Configure User Accounts in a Configuration Group
To make it easier to configure the same user accounts on multiple devices, configure the accounts inside of a configuration group. The examples shown here are in a configuration group called global. Using a configuration group for your user accounts is optional.
To create a user account:
- Add a new user, using the user’s assigned account login name.
[edit groups global]
user@host# edit system login user username
- (Optional) Configure a descriptive name for the account.
If the name includes spaces, enclose the entire name in quotation marks.
[edit groups global system login user user-name]
user@host# set full-name complete-name
For example:
user@host# show groups
global {
    system {
        login {
            user admin {
                full-name "general administrator";
            }
        }
    }
}
- (Optional) Set the user identifier (UID) for the account.
As with UNIX systems, the UID enforces user permissions and file access. If you do not set the UID, the software assigns one for you. The format of the UID is a number between 100 and 64,000.
[edit groups global system login user user-name]
user@host# set uid uid-value
For example:
user@host# show groups
global {
    system {
        login {
            user admin {
                uid 9999;
            }
        }
    }
}
- Assign the user to a login class.
You can define your own login classes or assign one of the predefined login classes.
The predefined login classes are as follows:
  - super-user—all permissions
  - operator—clear, network, reset, trace, and view permissions
  - read-only—view permissions
  - unauthorized—no permissions
[edit groups global system login user user-name]
user@host# set class class-name
For example:
user@host# show groups
global {
    system {
        login {
            user admin {
                class super-user;
            }
        }
    }
}
- Use one of the following methods to configure the user password:
  - To enter a clear-text password that the system encrypts for you, use the following command to set the user password:
    [edit groups global system login user user-name]
    user@host# set authentication plain-text-password
    New Password: type password here
    Retype new password: retype password here
    As you enter the password in plain text, the software encrypts it. You do not need to configure the software to encrypt the password. Plain-text passwords are hidden and marked as ## SECRET-DATA in the configuration.
  - To enter a password that is encrypted, use the following command to set the user password:
    CAUTION: Do not use the encrypted-password option unless the password is already encrypted and you are entering the encrypted version of the password. If you accidentally configure the encrypted-password option with a plain-text password or with blank quotation marks (" "), you will not be able to log in to the device as this user.
    [edit groups global system login user user-name]
    user@host# set authentication encrypted-password "password"
  - To load previously generated public keys from a named file at a specified URL location, use the following command:
    [edit groups global system login user user-name]
    user@host# set authentication load-key-file URL filename
  - To enter an SSH public string, use the following command:
    [edit groups global system login user user-name]
    user@host# set authentication (ssh-ecdsa | ssh-ed25519 | ssh-rsa) authorized-key
- At the top level of the configuration, apply the configuration group.
If you use a configuration group, you must apply it for it to take effect.
[edit]
user@host# set apply-groups global
- Commit the configuration.
user@host# commit
- To verify the configuration, log out and log back in as the new user.
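A check to run on a change script before it is loaded, covering the mistakes this procedure warns about; this is an added example, not part of the original documentation. It reads `set`-format commands for users in the global group and flags a UID outside 100 to 64,000, a login class that is not predefined, a user with no class or authentication method, and an encrypted-password value that is not already a hash. The function name, the sample lines, and the crypt-style `$1$`/`$5$`/`$6$` pattern used to recognise a hash are assumptions.

```python
import re
import shlex

# Assumption: an already-encrypted Junos password is a crypt(3)-style string
# such as $6$<salt>$<hash>; anything else is treated as not encrypted.
CRYPT_RE = re.compile(r"^\$[156]\$\S+\$[./A-Za-z0-9]+$")
PREDEFINED = {"super-user", "operator", "read-only", "unauthorized"}
PREFIX = ["set", "groups", "global", "system", "login", "user"]

def lint_login_users(set_lines, custom_classes=()):
    """Return sorted (user, problem) pairs for the given 'set' commands."""
    findings, seen = set(), {}
    for line in set_lines:
        tok = shlex.split(line)  # keeps "" and " " as explicit tokens
        if tok[:6] != PREFIX or len(tok) < 9:
            continue
        user, stmt, args = tok[6], tok[7], tok[8:]
        seen.setdefault(user, set()).add(stmt)
        if stmt == "uid":
            if not args[0].isdigit() or not 100 <= int(args[0]) <= 64000:
                findings.add((user, "uid outside 100-64000"))
        elif stmt == "class":
            if args[0] not in PREDEFINED and args[0] not in custom_classes:
                findings.add((user, "unknown login class"))
        elif stmt == "authentication" and args[0] == "encrypted-password":
            value = args[1] if len(args) > 1 else ""
            if not CRYPT_RE.match(value):  # plain text or blank quotes
                findings.add((user, "encrypted-password is not a hash"))
    for user, stmts in seen.items():
        if "class" not in stmts:
            findings.add((user, "no login class"))
        if "authentication" not in stmts:
            findings.add((user, "no authentication method"))
    return sorted(findings)

# Constructed sample input: the hash, salt and passwords are made up.
SAMPLE = [
    'set groups global system login user admin uid 9999',
    'set groups global system login user admin class super-user',
    'set groups global system login user admin authentication encrypted-password "$6$CONSTRUCTEDSALT$abcDEF123./xyz"',
    'set groups global system login user ops uid 42',
    'set groups global system login user ops class operator',
    'set groups global system login user ops authentication encrypted-password "Summer2024"',
    'set groups global system login user audit class read-only',
    'set groups global system login user audit authentication encrypted-password " "',
]

if __name__ == "__main__":
    print(lint_login_users(SAMPLE))
```

Pass any locally defined login classes in `custom_classes` so they are not reported as unknown.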