Junos OS User Accounts


Junos OS allows you to create accounts for router, switch, and security users. All users also belong to one of the system login classes.

Junos OS requires that all users have a predefined user account before they can log in to the device. For each user account, you define the login name for the user and, optionally, information that identifies the user. User accounts provide a way for users to access a router or switch or security device. Read this topic for more information.

Junos OS User Accounts Overview

User accounts provide one way for users to access the device. (Users can access the device without accounts if you configured RADIUS or TACACS+ servers, as described in Junos OS User Authentication Methods.) For each account, you define the login name for the user and, optionally, information that identifies the user. After you have created an account, the software creates a home directory for the user.

For each user account, you can define the following:

  • Username—Name that identifies the user. It must be unique within the device. Do not include spaces, colons, or commas in the username. The username can be up to 64 characters long.

  • User’s full name—(Optional) If the full name contains spaces, enclose it in quotation marks. Do not include colons or commas.

  • User identifier (UID)—(Optional) Numeric identifier that is associated with the user account name. The identifier must be in the range from 100 through 64,000 and must be unique within the device. If you do not assign a UID to a username, the software assigns one when you commit the configuration, preferring the lowest available number.

You must ensure that the UID is unique. However, it is possible to assign the same UID to different users. If you do this, the CLI displays a warning when you commit the configuration and then assigns the duplicate UID.

  • User’s access privilege—(Required) One of the login classes you defined in the class statement at the [edit system login] hierarchy level, or one of the default classes listed in Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands, Configuration Statements, and Hierarchies.

  • Authentication method or methods and passwords that the user can use to access the device—(Optional) You can use SSH or a Message Digest 5 (MD5) password, or you can enter a plain-text password that Junos OS encrypts using MD5-style encryption before entering it in the password database. For each method, you can specify the user’s password. If you configure the plain-text-password option, you are prompted to enter and confirm the password.

    The default requirements for plain-text passwords are:

    • The password must be between 6 and 128 characters long.

    • You can include most character classes in a password (uppercase letters, lowercase letters, numbers, punctuation marks, and other special characters). Control characters are not recommended.

    • Valid passwords must contain at least one change of case or character class.

    Junos-FIPS and Common Criteria have special password requirements. FIPS and Common Criteria passwords must be between 10 and 20 characters in length. Passwords must use at least three of the five defined character sets (uppercase letters, lowercase letters, digits, punctuation marks, and other special characters). If Junos-FIPS is installed on the device, you cannot configure passwords unless they meet this standard.

For SSH authentication, you can copy the contents of an SSH key file into the configuration or directly configure SSH key information. Use the load-key-file URL filename statement to load an SSH key file that was previously generated, for example by using ssh-keygen. The URL filename is the path to the file’s location and name. This statement loads RSA (SSH version 1 and SSH version 2) and DSA (SSH version 2) public keys. The contents of the SSH key file are copied into the configuration immediately after you enter the load-key-file statement. Optionally, you can use the ssh-dsa public key <from hostname> and the ssh-rsa public key <from hostname> statements to directly configure SSH keys.

Starting in Junos OS Release 18.3R1, the ssh-dss and ssh-dsa hostkey algorithms are deprecated—rather than immediately removed—to provide backward compatibility and a chance to bring your configuration into compliance with the new configuration.

For each user account and for root logins, you can configure more than one public RSA or DSA key for user authentication. When a user logs in using a user account or as root, the configured public keys are referenced to determine whether the private key matches any of them.

To view the SSH key entries, use the configuration mode show command. For example:

An account for the user root is always present in the configuration. You configure the password for root using the root-authentication statement, as described in Configuring the Root Password.

Junos-FIPS Crypto Officer and User Accounts Overview

Junos-FIPS defines a restricted set of user roles. Unlike the Junos OS, which enables a wide range of capabilities to users, FIPS 140-2 defines specific types of users (Crypto Officer, User, and Maintenance). Crypto Officers and FIPS Users perform all FIPS-related configuration tasks and issue all FIPS-related commands. Crypto Officer and FIPS User configurations must follow FIPS 140-2 guidelines. Typically, no user besides a Crypto Officer can perform FIPS-related tasks.

Crypto Officer User Configuration

Junos-FIPS offers finer control of user permissions than those mandated by FIPS 140-2. For FIPS 140-2 conformance, any Junos-FIPS user with the secret, security, and maintenance permission bits set is a Crypto Officer. In most cases, the super-user class should be reserved for a Crypto Officer. A FIPS User can be defined as any Junos-FIPS user that does not have the secret, security, and maintenance bits set.

FIPS User Configuration

A Crypto Officer sets up FIPS Users. FIPS Users can be granted permissions normally reserved for a Crypto Officer; for example, permission to zeroize the system and individual AS-II FIPS PICs.

Example: Configuring User Accounts

The following example shows how to create accounts for four router or switch users, and create an account for the template user remote. All users use one of the default system login classes. User alexander also has two Digital Signature Algorithm (DSA) public keys configured for SSH authentication.

Example: Configuring New Users

This example shows how to configure new users.

Requirements

No special configuration beyond device initialization is required before configuring this feature.

Overview

You can add new users to the device’s local database. For each account, you define a login name and password for the user and specify a login class for access privileges. The login password must meet the following criteria:

  • The password must be at least six characters long.

  • You can include most character classes in a password (alphabetic, numeric, and special characters), but not control characters.

  • The password must contain at least one change of case or character class.

In this example, you create a login class named operator-and-boot and allow it to reboot the device. You can define any number of login classes. You then allow the operator-and-boot login class to use commands defined in the clear, network, reset, trace, and view permission bits.

Then you create user accounts. User accounts enable you to access the device. (You can access the device without accounts if you configured RADIUS or TACACS+ servers.) You set the username as cmartin and the login class as superuser. Finally, you define the encrypted password for the user.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

GUI Step-by-Step Procedure

To configure new users:

  1. In the J-Web user interface, select Configure>System Properties>User Management.
  2. Click Edit. The Edit User Management dialog box appears.
  3. Select the Users tab.
  4. Click Add to add a new user. The Add User dialog box appears.
  5. In the User name box, type a unique name for the user.

    Do not include spaces, colons, or commas in the username.

  6. In the User ID box, type a unique ID for the user.
  7. In the Full Name box, type the user’s full name.

    If the full name contains spaces, enclose it in quotation marks. Do not include colons or commas.

  8. In the Password and Confirm Password boxes, enter a login password for the user and verify your entry.
  9. From the Login Class list, select the user’s access privilege:
    • operator

    • read-only

    • unauthorized

    This list also includes any user-defined login classes.

  10. Click OK in the Add User dialog box and Edit User Management dialog box.
  11. Click OK to check your configuration and save it as a candidate configuration.
  12. If you are done configuring the device, click Commit Options>Commit.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure new users:

  1. Set the name of the login class and allow the use of the reboot command.
  2. Set the permission bits for the login class.
  3. Set the username, login class, and encrypted password for the user.
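The three steps above as Junos set commands, added here as an example because the page’s own CLI Quick Configuration block is not reproduced on this page. The class is written super-user, the predefined class name listed later on this page, and the encrypted-password value is a placeholder, not a real hash.

```junos
# Added example (not the page's own quick configuration). Enter at the [edit] hierarchy.
# Step 1: create the login class and allow it to run the reboot command.
set system login class operator-and-boot allow-commands "request system reboot"
# Step 2: grant the class the clear, network, reset, trace, and view permission bits.
set system login class operator-and-boot permissions [ clear network reset trace view ]
# Step 3: create the user. The page assigns cmartin the predefined super-user class;
# to give the account only the new class's rights, use operator-and-boot instead.
set system login user cmartin class super-user
# "$PLACEHOLDER-HASH" stands in for an already-hashed password string. A plain-text value
# given to encrypted-password cannot be used to log in; use plain-text-password to be prompted.
set system login user cmartin authentication encrypted-password "$PLACEHOLDER-HASH"
# Review the candidate configuration, then activate it.
show system login
commit
```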

Results

From configuration mode, confirm your configuration by entering the show system login command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Note

To completely set up RADIUS or TACACS+ authentication, you must configure at least one RADIUS or TACACS+ server and specify a user template account. Do one of the following tasks:

Verification

Confirm that the configuration is working properly.

Verifying the New Users Configuration

Purpose

Verify that the new users have been configured.

Action

From operational mode, enter the show system login command.

Configuring Junos OS User Accounts by Using a Configuration Group

User accounts provide a way for users to access a router or switch. Junos OS requires that all users have a predefined user account before they can log in to the device. For each user account, you define the login name for the user and, optionally, information that identifies the user. After you have created an account, the software creates a home directory for the user.

It is a common practice to use remote authentication servers to centrally store information about users. Even so, it is also a good practice to configure at least one nonroot user directly on each device, in case access to the remote authentication server is disrupted. This one nonroot user commonly has a generic name, such as admin.

Because user accounts are configured on multiple devices, they are commonly configured inside of a configuration group. As such, the examples shown here are in a configuration group called global. Using a configuration group for your user accounts is optional.

To create a user account:

  1. Add a new user, using the user’s assigned account login name.
  2. (Optional) Configure a full descriptive name for the account.

    If the full name includes spaces, enclose the entire name in quotation marks.

    For example:

  3. (Optional) Set the user identifier (UID) for the account.

    As with UNIX systems, the UID enforces user permissions and file access. If you do not set the UID, Junos OS assigns one for you. The format of the UID is a number in the range of 100 to 64000.

    For example:

  4. Assign the user to a login class.

    You can define your own login classes or assign one of the predefined Junos OS login classes.

    The predefined login classes are as follows:

    • super-user—all permissions

    • operator—clear, network, reset, trace, and view permissions

    • read-only—view permissions

    • unauthorized—no permissions

    For example:

  5. Use one of the following methods to configure the user password.

    • To enter a clear-text password that the system encrypts for you, use the following command to set the user password:

      As you enter the password in plain text, Junos OS encrypts it immediately. You do not have to configure Junos OS to encrypt the password as in some other systems. Plain-text passwords are therefore hidden and marked as ## SECRET-DATA in the configuration.

    • To enter a password that is already encrypted, use the following command to set the user password:

      Caution

      Do not use the encrypted-password option unless the password is already encrypted, and you are entering the encrypted version of the password.

      If you accidentally configure the encrypted-password option with a plain-text password or with blank quotation marks (" "), you will not be able to log in to the device as this user.

    • To load previously generated public keys from a named file at a specified URL location, use the following command to set the user password:

    • To enter an ssh public string, use the following command to set the user password:

  6. At the top level of the configuration, apply the configuration group.

    If you use a configuration group, you must apply it for it to take effect.

  7. Commit the configuration.
  8. To verify the configuration, log out and log back in as the new user.
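
Steps 1 through 8 as Junos set commands, added as an example rather than the page’s own configuration snippets, which are not preserved here. The group name global comes from the page; the account name admin, the UID 2001, the full name, the key file path and the ssh-rsa string are assumptions or placeholders.

```junos
# Added example of the procedure above (not the page's own configuration).
# Steps 1-4: account name, full name (quoted because it contains spaces), UID, login class.
set groups global system login user admin full-name "Local fallback administrator"
set groups global system login user admin uid 2001
set groups global system login user admin class super-user
# Step 5, first method: plain-text-password prompts for the password and stores only
# the hash, which show system login displays as ## SECRET-DATA.
set groups global system login user admin authentication plain-text-password
# Step 5, key-based alternatives: load a previously generated public key file
# (assumed path), or paste the public key string directly (placeholder key).
set groups global system login user admin authentication load-key-file /var/tmp/admin.pub
set groups global system login user admin authentication ssh-rsa "ssh-rsa AAAA...PLACEHOLDER admin@example.net"
# Step 6: a configuration group has no effect until it is applied at the top level.
set apply-groups global
# Steps 7 and 8: commit, then log out and log back in as admin to verify the account.
commit
```

Because the local account exists precisely for when RADIUS or TACACS+ is unreachable, confirm the login works before relying on it, as step 8 directs.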

Release History Table

Release: 18.3R1
Description: Starting in Junos OS Release 18.3R1, the ssh-dss and ssh-dsa hostkey algorithms are deprecated—rather than immediately removed—to provide backward compatibility and a chance to bring your configuration into compliance with the new configuration.