Supported Platforms
Related Documentation
- M, MX, PTX, T Series
- Defining Junos OS Login Classes
- Junos OS User Accounts Overview
- Limiting the Number of User Login Attempts for SSH and Telnet Sessions
- M, MX, PTX, QFX, T Series
- Example: Creating Login Classes with Specific Privileges
- Additional Information
- User Access and Authentication Feature Guide for Routing Devices
Configuring Junos OS User Accounts
User accounts provide a way for users to access the router or switch. Junos OS requires that all users have a predefined account before they can log in to the device. For each account, you define the login name for the user and, optionally, information that identifies the user. After you have created an account, the software creates a home directory for the user.
It is a common practice to use remote authentication servers to centrally store information about users. Even so, it is also a good practice to configure at least one non-root user directly on each device, in case access to the remote authentication server is disrupted. This one non-root user commonly has a generic name, such as admin.
Because user accounts are configured on multiple devices, they are commonly configured inside of a configuration group. As such, the examples shown here are in a configuration group called global. Using a configuration group for your user accounts is optional.
To create a user account:
- Add a new user, using the user’s assigned account login name.
    [edit groups global]
    user@host# edit system login user username
- (Optional) Configure a full descriptive name for the account.
If the full name includes spaces, enclose the entire name in quotation marks.
    [edit groups global system login user user-name]
    user@host# set full-name complete-name
For example:
    user@host# show groups
    global {
        system {
            login {
                user admin {
                    full-name "general administrator";
                }
            }
        }
    }
- (Optional) Set the user identifier (UID) for the account.
As with UNIX systems, the UID enforces user permissions and file access. If you do not set the UID, Junos OS assigns one for you. The format of the UID is a number in the range of 100 to 64000.
    [edit groups global system login user user-name]
    user@host# set uid uid-value
For example:
    user@host# show groups
    global {
        system {
            login {
                user admin {
                    uid 9999;
                }
            }
        }
    }
- Assign the user to a login class.
You can define your own login classes or assign one of the predefined Junos OS login classes.
The predefined login classes are as follows:
- super-user—all permissions
- operator—clear, network, reset, trace, and view permissions
- read-only—view permissions
- unauthorized—no permissions
    [edit groups global system login user user-name]
    user@host# set class class-name
For example:
    user@host# show groups
    global {
        system {
            login {
                user admin {
                    class super-user;
                }
            }
        }
    }
- Use one of the following methods to configure the user password.
- To enter a clear-text password that the system encrypts for you, use the following command to set the user password:
    [edit groups global system login user user-name]
    user@host# set authentication plain-text-password password
    New Password: type password here
    Retype new password: retype password here
As you enter the password in plain text, Junos OS encrypts it immediately. You do not have to configure Junos OS to encrypt the password as in some other systems. Plain-text passwords are therefore hidden and marked as ## SECRET-DATA in the configuration.
- To enter a password that is already encrypted, use the following command to set the user password:
Caution: Do not use the encrypted-password option unless the password is already encrypted, and you are entering the encrypted version of the password.
If you accidentally configure the encrypted-password option with a plain-text password or with blank quotation marks (" "), you will not be able to log in to the device as this user.
    [edit groups global system login user user-name]
    user@host# set authentication encrypted-password "password"
    New Password: type password here
    Retype new password: retype password here
- To load previously generated public keys from a named file at a specified URL location, use the following command to set the user password:
    [edit groups global system login user user-name]
    user@host# set authentication load-key-file URL filename
- To enter an SSH public key string, use the following command to set the user password:
    [edit groups global system login user user-name]
    user@host# set authentication (ssh-dsa | ssh-ecdsa | ssh-rsa) authorized-key
- At the top level of the configuration, apply the configuration group.
If you use a configuration group, you must apply it for it to take effect.
    [edit]
    user@host# set apply-groups global
- Commit the configuration.
    user@host# commit
- To verify the configuration, log out and log back in as the new user.
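The following is an added example, not part of the original documentation: a Python check that audits local accounts in set-format configuration text (as produced by show configuration | display set) against the constraints in this procedure: the UID range, a login class, an authentication method, a non-blank encrypted-password, and an applied configuration group. The sample lines, the user names netops and audit, the group name staging, and the rule that a stored hash starts with "$" are assumptions made for the example.

```python
import re
import shlex

UID_MIN, UID_MAX = 100, 64000  # UID range given in the procedure
USER_RE = re.compile(r"^set (?:groups (\S+) )?system login user (\S+) (.+)$", re.M)
APPLY_RE = re.compile(r"^set apply-groups (\S+)", re.M)

def audit_login_users(display_set_text):
    """Return sorted (user, finding) pairs for local accounts in set-format config."""
    applied = set(APPLY_RE.findall(display_set_text))
    users = {}
    for group, name, rest in USER_RE.findall(display_set_text):
        user = users.setdefault(name, {"group": group, "auth": {}})
        key, *args = shlex.split(rest) or [""]  # keeps quoted values such as " "
        if key in ("uid", "class") and len(args) == 1:
            user[key] = args[0]
        elif key == "authentication" and args:
            user["auth"][args[0]] = args[1] if len(args) > 1 else ""
    findings = []
    for name, user in users.items():
        uid, hashed = user.get("uid"), user["auth"].get("encrypted-password")
        if uid is not None and not (uid.isdigit() and UID_MIN <= int(uid) <= UID_MAX):
            findings.append((name, f"uid {uid} outside {UID_MIN}-{UID_MAX}"))
        if "class" not in user:
            findings.append((name, "no login class assigned"))
        if not user["auth"]:
            findings.append((name, "no authentication method configured"))
        if hashed is not None and not hashed.strip():
            findings.append((name, "blank encrypted-password: login will fail"))
        elif hashed is not None and not hashed.startswith("$"):
            # Assumption: stored hashes use crypt-style "$id$..." prefixes.
            findings.append((name, "encrypted-password does not look like a hash"))
        if user["group"] and user["group"] not in applied:
            findings.append((name, f"group {user['group']} is not applied"))
    return sorted(findings)

# Constructed sample in "display set" form; not taken from a real device.
SAMPLE = '''
set groups global system login user admin uid 9999
set groups global system login user admin class super-user
set groups global system login user admin authentication encrypted-password "$6$constructed$hash"
set groups staging system login user netops uid 50
set groups staging system login user netops authentication encrypted-password " "
set system login user audit class read-only
set apply-groups global
'''

if __name__ == "__main__":
    for user, finding in audit_login_users(SAMPLE):
        print(f"{user}: {finding}")
```

Running the check before commit catches the two conditions this procedure warns about that are easy to miss on review: a blank encrypted-password and a group that was defined but never applied.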
Published: 2013-10-28