Configuring User Accounts with the SRC CLI
User accounts provide one way for users to access the system. For each account, you define the login name for the user, properties for the user account, and authentication information. After you create an account, the software creates a home directory for the user when the user logs in to the system for the first time.
Each user has a home directory on the C-series Controller, which is created the first time that the user logs in. Home directories that have the same name as the user ID are created in the /var/home directory; for example, the home directory for a user with the user ID Chris_Bee is /var/home/Chris_Bee.
Configuration Statements for User Accounts
Use the following configuration statements to configure user accounts at the [edit] hierarchy level.

```
system login user user-name {
    class class;
    full-name full-name;
    uid uid;
    prompt prompt;
    level (basic | normal | advanced | expert);
    complete-on-space (on | off);
}

system login user user-name authentication {
    plain-text-password;
    encrypted-password "password";
    ssh-authorized-keys [ssh-authorized-keys ...];
}
```

For detailed information about each configuration statement, see the SRC-PE CLI Command Reference.
Configuring a User Account
- From configuration mode, access the configuration statement that configures a user account, and specify a username that identifies the user.

  ```
  [edit]
  user@host# edit system login user user-name
  ```

  The username must be unique within the system. Do not include spaces, colons, or commas in the username. For example:

  ```
  [edit]
  user@host# edit system login user JASmith
  [edit system login user JASmith]
  ```

- Specify the name of the login class that defines the user's access privilege.

  ```
  [edit system login user user-name]
  user@host# set class class
  ```

  The login class is one of the login classes that you defined in the class statement at the [edit system login] hierarchy level, or one of the default classes listed in Table 7 on page 64.

- Specify the full name of the user. If the full name contains spaces, enclose it in quotation marks. Do not include colons or commas. For example:

  ```
  [edit system login user JASmith]
  user@host# set full-name "John A. Smith"
  ```

- (Optional) Specify a user identifier (UID) for the user.

  ```
  [edit system login user user-name]
  user@host# set uid uid
  ```

  The identifier must be a number in the range 0 through 64,000 and must be unique within the system. If you do not assign a UID to a username, the software assigns one when you commit the configuration, preferring the lowest available number.

  You must ensure that the UID is unique: the software does not reject a duplicate, so it is possible to assign the same UID to different users.

- (Optional) Specify a prompt that the user sees at the SRC CLI.

  ```
  [edit system login user user-name]
  user@host# set prompt prompt
  ```

- (Optional) Specify the editing level available to the user. The level determines which configuration commands are visible to the user.

  ```
  [edit system login user user-name]
  user@host# set level (basic | normal | advanced | expert)
  ```

  - basic: Minimal set of configuration statements and commands; only the statements that must be configured are visible.
  - normal: Normal set of configuration statements and commands; the common and basic statements are visible.
  - advanced: All configuration statements and commands, including the common and basic ones, are visible.
  - expert: All configuration statements, including common, basic, and internal statements and commands used for debugging, are visible.

- (Optional) Specify whether entering a space completes a command.

  ```
  [edit system login user user-name]
  user@host# set complete-on-space (on | off)
  ```

  If you do not enter a value, complete-on-space is enabled by default.

- Configure authentication for the user. See Configuring Authentication for User Accounts.

- Display the results of the configuration.

  ```
  [edit system login]
  user@host# show
  . . .
  user JASmith {
      class network-mgmt;
      full-name "John A. Smith";
      uid 507;
      gid 100;
      authentication {
          encrypted-password "{crypt}caZEWDaE1au0c";
      }
      level normal;
      complete-on-space on;
  }
  ```

Configuring Authentication for User Accounts
You can configure the following types of authentication for user accounts:
- Plain text password—Prompt for a plain text (unencrypted) password. The requirements for plain text passwords are:
- Can contain between 6 and 128 characters
- Can include most character classes in a password (uppercase letters, lowercase letters, numbers, punctuation marks, and other special characters).
NOTE: We do not recommend that the password include control characters. We do recommend that the password include at least one change of case or character class.
If you configure a plain text password, you are prompted to enter and confirm the password.
- Encrypted password—Password encoded with crypt. The format of encrypted passwords is "{crypt}<13-characters in a-zA-Z0-9./>".
NOTE: We recommend that you do not enter the password in encrypted format.
- SSH—SSH authentication. For SSH authentication, you can copy the contents of an SSH keys file into a CLI session.
Configuring a Plain Text Password
To configure a plain text password for a user account:

- At the [edit system login user user-name] hierarchy level, enter the set authentication plain-text-password command. You are prompted to enter and confirm the password. For example:

  ```
  [edit system login user JASmith]
  user@host# set authentication plain-text-password
  New password: type password here
  Retype new password: retype password here
  ```
Configuring SSH Authentication
Before you configure SSH authentication, obtain the contents of the SSH public key files. You can copy the contents of an SSH public key file into a CLI session:

- On a management machine such as a PC or personal workstation, create an ssh-rsa key pair and display the public key:

  ```
  > ssh-keygen
  (provide input)
  > cat ~/.ssh/id_rsa.pub
  ```

- On the C-series Controller, enter the set system login user testuser authentication ssh-authorized-key command, and paste in the SSH public key:

  ```
  user@host# set system login user testuser authentication ssh-authorized-key "pasted content of id_rsa.pub"
  ```

  For example, with three public keys:

  ```
  user@host# set system login user testuser authentication ssh-authorized-key [ "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAvSqAWNdMTQJS9eqG1eqRANI3ML4hH+u7WX/HP0W82gDSPpjghnt1e5de3D8UkuIIEUBf1obgy/7AKc98FqAIvVp5onCiMg8ELD6RYkgOgo7U6zERB25qy3sK1Rn9NzrB20qLzbvAcZW1NIePmf1R99d/Rge7kB/5k6fq3NOG0fc= id@server" "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAxlwe9HfZ78vbdfq1+AY0uCF79yGPxgGuwGZd9QVdT+dniwGh/4HwLITvKd8SYrhmJsyhz5dWuZm94JSwQosm9BVhJwREt39NYIkLWOjGIMkk8Cxw4TkpFfeIz1cSbeFxtFBFVaBbo4YkEv5ItbuxwvbTWURkvsQa2VJXAqIs7z8= id2@server2eriand" "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwwOoUD4m+SazgzF2kRIq5Y2+Ix2zQbCxqBSD1rmW92eLPOQIBv/sEy2d8UNeHpoKot9Px8q9ABriOyONc7vqNsSVnAMyicQB786uHoabSErVIYscapTYvIGg+olbdhKySbSxOoXMehhgoQS0JZxHCbxsQJip7/7vJPCjRGU8Xq0= id@server3" ]
  ```

Changing the root Password
An account for the user root is always present in the configuration. Only the root user can change the root password.

- Log in to the SRC software as root.
- From operational mode, change the root password.

  ```
  root@host> set cli password
  Changing password for user root.
  New UNIX password:
  ```

You can also create a regular account for root and set the SSH key there. The class for root is always super-user; if you create an account for root, the class is ignored.

Example: User Accounts
The following example shows the configuration for user accounts for three system users and the template user "remote." All users use one of the default system login classes.
```
system {
    login {
        user philip {
            class super-user;
            full-name "Philip of Macedonia";
            uid 1001;
            authentication {
                encrypted-password "{crypt}6YPqJe88Wz5fQ";
                ssh-authorized-keys [
                    "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAvSqAWNdMTQJS9eqG1eqRANI3ML4hH+u7WX/HP0W82gDSPpjghnt1e5de3D8UkuIIEUBf1obgy/7AKc98FqAIvVp5onCiMg8ELD6RYkgOgo7U6zERB25qy3sK1Rn9NzrB20qLzbvAcZW1NIePmf1R99d/Rge7kB/5k6fq3NOG0fc= id@server"
                    "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAxlwe9HfZ78vbdfq1+AY0uCF79yGPxgGuwGZd9QVdT+dniwGh/4HwLITvKd8SYrhmJsyhz5dWuZm94JSwQosm9BVhJwREt39NYIkLWOjGIMkk8Cxw4TkpFfeIz1cSbeFxtFBFVaBbo4YkEv5ItbuxwvbTWURkvsQa2VJXAqIs7z8= id2@server2eriand"
                    "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwwOoUD4m+SazgzF2kRIq5Y2+Ix2zQbCxqBSD1rmW92eLPOQIBv/sEy2d8UNeHpoKot9Px8q9ABriOyONc7vqNsSVnAMyicQB786uHoabSErVIYscapTYvIGg+olbdhKySbSxOoXMehhgoQS0JZxHCbxsQJip7/7vJPCjRGU8Xq0= id@server3"
                ];
            }
        }
        user alexander {
            full-name "Alexander the Great";
            uid 1002;
            class view;
            authentication {
                encrypted-password "{crypt}6ZSqJe75Tz5fN";
                ssh-authorized-keys [
                    "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAvSqAWNdMTQJS9eqG1eqRANI3ML4hH+u7WX/HP0W82gDSPpjghnt1e5de3D8UkuIIEUBf1obgy/7AKc98FqAIvVp5onCiMg8ELD6RYkgOgo7U6zERB25qy3sK1Rn9NzrB20qLzbvAcZW1NIePmf1R99d/Rge7kB/5k6fq3NOG0fc= id@server"
                    "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAxlwe9HfZ78vbdfq1+AY0uCF79yGPxgGuwGZd9QVdT+dniwGh/4HwLITvKd8SYrhmJsyhz5dWuZm94JSwQosm9BVhJwREt39NYIkLWOjGIMkk8Cxw4TkpFfeIz1cSbeFxtFBFVaBbo4YkEv5ItbuxwvbTWURkvsQa2VJXAqIs7z8= id2@server2eriand"
                    "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwwOoUD4m+SazgzF2kRIq5Y2+Ix2zQbCxqBSD1rmW92eLPOQIBv/sEy2d8UNeHpoKot9Px8q9ABriOyONc7vqNsSVnAMyicQB786uHoabSErVIYscapTYvIGg+olbdhKySbSxOoXMehhgoQS0JZxHCbxsQJip7/7vJPCjRGU8Xq0= id@server3"
                ];
            }
        }
        user darius {
            full-name "Darius King of Persia";
            uid 1003;
            class operator;
            authentication {
                ssh "1024 37 12341234@ecbatana.per";
            }
        }
        user remote {
            full-name "All remote users";
            uid 9999;
            class read-only;
        }
    }
}
```
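The rules stated in this chapter (no spaces, colons or commas in a username; UID in 0 through 64,000 and unique, which the software does not enforce on commit; encrypted passwords in the "{crypt}<13 characters>" form) are easy to check mechanically against the brace-format output of show system login. The following linter is an added example, not part of the SRC software or this documentation; the sample configuration it parses is constructed, and the parser is a deliberately minimal one that handles only the user blocks shown on this page.

```python
import re
# Constructed sample in the brace format "show system login" displays; the
# second user deliberately breaks three of the documented rules.
SAMPLE = """
user philip {
    uid 1001;
    authentication {
        encrypted-password "{crypt}6YPqJe88Wz5fQ";
    }
}
user dup:user {
    uid 1001;
    authentication {
        encrypted-password "{crypt}tooshort";
    }
}
"""
CRYPT_RE = re.compile(r"^\{crypt\}[A-Za-z0-9./]{13}$")  # {crypt} + 13 chars of a-zA-Z0-9./
USERNAME_BAD = re.compile(r"[\s:,]")  # characters a username must not contain

def parse_users(text):
    # Each "user NAME {" starts a record; leaf statements, including those in the nested authentication block, become key -> value.
    users, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^user (\S+) \{$", line)
        if m:
            cur = {"name": m.group(1)}
            users.append(cur)
        elif cur is not None and line.endswith(";"):
            key, _, val = line[:-1].partition(" ")
            cur[key] = val.strip('"')
    return users

def lint(users):
    # One finding per violated rule; duplicate UIDs are not rejected on commit, so uniqueness is checked here.
    findings, seen = [], {}
    for u in users:
        n, uid, pw = u["name"], u.get("uid"), u.get("encrypted-password")
        if USERNAME_BAD.search(n):
            findings.append(f"{n}: username contains a space, colon or comma")
        if uid is not None and (not uid.isdigit() or int(uid) > 64000):
            findings.append(f"{n}: uid {uid} outside 0..64000")
        elif uid in seen:
            findings.append(f"{n}: uid {uid} already used by {seen[uid]}")
        elif uid is not None:
            seen[uid] = n
        if pw is not None and not CRYPT_RE.match(pw):
            findings.append(f"{n}: encrypted-password is not {{crypt}} + 13 chars")
    return findings
```

Running lint(parse_users(SAMPLE)) reports three findings, all against dup:user, and none against philip.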