

Configure User Accounts

User accounts provide one way for users to access the router. (Users can access the router without accounts if you configured RADIUS or TACACS+ servers, as described in User Authentication.) For each account, you define the login name for the user and, optionally, information that identifies the user. After you have created an account, the software creates a home directory for the user.

To create user accounts, include the user statement at the [edit system login] hierarchy level:

[edit system]
login {
    user user-name {
        full-name complete-name; 
        uid uid-value; 
        class class-name; 
        authentication {
            (encrypted-password "password" | plain-text-password);
            ssh-rsa "public-key";
            ssh-dsa "public-key";
        }
    }
}

For each user account, you can define the following:

You must ensure that each UID is unique. The software does not prevent you from assigning the same UID to different users: if you do this, the CLI displays a warning when you commit the configuration, then assigns the duplicate UID.

[edit system]
user@host# set root-authentication plain-text-password
New password: type password here
Retype new password: retype password here

For SSH authentication, you can copy the contents of an SSH key file into the configuration. For information about how to specify filenames, see How to Specify Filenames and URLs.

To load an SSH key file, use the load-key-file command. This command loads RSA (SSH version 1) and DSA (SSH version 2) public keys. You can also configure a user to use ssh-rsa and ssh-dsa keys.

If you load the SSH key file, the contents of the file are copied into the configuration immediately after you enter the load-key-file statement. To view the SSH key entries, use the configuration mode show command. For example:

[edit system]
user@host# set root-authentication load-key-file my-host:.ssh/identity.pub 
.file.19692               |          0 KB |   0.3 kB/s | ETA: 00:00:00 | 100%
[edit system]
user@host# show
root-authentication {
ssh-rsa "1024 35 97276382040842510554682267572498642416303222074049625
2839038203869014158453496417001961060835872296156347578491827360336
1276441874265946893207739108344810126831259577226254616679992783161
2350043866091586628382248974673260566119218148953981396556156378621
194032768780653816960202749164163735913269396344008443 
boojum@juniper.net"; # SECRET-DATA
}

An account for the user root is always present in the configuration. You configure the password for root using the root-authentication statement, as described in Configure the Root Password.

Example: Configure User Accounts

Create accounts for four router users, and create an account for the template user "remote." All users use one of the default system login classes.

[edit]
system {
    login {
        user philip {
            full-name "Philip of Macedonia"; 
            uid 1001; 
            class superuser; 
            authentication {
                encrypted-password "$1$poPPeY"; 
            }
        }
        user alexander {
            full-name "Alexander the Great";
            uid 1002;
            class view;
            authentication {
                encrypted-password "$1$14c5.$sBopasdFFdssdfFFdsdfs0";
                ssh-dsa "8924 37 5678 5678@gaugamela.per";
            }
        }
        user darius {
            full-name "Darius King of Persia";
            uid 1003;
            class operator;
            authentication {
                ssh-rsa "1024 37 12341234@ecbatana.per";
            }
        }
        user anonymous {
            class unauthorized;
        }
        user remote {
            full-name "All remote users";
            uid 9999;
            class read-only;
        }
    }
} 
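
One way to check saved configuration text for the duplicate-UID case described above, since the CLI only warns at commit time. This Python script is an added example, not part of the original documentation or of the router software; it parses the system login hierarchy and reports UIDs shared by more than one account, plus accounts that have no authentication methods configured. The function names and the sample configuration are constructed for illustration.

```python
import re
from collections import defaultdict

# Quoted strings are matched first, so '{', ';' or '#' inside a value is not misread.
TOKEN = re.compile(r'"[^"]*"|#[^\n]*|[{};]|[^\s{};]+')

def parse(text):
    """Parse curly-brace config text into nested (words, children) nodes."""
    root, stack, words = [], [], []
    cur = root
    for tok in TOKEN.findall(text):
        if tok == "{":                       # open a block named by the pending words
            cur.append((words, []))
            stack.append(cur)
            cur, words = cur[-1][1], []
        elif tok == "}":
            cur = stack.pop()
        elif tok == ";":                     # leaf statement: children is None
            cur.append((words, None))
            words = []
        elif not tok.startswith("#"):        # skip annotations such as "# SECRET-DATA"
            words.append(tok.strip('"'))
    return root

def find(nodes, *path):
    """Yield (words, children) for statements reached by following path keywords."""
    for words, children in nodes or []:
        if words[:1] == [path[0]]:
            if len(path) == 1:
                yield words, children
            else:
                yield from find(children, *path[1:])

def audit_logins(text):
    """Return ({uid: [users]} for shared UIDs, [users with no authentication methods])."""
    by_uid, no_auth = defaultdict(list), []
    for words, body in find(parse(text), "system", "login", "user"):
        for uid_words, _ in find(body, "uid"):
            by_uid[uid_words[1]].append(words[1])
        if not any(methods for _, methods in find(body, "authentication")):
            no_auth.append(words[1])
    return {uid: n for uid, n in by_uid.items() if len(n) > 1}, no_auth

# Constructed sample (not from the page): bob and carol share UID 1002.
SAMPLE = '''system { login {
  user alice { uid 1001; class superuser; authentication { encrypted-password "$1$EXAMPLE"; } }
  user bob { uid 1002; class operator; authentication { ssh-rsa "constructed bob@example"; } }  # SECRET-DATA
  user carol { uid 1002; class read-only; } } }'''
print(audit_logins(SAMPLE))
```

Accounts listed as having no authentication methods are not necessarily misconfigured: in the example above, the template user "remote" has none by design.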
