command to display the status of TACACS+.
The following example shows how to display the status of TACACS+. In this example, the (active) label, which appears next to a server address, has no bearing on the success of the attempted connection. This label identifies the last TACACS+ server to which the vRouter tried to connect.
vyatta@vyatta:~$ show system tacplus status
Server address: 192.168.122.7 (active)
Server port: 49
Authentication requests/replies: 1/1
Authorization requests/replies: 2/2
Accounting requests/replies: 5/5
Failed connects: 0
Server address: 192.168.122.6
Server port: 60
Authentication requests/replies: 0/0
Authorization requests/replies: 0/0
Accounting requests/replies: 0/0
Failed connects: 1
The following example shows the message that is displayed if TACACS+ is not configured.
vyatta@vyatta:~$ show system tacplus status
Tacplus daemon is not running.
The following example shows that the TACACS+ server at 1.1.1.1 runs in the VRF named red.
vyatta@vyatta:~$ show system tacplus status
VRF red
Server address: 1.1.1.1 (active)
Server port: 49
Authentication requests/replies: 1/1
Authorization requests/replies: 2/2
Accounting requests/replies: 4/4
Failed connects: 0
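The parser below is an added Python example, not part of the vRouter software or of this reference. It turns the status output shown above, including the VRF and "daemon is not running" variants, into one record per server and flags any server with failed connections or fewer replies than requests, which is the condition an operator would want to alert on. The sample text reproduces the three example outputs above; recognising the echoed prompt line by its trailing command text is an assumption of this script.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class TacplusServerStatus:
    address: str
    active: bool                      # carried the "(active)" label (last server tried)
    vrf: Optional[str] = None         # set when the output is preceded by a "VRF <name>" line
    port: Optional[int] = None
    # "Authentication" / "Authorization" / "Accounting" -> (requests, replies)
    counters: dict = field(default_factory=dict)
    failed_connects: int = 0


_SERVER_RE = re.compile(r"^Server address:\s*(\S+)(\s*\(active\))?\s*$")
_COUNTER_RE = re.compile(r"^(\w+) requests/replies:\s*(\d+)/(\d+)\s*$")


def parse_tacplus_status(text: str) -> List[TacplusServerStatus]:
    """Parse 'show system tacplus status' output into one record per server.
    Returns an empty list when the daemon is not running (TACACS+ not configured)."""
    servers: List[TacplusServerStatus] = []
    vrf = None
    for raw in text.splitlines():
        line = raw.strip()
        # skip blank lines and the echoed command prompt (assumed to end with the command)
        if not line or line.endswith("show system tacplus status"):
            continue
        if line.startswith("Tacplus daemon is not running"):
            return []
        if line.startswith("VRF "):
            vrf = line.split(None, 1)[1]
            continue
        m = _SERVER_RE.match(line)
        if m:
            servers.append(TacplusServerStatus(address=m.group(1), active=bool(m.group(2)), vrf=vrf))
            continue
        if not servers:
            raise ValueError(f"unexpected line before first server: {line!r}")
        cur = servers[-1]
        if line.startswith("Server port:"):
            cur.port = int(line.split(":", 1)[1])
        elif line.startswith("Failed connects:"):
            cur.failed_connects = int(line.split(":", 1)[1])
        else:
            m = _COUNTER_RE.match(line)
            if not m:
                raise ValueError(f"unrecognised line: {line!r}")
            cur.counters[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return servers


def unhealthy_servers(servers: List[TacplusServerStatus]) -> List[str]:
    """Addresses of servers that failed to connect or left requests unanswered;
    a server answering fewer replies than requests is degrading silently."""
    flagged = []
    for s in servers:
        unanswered = any(req > rep for req, rep in s.counters.values())
        if s.failed_connects > 0 or unanswered:
            flagged.append(s.address)
    return flagged


# Sample inputs: copies of the three example outputs from this reference.
SAMPLE_STATUS = """\
vyatta@vyatta:~$ show system tacplus status
Server address: 192.168.122.7 (active)
Server port: 49
Authentication requests/replies: 1/1
Authorization requests/replies: 2/2
Accounting requests/replies: 5/5
Failed connects: 0
Server address: 192.168.122.6
Server port: 60
Authentication requests/replies: 0/0
Authorization requests/replies: 0/0
Accounting requests/replies: 0/0
Failed connects: 1
"""
SAMPLE_NOT_RUNNING = "vyatta@vyatta:~$ show system tacplus status\nTacplus daemon is not running.\n"
SAMPLE_VRF_STATUS = """\
vyatta@vyatta:~$ show system tacplus status
VRF red
Server address: 1.1.1.1 (active)
Server port: 49
Authentication requests/replies: 1/1
Authorization requests/replies: 2/2
Accounting requests/replies: 4/4
Failed connects: 0
"""
```

Run over SAMPLE_STATUS, unhealthy_servers() returns only 192.168.122.6, the server with a failed connect; the "(active)" label on the other server is recorded but, as the text above notes, says nothing about connection success and is deliberately not used as a health signal.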
system login
Creates the configuration node for user management and authentication.
Configuration mode
system {
login {
}
}
Use this command to create the configuration node for user management and authentication.
The login configuration node is a mandatory node. It is created automatically with default information when the system is first started. If this node is subsequently deleted, the system recreates it with default information.
Use the set form of this command to create the login configuration node.
Use the delete form of this command to restore default user and authentication information.
Use the show form of this command to display user and authentication configuration.
system login banner post-login <banner>
Creates the text of the post-login banner.
The system displays information about the operating system and copyright.
- banner
- The text (banner) to be displayed during login after a user enters a valid password. The banner must be enclosed in double quotation marks (“). Special characters such as new line (\n) and tab (\t) can also be entered.
Configuration mode
system {
login {
banner {
post-login banner
}
}
}
Use this command to create the text (banner) that appears when a user logs in to the system successfully.
Use the set form of this command to create the post-login banner.
Use the delete form of this command to return to the default post-login banner, which is information about the operating system and copyright.
Use the show form of this command to display the post-login banner.
system login banner pre-login <banner>
Create the text of the pre-login banner.
The system displays a welcome message.
- banner
- The text (banner) to be displayed during login after a user enters a login ID. The banner must be enclosed in double quotation marks (“). Special characters such as new line (\n) and tab (\t) can also be entered.
Configuration mode
system {
login {
banner {
pre-login banner
}
}
}
Use this command to create the text (banner) that appears when a user enters a login ID.
Use the set form of this command to create the pre-login banner.
Use the delete form of this command to return to the default pre-login banner which is a welcome message.
Use the show form of this command to display the pre-login banner.
system login group <group-name>
Specifies the text of the group name.
- group
- The group to be named.
Configuration mode
system {
login {
group group-name
}
}
Use the set form of this command to create the group name.
Use the delete form of this command to delete the group name.
Use the show form of this command to display the group name.
system login radius-server <address>
Defines a Remote Authentication Dial-In User Service (RADIUS) server for user authentication.
- address
- Multinode. The IP address of a remote authentication server running the RADIUS protocol. This server authenticates multiple users.
You can define multiple RADIUS servers by creating multiple radius-server configuration nodes.
- port
- Optional. A port to be used for RADIUS traffic. The default port is 1812.
- secret
- The secret (password) for the RADIUS server. This secret must be the same as that recorded on the RADIUS server.
The secret consists of alphanumeric and printable special characters (the space character, for example, is not permitted). The secret is case sensitive.
- timeout
- Optional. The time-out (interval), in seconds, after which, if the RADIUS server has not responded, the next configured RADIUS server should be queried. The time-out ranges from 1 through 30. The default time-out is 2.
Configuration mode
system {
login {
radius-server address {
port port
}
}
}
Use this command to define a RADIUS server and specify the information necessary to log in to it.
The RADIUS secret is specified and stored in plain text on the system and is used as part of a cryptographic operation for transferring authentication information securely over the network. When you view a RADIUS secret, it is displayed in plain text.
Use the set form of this command to define a RADIUS server.
Use the delete form of this command to remove a RADIUS server.
Use the show form of this command to display RADIUS server configuration.
system login session-timeout
Defines system idle session timeout value in seconds.
Disabled.
- 0
- Disables session time out.
- 0-4294967295
- Session idle duration in seconds before timeout.
Configuration mode
system {
login {
session-timeout value
}
}
Use the set form of this command to define the system idle session timeout value in seconds.
Use the delete form of this command to remove the system idle session timeout value and to restore the default configuration.
Use the show form of this command to display the system idle session timeout value.
system login tacplus-server <address>
Defines a Terminal Access Controller Access Control System Plus (TACACS+) server for user authentication.
- vrf-name
- The name of the VRF instance for which this command is configured.
- address
- Multinode. The IP address or host name of a remote authentication server running TACACS+. This server authenticates multiple users.
You can define multiple TACACS+ servers by creating multiple tacplus-server configuration nodes. Multiple servers are prioritized in the order in which they are configured.
- port
- A port to be used for TACACS+ traffic. The default port is 49.
- secret
- The secret (password) for the TACACS+ server. This secret must be the same as that recorded on the TACACS+ server.
The secret consists of alphanumeric and printable special characters (the space character, for example, is not permitted). The secret is case sensitive.
- source-address
- An IP address to use as the source address when connecting to the TACACS+ server. This address is typically not required.
- timeout
- Optional. The time-out (interval), in seconds, after which, if the TACACS+ server has not responded, the next configured TACACS+ server should be queried. The time-out ranges from 1 through 30. The default time-out is 3.
Configuration mode
routing {
routing-instance vrf-name {
system {
login {
tacplus-server address {
port port
secret secret
source-address source-address
timeout timeout
}
}
}
}
}
Use this command to define a TACACS+ server and specify the information necessary to log in to it.
The TACACS+ secret is specified in plain text and stored in plain text on the system and is used as part of a cryptographic operation for transferring authentication information securely over the network. When you view a TACACS+ secret, it is displayed in plain text.
Users capturing packets see only the encrypted TACACS+ traffic.
Use the set form of this command to define a TACACS+ server.
Use the delete form of this command to remove a TACACS+ server.
Use the show form of this command to display TACACS+ server configuration.
system login user <user>
Creates a user account.
- user
- Multinode. A unique user ID of up to 32 characters, consisting of alphanumeric characters and hyphens (-).
You can define multiple user accounts by creating multiple user configuration nodes.
Configuration mode
system {
login {
user user
}
}
Use this command to define a user that is authenticated by using the internal mechanism of the system: “login” authentication.
Note that, although user account and authentication information can be changed by using the operating system shell, the system overwrites these changes the next time you commit configuration in the Vyatta shell. For persistent changes to user or authentication information, use Vyatta CLI commands.
In addition, a user cannot be added to the local authentication database if the same username already exists in an accessible remote authentication database (for example, TACACS+).
Use the set form of this command to create a user configuration node.
Use the delete form of this command to remove a user configuration node. Note that you cannot delete the account you are currently using.
Use the show form of this command to display user configuration.
system login user <user> authentication
Sets an authentication password for a user.
- user
- A user ID.
- epwd
- The encrypted password. This password consists of the encrypted characters of the actual password. You can obtain the encrypted characters of the actual password by using the mkpasswd command on the VM.
- ppwd
- The password for the user, specified in plain text. Most special characters can be used with the exception of single quotation marks ('), double quotation marks (“), and backslashes (\).
Configuration mode
system {
login {
user user {
authentication {
encrypted-password epwd
plaintext-password ppwd
}
}
}
}
Use this command to set a password to authenticate a user. When the encrypted password is displayed, the encrypted value is shown. The plain text password appears as double quotation marks in the configuration.
To disable a user account without deleting it, you can simply set the value of the encrypted-password option to an asterisk (*).
Use the set form of this command to set the password for a user.
Use the delete form of this command to remove the password for a user.
Use the show form of this command to display user password configuration.
system login auth-chain method
Sets the order of the authentication.
The default order for the authentication method is TACACS+ server followed by local system-user login.
auth-chain { method tacplus; method login}
- method tacplus
- Specifies the authentication method as TACACS+ server.
- method local
- Specifies the authentication method as local system-user login.
Configuration mode
system {
login {
auth-chain {
method tacplus
method local
}
}
}
Use this command to set the order of authentication by using the authentication chaining method. The system performs authentication in the order of the authentication chain. The scenarios for authentication chaining follow.
- If you specify the authentication method as local, the system uses the local system-user login to authenticate.
- If you specify the authentication method as TACACS+, the system uses TACACS+ authentication. The authentication chain does not proceed to local authentication unless TACACS+ authentication is configured but not working.
- If you use both the TACACS+ and local authentication methods, the system attempts the first method. If the first method is successful, the chain does not proceed. If the first method fails, the authentication chain proceeds and the system attempts the next method.
Use the set form of this command to set the order of the authentication chain.
Use the delete form of this command to remove the order of the authentication chain.
Use the show form of this command to display the order of the authentication chain.
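The model below is an added Python example, not code from the vRouter or from this reference. It makes the chain behaviour concrete: TACACS+ servers are tried in configured order, an unreachable server (timeout) is skipped, the first server that answers decides, and only when no TACACS+ server answers at all does the chain fall through to the local method. A denial from a method that did answer ends the chain, so a user removed from the TACACS+ server cannot fall back to a stale local password. Reading "not working" as "no server reachable" is this model's interpretation of the text; the server addresses, credentials and reachability flags are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"            # the method answered and denied the login: chain stops
    UNAVAILABLE = "unavailable"  # the method could not answer: chain moves to the next method


@dataclass
class TacplusServer:
    address: str
    reachable: bool                                          # constructed stand-in for connect/timeout
    credentials: Dict[str, str] = field(default_factory=dict)  # users this server would accept


AuthMethod = Callable[[str, str], Result]


def tacplus_method(servers: List[TacplusServer]) -> AuthMethod:
    """Model of 'method tacplus': servers are prioritized in configured order."""
    def authenticate(user: str, password: str) -> Result:
        for srv in servers:
            if not srv.reachable:
                continue                                      # timeout: query the next server
            return Result.ACCEPT if srv.credentials.get(user) == password else Result.REJECT
        return Result.UNAVAILABLE                             # configured but not working
    return authenticate


def local_method(users: Dict[str, str]) -> AuthMethod:
    """Model of 'method local': the system's own user database always answers."""
    def authenticate(user: str, password: str) -> Result:
        return Result.ACCEPT if users.get(user) == password else Result.REJECT
    return authenticate


def auth_chain(methods: List[Tuple[str, AuthMethod]], user: str, password: str) -> Tuple[Result, str]:
    """Run the methods in chain order; return the decision and the method that made it.
    If no method can decide, fail closed."""
    for name, method in methods:
        result = method(user, password)
        if result is Result.UNAVAILABLE:
            continue
        return result, name
    return Result.REJECT, "none"


# Constructed sample configuration (dummy addresses and passwords, not real credentials).
LOCAL_USERS = {"alice": "local-pw", "vyatta": "vyatta-pw"}
TACPLUS_UP = [TacplusServer("192.0.2.10", True, {"alice": "tac-pw"}),
              TacplusServer("192.0.2.11", True, {"alice": "tac-pw"})]
TACPLUS_DOWN = [TacplusServer("192.0.2.10", False), TacplusServer("192.0.2.11", False)]


def default_chain(servers: List[TacplusServer]) -> List[Tuple[str, AuthMethod]]:
    """The default order: method tacplus, then method local."""
    return [("tacplus", tacplus_method(servers)), ("local", local_method(LOCAL_USERS))]
```

With both servers up, alice's local password is rejected by TACACS+ and the chain stops there; with both servers down, the same password is accepted by the local method. A chain configured with only method tacplus and no reachable server rejects everyone, which is the fail-closed outcome.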
system login user <user> authentication public-keys <key-id>
Specifies parameters for a Secure Shell (SSH) shared public key user authentication.
- user
- A user ID.
- key-id
- A key identifier. This identifier is typically in the form user@host and is generated by the ssh-keygen command when used to create the private and public key pair.
- key-value
- The shared public key.
- key-options
- Additional options separated by commas. See the “AUTHORIZED_KEYS FILE FORMAT” section of the sshd manual page ( man sshd) for a detailed description of the available options.
- key-type
- The key (authentication) type to be used, which must be specified. The key is either of the following:
ssh-dsa—Specifies DSA authentication.
ssh-rsa—Specifies RSA authentication.
Configuration mode
system {
login {
user user {
authentication {
public-keys key-id {
key key-value
options key-options
type key-type
}
}
}
}
}
Use this command to specify the parameters to be used for shared public key authentication for logins by using SSH. During commit, these values are placed in the /home/<user>/.ssh/authorized_keys file. Changes to this file can be made only by using this command. All direct user changes to this file are lost.
Rather than specifying these parameters directly by using the set form of this command, the recommended method is to use the loadkey command. It populates the key-id, key-value, key-options, and key-type arguments for a specified user, given a shared public key file generated by the Linux ssh-keygen command on the remote system.
Shared public key authentication for SSH can be available in addition to password authentication for SSH or it can be used exclusively. If both methods are made available at the same time, then a login prompt appears if a shared public key is not provided at the start of the SSH session. To use only shared public keys for SSH authentication, password authentication for SSH must first be disabled. For information on disabling password authentication for SSH, refer to Ciena Vyatta Network OS Services Configuration Guide.
Use the set form of this command to set the public key parameters.
Use the delete form of this command to remove the public key parameters.
Use the show form of this command to display public key parameters.
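The script below is an added Python example, not part of the vRouter software or of this reference, covering both the loadkey command and the public-keys parameters described here. It parses an OpenSSH .pub or authorized_keys line into the key-type, key-value, key-id and key-options fields that loadkey populates, checks that the declared type matches the type embedded in the base64 blob (the same consistency check sshd performs), and models the loadkey overwrite rule: a key whose key-id matches an existing public-keys name replaces that entry. The sample keys are constructed dummy blobs, not real keys; rendering the equivalent set commands, quoting of the options value, and accepting ssh-dss as the on-disk spelling of ssh-dsa are assumptions of this script.

```python
import base64
import struct
from dataclasses import dataclass

# Key types named in the reference; OpenSSH writes "ssh-dss" for DSA keys (assumption).
KEY_TYPES = {"ssh-rsa", "ssh-dsa", "ssh-dss"}


@dataclass(frozen=True)
class PublicKeyEntry:
    key_id: str       # comment field, typically user@host -> public-keys <key-id>
    key_type: str     # -> type
    key_value: str    # base64 blob -> key
    key_options: str  # comma-separated sshd options -> options ("" when absent)


def _split_options(line: str) -> tuple:
    """Split off sshd options: they precede the key type and may contain quoted spaces."""
    if line.split(None, 1)[0] in KEY_TYPES:
        return "", line
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i:].lstrip()
    raise ValueError("no key type found after options")


def _embedded_key_type(key_value: str) -> str:
    """The decoded blob starts with a length-prefixed string naming the key type."""
    blob = base64.b64decode(key_value, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or n > len(blob) - 4:
        raise ValueError("malformed key blob")
    return blob[4:4 + n].decode("ascii")


def parse_pub_line(line: str) -> PublicKeyEntry:
    """Parse one line of a .pub / authorized_keys file into the public-keys fields."""
    line = line.strip()
    if not line or line.startswith("#"):
        raise ValueError("empty or comment line")
    options, rest = _split_options(line)
    fields = rest.split(None, 2)
    if len(fields) < 3:
        raise ValueError("expected '<type> <base64-key> <key-id>'")
    key_type, key_value, key_id = fields[0], fields[1], fields[2].strip()
    if key_type not in KEY_TYPES:
        raise ValueError(f"unsupported key type {key_type!r}")
    embedded = _embedded_key_type(key_value)
    if embedded != key_type and not (key_type == "ssh-dsa" and embedded == "ssh-dss"):
        raise ValueError(f"declared type {key_type} does not match blob type {embedded}")
    return PublicKeyEntry(key_id, key_type, key_value, options)


def is_valid_pub_line(line: str) -> bool:
    try:
        parse_pub_line(line)
        return True
    except ValueError:
        return False


def load_keys(config: dict, user: str, pub_text: str) -> dict:
    """Model of loadkey: each key line becomes a public-keys <key-id> node under the
    user; an existing entry with the same key-id is overwritten."""
    keys = config.setdefault(user, {})
    for line in pub_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        e = parse_pub_line(line)
        keys[e.key_id] = {"type": e.key_type, "key": e.key_value, "options": e.key_options}
    return keys


def to_set_commands(user: str, keys: dict) -> list:
    """Render the equivalent manual set commands (quoting of options is an assumption)."""
    out = []
    for key_id, v in keys.items():
        base = f"set system login user {user} authentication public-keys {key_id}"
        out.append(f"{base} type {v['type']}")
        out.append(f"{base} key {v['key']}")
        if v["options"]:
            out.append(f"{base} options '{v['options']}'")
    return out


def _fake_blob(key_type: bytes) -> str:
    """Constructed dummy blob (NOT a real key): the type string plus two short dummy fields."""
    blob = (struct.pack(">I", len(key_type)) + key_type
            + struct.pack(">I", 3) + b"\x01\x00\x01"
            + struct.pack(">I", 5) + b"\x00\xc3\x9a\x1d\x2f")
    return base64.b64encode(blob).decode("ascii")


# Constructed sample .pub contents; the second line re-uses alice's key-id, so it
# replaces the first entry when loaded, exactly as loadkey does.
SAMPLE_PUB_FILE = "\n".join([
    f"ssh-rsa {_fake_blob(b'ssh-rsa')} alice@example.com",
    f'from="192.0.2.0/24",no-pty ssh-rsa {_fake_blob(b"ssh-rsa")} alice@example.com',
    f"ssh-dsa {_fake_blob(b'ssh-dss')} bob@example.com",
])
```

Loading SAMPLE_PUB_FILE for user alice yields two public-keys nodes, alice@example.com (with the options from the second line) and bob@example.com; a line whose declared type disagrees with the blob is rejected before anything reaches the configuration.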
system login user <user> full-name <name>
Records the full name of a user.
- user
- A user ID.
- name
- A character string that represents the name of the user, including alphanumeric characters, space, and hyphens (-). A character string that includes spaces must be enclosed in double quotation marks (“).
Configuration mode
system {
login {
user user {
full-name name
}
}
}
Use this command to record the full name of a user.
Use the set form of this command to specify the name of a user.
Use the delete form of this command to remove the name of a user.
Use the show form of this command to display the name of a user.
system login user <user> group <group>
Assigns a user to a group.
- user
- A user ID.
- group
- A character string that represents the group to which the user is to be assigned. Groups are defined in the /etc/group file.
Configuration mode
system {
login {
user user {
group group
}
}
}
Use this command to assign a user to a group. A user can be a member of multiple groups by running this command once for each group to which the user is to be assigned.
Use the set form of this command to make a user a member of a group.
Use the delete form of this command to remove a user from a group.
Use the show form of this command to display the groups to which a user is assigned.
system login user <user> home-directory <dir>
Specifies the home directory of a user.
The home directory is /home/user.
- user
- A user ID.
- dir
- A character string that represents the home directory of the user. The following is an example: /home/vyatta
Configuration mode
system {
login {
user user {
home-directory dir
}
}
}
Use this command to specify the home directory of a user.
Use the set form of this command to specify the home directory of a user.
Use the delete form of this command to restore the default home directory of a user, which is /home/user.
Use the show form of this command to display the home directory of a user.
system login user <user> level <level>
Specifies the privilege level and system access of a user.
A user is assigned administrative privileges.
- user
- A user ID.
- level
- The privilege level of the user. The level is either of the following:
admin—Assigns administrative privilege to the user. The user can run any command in the Vyatta CLI or the underlying operating system.
operator—Assigns restricted privilege to the user. The user can run operational commands in the Vyatta CLI plus restricted forms of the ping and traceroute commands. The user cannot enter configuration mode or run configuration commands.
superuser—A superuser has the privilege of an admin user. In addition to that, a superuser has access to install or update additional packages, and access or modify internal system files and so on.
Configuration mode
system {
login {
user user {
level level
}
}
}
Use this command to assign role-based system access to a user.
The system supports two system roles:
- Administrator (admin): A user that is assigned a role of admin has full access to all Vyatta-specific commands plus all operating system shell commands. Access to operating system shell commands is direct: the user does not need to exit to another shell mode before running these commands. Although admin users can run any command implemented in the system, command completion and CLI help show only vRouter commands.
- Operator: A user that is assigned a role of operator has access to the vRouter operational command set but no access to configuration commands. An operator also has limited access to operating system commands. At this time, command completion and CLI help show all vRouter commands for a user with the operator role.
Use the set form of this command to assign the privilege level to a user.
Use the delete form of this command to restore the privilege level of a user to the default level, which is administrative level.
Use the show form of this command to display the privilege level of a user.
system tacplus-options command-accounting
Enables logging of accounting records for interactive shell (vbash) commands.
Accounting records are not logged.
Configuration mode
system {
tacplus-options {
command-accounting
}
}
Use this command to enable logging of accounting records for interactive shell commands.
Connections to the system for which commands are logged include SSH, Telnet, console, and serial. Command logging is not limited to TACACS+ authenticated users and accounts for interactive shell commands. Accounting records are logged to the TACACS+ server.
Use the set form of this command to enable logging of accounting records for interactive shell commands.
Use the delete form of this command to restore the default behavior for command accounting, that is, accounting records are not logged.
Use the show form of this command to display the configuration of command accounting.