Configuring JDM User Accounts and Authentication
JDM User Accounts Overview
On a disaggregated Junos OS platform, all computing elements are separate compute entities, and their user accounts and passwords are managed separately. For example, JDM user accounts, including the root user account, are completely separate from the Junos VM user accounts.
Root Account
In the factory-default configuration, the JDM is set up with a root user account. However, there is no password set for the account. You must configure a root password as part of the initial configuration. If the initial configuration of the platform is performed through the phone home feature, the configuration must contain the root password setting. Until you configure a root password, you cannot access some of the user prompts and you cannot commit a configuration by using the JDM CLI.
You can set the root password only from the JDM CLI. You cannot set or change the root password from the JDM shell. The JDM root password is automatically propagated to the JDM shell.
Auto Login for Junos VNFs
When Junos VNFs such as JCP and vSRX are present on an NFX250 device, the JDM auto login account allows you to log in to a Junos VNF without a password.
To configure auto login to JDM:
root@jdm> request setup jdm-auto-login
To log in to a Junos VNF from JDM:
root@jdm> ssh jdm-sysuser@vjunos0
Other User Accounts
You can create user accounts other than the root account in the JDM. To do this, you must use the JDM CLI. You cannot use the JDM shell to create user accounts.
The JDM supports the same features for user accounts as does Junos OS. That is, the JDM supports login classes, custom password requirements, limits on the number of login attempts, and so on.
User Authentication
The JDM supports two of the three methods for user authentication that Junos OS supports: local password authentication and TACACS+ authentication. It does not support RADIUS authentication.
Configuring JDM User Accounts and Authentication
You create user accounts and configure authentication for those accounts in JDM the same way you do in Junos OS. This topic provides some brief guidance on how to configure user accounts and authentication. For more details, consult the Junos OS documentation.
To set the JDM root password:
root@jdm# set system root-authentication plain-text-password
You must use the JDM CLI to set the root password. You cannot set the root password using the JDM shell.
To create a new JDM user account:
root@jdm# set system login user user-name class class-name authentication plain-text-password
You cannot create JDM user accounts from the JDM shell.
To configure SSH keys for a user to enable SSH without a password:
root@jdm# set system login user user-name load-key-file URL-to-ssh-key-file
To configure TACACS+ authentication for user accounts:
root@jdm# set system tacplus-server server-address secret password
Note: TACACS+ is used to support SSH authentication. Once configured, the TACACS+ configuration applies to both JDM and host SSH authentication. On the host, TACACS+ is used to authenticate SSH requests only for the root account and when requested from outside the device.
Optionally, you can specify the TACACS+ authentication server port number and the timeout period. To do so:
root@jdm# set system tacplus-server server-address port port-number
root@jdm# set system tacplus-server server-address timeout period
Note: By default, the TACACS+ port number is set to 49, and the timeout period is set to 5 seconds.
You must also configure the user name along with the class of the user locally on JDM:
root@jdm# set system login user user-name
root@jdm# set system login user user-name class super-user
To allow users to log in to the NFX250 device as a root user:
root@jdm# root-login allow
To prevent users from logging in to the NFX250 device as a root user:
root@jdm# root-login deny
To allow users to log in to the NFX250 device as a root user through an authentication method (for example, RSA authentication) that does not require a password:
root@jdm# root-login deny-password
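The settings covered in this topic can be reviewed in an exported configuration. The following Python script is an added example, not Juniper code: it assumes the JDM configuration is available as text in set-command form, that committed credentials appear under a user's authentication statement, and that root-login sits under system services ssh as it does in Junos OS. The function name audit_jdm_config and all sample values are constructed.

```python
import re

# Constructed sample in "set" form; addresses, names and <...> values are placeholders.
SAMPLE_CONFIG = """\
set system login user netops class super-user
set system login user netops authentication encrypted-password "<hash>"
set system login user audit class read-only
set system tacplus-server 192.0.2.10 secret "<secret>"
set system tacplus-server 192.0.2.10 timeout 5
set system services ssh root-login allow
"""

def audit_jdm_config(text):
    """Return findings for the account and authentication statements in a set-form config."""
    lines = [l.strip() for l in text.splitlines() if l.strip().startswith("set ")]
    findings = []
    if not any(l.startswith("set system root-authentication ") for l in lines):
        findings.append("root-authentication: no root password configured")
    # Match on the statement name only; the hierarchy above it is an assumption.
    if any(re.search(r"\broot-login allow$", l) for l in lines):
        findings.append("root-login allow: root may log in with a password")
    users, servers = {}, {}
    for l in lines:
        if m := re.match(r"set system login user (\S+)(?: (.+))?$", l):
            users.setdefault(m.group(1), []).append(m.group(2) or "")
        elif m := re.match(r"set system tacplus-server (\S+)(?: (\S+))?", l):
            servers.setdefault(m.group(1), set()).add(m.group(2))
    for name, stmts in sorted(users.items()):
        if not any(s.startswith("class ") for s in stmts):
            findings.append(f"user {name}: no login class")
        # A user with no local password or key can only authenticate through TACACS+.
        if not servers and not any(s.startswith("authentication ") for s in stmts):
            findings.append(f"user {name}: no local credential and no TACACS+ server")
    for addr, keys in sorted(servers.items()):
        if "secret" not in keys:
            findings.append(f"tacplus-server {addr}: no shared secret")
    return findings

if __name__ == "__main__":
    for finding in audit_jdm_config(SAMPLE_CONFIG):
        print(finding)
```

On the constructed sample the script reports the missing root password and the root-login allow setting; the user named audit is not flagged because a TACACS+ server is configured.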