User Accounts
Junos OS Evolved enables you (the system administrator) to create accounts for router, switch, and security users. All users belong to one of the system login classes.
You create user accounts so that users can access a router, switch, or security device. All users must have a predefined user account before they can log in to the device. You create user accounts and then define the login name and identifying information for each user account.
User Accounts Overview
User accounts provide one way for users to access a device. For each account, you define the user's login name, password, and any additional user information. After you have created an account, the software creates a home directory for the user.
An account for the user root is always present in the configuration. You can configure the password for root using the root-authentication statement.
While it is common to use remote authentication servers to centrally store information about users, it is also good practice to configure at least one non-root user on each device. This way, you can still access the device if its connection to the remote authentication server is disrupted. This non-root user usually has a generic name such as admin.
For each user account, you can define the following:
- Username: (Required) Name that identifies the user. It must be unique. Avoid using spaces, colons, or commas in the username. The username can include up to 32 characters.
- User’s full name: (Optional) If the full name contains spaces, enclose it in quotation marks. Avoid the use of colons or commas.
- User identifier (UID): (Optional) Numeric identifier that is associated with the user account name. The UID is assigned automatically when you commit the configuration, so you do not need to set it manually. However, if you choose to configure the UID manually, use a unique value in the range from 100 through 64,000.
- User’s access privilege: (Required) One of the login classes you defined in the class statement at the [edit system login] hierarchy, or one of the default login classes.
- Authentication method or methods and passwords for device access: (Required) You can use an SSH key, a Message Digest 5 (MD5) password, or a plain-text password that Junos OS Evolved encrypts using MD5-style encryption before entering it in the password database. For each method, you can specify the user’s password. If you configure the plain-text-password option, you receive a prompt to enter and confirm the password:

  [edit system login user username]
  user@host# set authentication plain-text-password
  New password: type password here
  Retype new password: retype password here
To create valid plain-text passwords, make sure that they:
- Contain between 6 and 128 characters.
- Include most character classes (uppercase letters, lowercase letters, numbers, punctuation marks, and other special characters) but do not include control characters.
- Contain at least one change of case or character class.
- For SSH authentication, you can copy the contents of an SSH key file into the configuration. You can also configure SSH key information directly. Use the load-key-file statement to load an SSH key file that was generated previously (for example, by using ssh-keygen). The load-key-file argument is the path to the file location and name. The load-key-file statement loads RSA (SSH version 1 and SSH version 2) public keys. The contents of the SSH key file are copied into the configuration immediately after you configure the load-key-file statement.
Avoid using the following Transport Layer Security (TLS) version and cipher suite combinations with RSA host keys, which will fail:
- TLS_1.0@DHE-RSA-AES128-SHA
- TLS_1.0@DHE-RSA-AES256-SHA
For each user account and for root logins, you can configure more than one public RSA key for user authentication. When a user logs in using a user account or as root, the configured public keys are referenced to determine whether the private key matches any of the user accounts.
To view the SSH key entries, use the configuration mode show command. For example:
[edit system login user boojum]
user@host# set authentication load-key-file my-host:.ssh/id_rsa.pub
.file.19692 | 0 KB | 0.3 kB/s | ETA: 00:00:00 | 100%
[edit system login user boojum]
user@host# show
authentication {
    ssh-rsa "$ABC123"; # SECRET-DATA
}
Example: Configure New User Accounts
This example shows how to configure new user accounts.
Requirements
You do not need any special configurations before using this feature.
Overview
You can add new user accounts to the device’s local database. For each account, you (the system administrator) define a login name and password for the user and specify a login class for access privileges. The login password must meet the following criteria:
- The password must be at least six characters long.
- You can include most character classes in the password (alphabetic, numeric, and special characters), but not control characters.
- The password must contain at least one change of case or character class.
In this example, you create a login class named operator-and-boot and allow it to reboot the device. You can define any number of login classes. Then, allow the operator-and-boot login class to use the commands defined by the following permission bits:
- clear
- network
- reset
- trace
- view
Next, create user accounts to enable access to the device. Set the username as randomuser and the login class as superuser. Finally, define the encrypted password for the user.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit in configuration mode.
set system login class operator-and-boot allow-commands "request system reboot"
set system login class operator-and-boot permissions [clear network reset trace view]
set system login user randomuser class superuser authentication encrypted-password $1$ABC123
Step-by-Step Procedure
To configure new users:
- Set the name of the login class and allow the use of the reboot command.
  [edit system login]
  user@host# set class operator-and-boot allow-commands "request system reboot"
- Set the permission bits for the login class.
  [edit system login]
  user@host# set class operator-and-boot permissions [clear network reset trace view]
- Set the username, login class, and encrypted password for the user.
  [edit system login]
  user@host# set user randomuser class superuser authentication encrypted-password $1$ABC123
Results
In configuration mode, confirm your configuration by entering the show system login command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show system login
class operator-and-boot {
    permissions [ clear network reset trace view ];
    allow-commands "request system reboot";
}
user randomuser {
    class superuser;
    authentication {
        encrypted-password "$1$ABC123";
    }
}
The following example shows how to create accounts for four users. It also shows how to create an account for the template user remote. All users use one of the default system login classes.
[edit]
system {
    login {
        user philip {
            full-name "Philip of Macedonia";
            uid 1001;
            class super-user;
            authentication {
                encrypted-password "$ABC123";
            }
        }
        user alexander {
            full-name "Alexander the Great";
            uid 1002;
            class operator;
            authentication {
                encrypted-password "$ABC123";
            }
        }
        user darius {
            full-name "Darius King of Persia";
            uid 1003;
            class operator;
            authentication {
                ssh-rsa "1024 37 12341234@ecbatana.per";
            }
        }
        user anonymous {
            class unauthorized;
        }
        user remote {
            full-name "All remote users";
            uid 9999;
            class read-only;
        }
    }
}
After you configure the device, enter commit in configuration mode.
Configure User Accounts in a Configuration Group
To make it easier to configure the same user accounts on multiple devices, configure the accounts inside of a configuration group. The examples shown here are in a configuration group called global. Using a configuration group for your user accounts is optional.
To create a user account: