Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

User Accounts

Junos OS enables you (the system administrator) to create accounts for router, switch, and security users. All users belong to one of the system login classes.

You create user accounts so that users can access a router, switch, or security device. All users must have a predefined user account before they can log in to the device. You create user accounts and then define the login name and identifying information for each user account.

User Accounts Overview

User accounts provide one way for users to access a device. For each account, you define the user's login name, password, and any additional user information. After you have created an account, the software creates a home directory for the user.

An account for the user root is always present in the configuration. You can configure the password for root using the root-authentication statement.

While it is common to use remote authentication servers to centrally store information about users, it is also good practice to configure at least one non-root user on each device. This way, you can still access the device if its connection to the remote authentication server is disrupted. This non-root user usually has a generic name such as admin.

For each user account, you can define the following:

  • Username (Required): Name that identifies the user. It must be unique. Avoid using spaces, colons, or commas in the username. The username can include up to 64 characters.

  • User’s full name: (Optional) If the full name contains spaces, enclose it in quotation marks. Avoid the use of colons or commas.

  • User identifier (UID): (Optional) Numeric identifier that is associated with the user account name. The UID is assigned automatically when you commit the configuration, so you do not need to set it manually. However, if you choose to configure the UID manually, use a unique value in the range from 100 through 64,000.

  • User’s access privilege: (Required) One of the login classes you defined in the class statement at the [edit system login] hierarchy or one of the default login classes.

  • Authentication method or methods and passwords for device access (Required): You can use a SSH key, a Message Digest 5 (MD5) password, or a plain-text password that Junos OS encrypts using MD5-style encryption before entering it in the password database. For each method, you can specify the user’s password. If you configure the plain-text-password option, you receive a prompt to enter and confirm the password:

    To create valid plain-text passwords, make sure that they:

    • Contain between 6 and 128 characters.

    • Include most character classes (uppercase letters, lowercase letters, numbers, punctuation marks, and other special characters) but do not include control characters.

    • Contain at least one change of case or character class.

    Junos-FIPS and Common Criteria have the following special password requirements. They must:

    • Be between 10 and 20 characters long.
    • Use at least three of the five defined character sets (uppercase letters, lowercase letters, digits, punctuation marks, and other special characters).

    If Junos-FIPS is installed on the device, you must adhere to the special password requirements, or the passwords are not configured.

For SSH authentication, you can copy the contents of an SSH key file into the configuration. You can also configure SSH key information directly. Use the load-key-file statement to load an SSH key file that was generated previously, (for example, by using ssh-keygen). The load-key-file argument is the path to the file location and name. The load-key-file statement loads RSA (SSH version 1 and SSH version 2) public keys. The contents of the SSH key file are copied into the configuration immediately after you configure the load-key-file statement.

Avoid using the following Transport Layer Security (TLS) version and cipher suite (RSA host key) combinations, which will fail:

With RSA host keys:

  • TLS_1.0@DHE-RSA-AES128-SHA

  • TLS_1.0@DHE-RSA-AES256-SHA

For each user account and for root logins, you can configure more than one public RSA key for user authentication. When a user logs in using a user account or as root, the configured public keys are referenced to determine whether the private key matches any of the user accounts.

To view the SSH key entries, use the configuration mode show command. For example:

Junos-FIPS Crypto Officer and User Accounts Overview

Junos-FIPS defines a restricted set of user roles. Unlike the Junos OS, which enables a wide range of capabilities to users, FIPS 140-2 defines specific types of users (Crypto Officer, User, and Maintenance). Crypto Officers and FIPS Users perform all FIPS-related configuration tasks and issue all FIPS-related commands. Crypto Officer and FIPS User configurations must follow FIPS 140-2 guidelines. Typically, only a Crypto Officer can perform FIPS-related tasks.

Crypto Officer User Configuration

Junos-FIPS offers you finer control of user permissions than those mandated by FIPS 140-2. For FIPS 140-2 conformance, any Junos-FIPS user with the secret, security, and maintenance permission bits set is a Crypto Officer. In most cases, you should reserve the super-user class for a Crypto Officer. A FIPS User can be defined as any Junos-FIPS user that does not have the secret, security, and maintenance bits set.

FIPS User Configuration

A Crypto Officer sets up FIPS Users. FIPS Users certain permissions normally reserved for a Crypto Officer; for example, you can grant a FIPS User permission to zeroize the system and individual AS-II FIPS PICs.

Example: Configure New User Accounts

This example shows how to configure new user accounts.

Requirements

You do not need any special configurations before using this feature.

Overview

You can add new user accounts to the device’s local database. For each account, you (the system administrator) define a login name and password for the user and specify a login class for access privileges. The login password must meet the following criteria:

  • The password must be at least six characters long.

  • You can include most character classes in the password (alphabetic, numeric, and special characters), but not control characters.

  • The password must contain at least one change of case or character class.

In this example, you create a login class named operator-and-boot and allow it to reboot the device. You can define any number of login classes. Then, allow the operator-and-boot login class to use commands defined in the following bits:

  • clear

  • network

  • reset

  • trace

  • view permission

Next, create user accounts to enable access to the device. Set the username as randomuser and the login class as superuser. Finally, define the encrypted password for the user.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit in configuration mode.

Step-by-Step Procedure

To configure new users:

  1. Set the name of the login class and allow the use of the reboot command.

  2. Set the permission bits for the login class.

  3. Set the username, login class, and encrypted password for the user.

GUI Quick Configuration
Step-by-Step Procedure

To configure new users:

  1. In the J-Web user interface, select Configure>System Properties>User Management.

  2. Click Edit. The Edit User Management dialog box appears.

  3. Select the Users tab.

  4. Click Add to add a new user. The Add User dialog box appears.

  5. In the User name box, type a unique name for the user.

    Avoid spaces, colons, and commas in the username.

  6. In the User ID box, type a unique ID for the user.

  7. In the Full Name box, type the user’s full name.

    If the full name contains spaces, enclose it in quotation marks. Avoid colons and commas.

  8. In the Password and Confirm Password boxes, enter a login password for the user and verify your entry.

  9. From the Login Class list, select the user’s access privilege:

    • operator

    • read-only

    • unauthorized

    This list also includes any user-defined login classes.

  10. Click OK in the Add User dialog box and Edit User Management dialog box.

  11. Click OK to check your configuration and save it as a candidate configuration.

  12. After you configure the device, click Commit Options>Commit.

Results

In configuration mode, confirm your configuration by entering the show system login command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

The following example shows how to create accounts for four users. It also shows how to create an account for the template user remote. All users use one of the default system login classes.

After you configure the device, enter commit in configuration mode.

Verification

Confirm that the configuration is working properly.

Verify the New Users Configuration

Purpose

Verify that the new users are configured.

Action

Log in to the device with the new user account or accounts and password to confirm that you have access.

Configure User Accounts in a Configuration Group

To make it easier to configure the same user accounts on multiple devices, configure the accounts inside of a configuration group. The examples shown here are in a configuration group called global. Using a configuration group for your user accounts is optional.

To create a user account:

  1. Add a new user, using the user’s assigned account login name.
  2. (Optional) Configure a descriptive name for the account.

    If the name includes spaces, enclose the entire name in quotation marks.

    For example:

  3. (Optional) Set the user identifier (UID) for the account.

    As with UNIX systems, the UID enforces user permissions and file access. If you do not set the UID, the software assigns one for you. The format of the UID is a number between 100 and 64,000.

    For example:

  4. Assign the user to a login class.

    You can define your own login classes or assign one of the predefined login classes.

    The predefined login classes are as follows:

    • super-user—all permissions

    • operator—clear, network, reset, trace, and view permissions

    • read-only—view permissions

    • unauthorized—no permissions

    For example:

  5. Use one of the following methods to configure the user password:
    • To enter a clear-text password that the system encrypts for you, use the following command to set the user password:

      As you enter the password in plain text, the software encrypts it. You do not need to configure the software to encrypt the password. Plain-text passwords are hidden and marked as ## SECRET-DATA in the configuration.

    • To enter a password that is encrypted, use the following command to set the user password:

      CAUTION:

      Do not use the encrypted-password option unless the password is already encrypted and you are entering the encrypted version of the password.

      If you accidentally configure the encrypted-password option with a plain-text password or with blank quotation marks (" "), you will not be able to log in to the device as this user.

    • To load previously generated public keys from a named file at a specified URL location, use the following command:

    • To enter an SSH public string, use the following command:

  6. At the top level of the configuration, apply the configuration group.

    If you use a configuration group, you must apply it for it to take effect.

  7. Commit the configuration.
  8. To verify the configuration, log out and log back in as the new user.