[Contents] [Prev] [Next] [Index] [Report an Error]

Configuring User Accounts

User accounts provide one way for users to access the router. (Users can access the router without accounts if you configured RADIUS or TACACS+ servers, as described in Configuring User Authentication.) For each account, you define the login name for the user and, optionally, information that identifies the user. After you have created an account, the software creates a home directory for the user.

To create user accounts, include the user statement at the [edit system login] hierarchy level:



[edit system login]

user username {

full-name complete-name;

uid uid-value; 

class class-name; 



authentication {
(encrypted-password "password" | plain-text-password);
ssh-rsa "public-key";
ssh-dsa "public-key";
}


}

For each user account, you can define the following:

Username—(Optional) Name that identifies the user. It must be unique within the router. Do not include spaces, colons, or commas in the username. The username can be up to 64 characters long.
User’s full name—(Optional) If the full name contains spaces, enclose it in quotation marks. Do not include colons or commas.
User identifier (UID)—(Optional) Numeric identifier that is associated with the user account name. The identifier must be in the range from 100 through 64,000 and must be unique within the router. If you do not assign a UID to a username, the software assigns one when you commit the configuration, preferring the lowest available number.

You must ensure that the UID is unique. However, it is possible to assign the same UID to different users. If you do this, the CLI displays a warning when you commit the configuration and then assigns the duplicate UID.

User’s access privilege—(Required) One of the login classes you defined in the class statement at the [edit system login] hierarchy level, or one of the default classes listed in Table 13.
Authentication method or methods and passwords that the user can use to access the router—(Optional) You can use SSH or a Message Digest 5 (MD5) password, or you can enter a plain-text password that the JUNOS software encrypts using MD5-style encryption before entering it in the password database. For each method, you can specify the user’s password. If you configure the plain-text-password option, you are prompted to enter and confirm the password: [edit system login user router-name] user@host# set authentication plain-text-password New password: type password here Retype new password: retype password here
The default requirements for plain-text passwords are:
- The password must be between 6 and 128 characters long
  - You can include most character classes in a password (uppercase letters, lowercase letters, numbers, punctuation marks, and other special characters). Control characters are not recommended.
  - Valid passwords must contain at least one change of case or character class.

For each user account and for root logins, you can configure more than one public RSA or DSA key for user authentication. When a user logs in using a user account or as root, the configured public keys are referenced to determine whether the private key matches any of them. For an example of how to configure more than one public key for SSH authentication for a user account, see Example: Configuring User Accounts. For more information about how to configure root authentication, see Configuring the Root Password.

For SSH authentication, you can also copy the contents of an SSH keys file into the configuration. For information about how to specify filenames, see Specifying Filenames and URLs.

To load an SSH key file, use the load-key-file command. This command loads RSA (SSH version 1 and SSH version 2) and DSA (SSH version 2) public keys.

If you load the SSH keys file, the contents of the file are copied into the configuration immediately after you enter the load-key-file statement. To view the SSH keys entries, use the configuration mode show command. For example:



[edit system login user boojum]
user@host# set authentication load-key-file
my-host:.ssh/identity.pub

.file.19692               |          0 KB |   0.3 kB/s
| ETA: 00:00:00 | 100%
[edit system]
user@host# show

root-authentication {
ssh-rsa "1024 35 9727638204084251055468226757249864241630322
207404962528390382038690141584534964170019610608358722961563
475784918273603361276441874265946893207739108344813125957722
625461667999278316123500438660915866283822489746732605661192
181489539813862940327687806538169602027491641637359132693963
44008443 boojum@juniper.net"; # SECRET-DATA
}

An account for the user root is always present in the configuration. You configure the password for root using the root-authentication statement, as described in Configuring the Root Password.

JUNOS-FIPS and Common Criteria have special password requirements. FIPS and Common Criteria passwords must be between 10 and 20 characters in length. Passwords must use at least three of the five defined character sets (uppercase letters, lowercase letters, digits, punctuation marks, and other special characters). If JUNOS-FIPS is installed on the router, you cannot configure passwords unless they meet this standard. For more information, see the Secure Configuration Guide for Common Criteria and JUNOS-FIPS.

Example: Configuring User Accounts

Create accounts for four router users, and create an account for the template user “remote.” All users use one of the default system login classes. User alexander also has two DSA public keys configured for SSH authentication.



[edit]
system {


login {


user philip {
full-name “Philip of Macedonia”; 
uid 1001; 
class super-user; 


authentication {
encrypted-password “$1$poPPeY”; 
}


}




user alexander {
full-name “Alexander the Great”;
uid 1002;
class view;


authentication {
encrypted-password “$1$14c5.$sBopasdFFdssdfFFdsdfs0”;
ssh-dsa “8924 37 5678 5678@gaugamela.per”;
ssh-dsa “6273 94 9283@boojum.per”;
}


}




user darius {
full-name “Darius King of Persia”;
uid 1003;
class operator;


authentication {
ssh-rsa “1024 37 12341234@ecbatana.per”;
}


}




user anonymous {
class unauthorized;
}




user remote {
full-name “All remote users”;
uid 9999;
class read-only;
}


}


}

[Contents] [Prev] [Next] [Index] [Report an Error]