Users¶
Overview¶
Two user roles are available:
viewer
for use in operational mode where the configuration cannot be changed, only commands to troubleshoot or monitor are available.This is the default role for new users.
admin
for use in configuration mode, with full access.
Three user accounts are provided by default:
Account |
Default password |
Description |
---|---|---|
|
|
The standard account for configuration.
It has the |
|
|
A restricted account for monitoring purposes.
It has the |
|
|
Provides the ability to log into the Linux subsystem as superuser. Note that, unless documented otherwise, this account must not be used to configure the system, as it would conflict with the CLI. |
Warning
For security reasons, it is recommended to change the default passwords of preconfigured users. See Changing Passwords.
Two default users are created when booting the system for the first time:
admin
and viewer
. Their default passwords are admin
and viewer
,
respectively.
The admin
account has the admin
role, which means that it has permissions
to edit the configuration and run privileged commands.
The viewer
acccount has the viewer
role, which means that it has
permissions to view the configuration but not to edit it and run standard
commands.
Warning
For obvious security reasons, you MUST change the passwords of these users.
You may even want to completely disable the default admin
and viewer
users, by setting default-users-enabled
to false
:
vrouter running config# system auth default-users-enabled false
vrouter running config# commit
Configuration applied.
In this case, you must configure a user with the admin
role, else you will
lose access to the CLI.
Changing Passwords¶
CLI users¶
To change the admin
user password, go in the system auth user admin
context:
vrouter running config# system auth user admin
vrouter running user admin# password
Enter value for password> **********
vrouter running user admin# commit
Configuration applied.
For security reasons, the password is not stored in clear-text in the configuration. A hash is stored instead.
vrouter running user admin# show config
user admin
password $5$Ndx/QlMS5Anp7LTq$Lws2OmAm0SO.cBmPBGtdpwnfdAM4hDM4AdSO4ncXjS/
It is also possible to directly set the password as a hashed value. To
generate a hashed password on a Linux machine, use mkpasswd
, which is
provided in the whois
package:
root@host:~# mkpasswd -m SHA-256
Password: **********
$5$Ndx/QlMS5Anp7LTq$Lws2OmAm0SO.cBmPBGtdpwnfdAM4hDM4AdSO4ncXjS/
root
user¶
Changing the password for the root
user is done through the Linux shell:
root@vrouter:~# passwd
Enter new UNIX password: ********
Retype new UNIX password: ********
passwd: password updated successfully
Creating Users¶
To create a new user, go into the config system auth
context, and add a
new user with the following commands:
vrouter running user admin# ..
vrouter running auth# user john
vrouter running user john# role admin
vrouter running user john# password
Enter value for password> **********
vrouter running user john# commit
Configuration applied.
Let’s display what has been sent to the NETCONF server:
vrouter running user john# show config xml absolute
<config xmlns="urn:6wind:vrouter">
<system xmlns="urn:6wind:vrouter/system">
<auth xmlns="urn:6wind:vrouter/system/auth">
<user>
<name>john</name>
<role>admin</role>
<password>$5$iqsVCbCmIYRF.Sht$lCwP.HDLxtTnzz33uXX7ZdTR6xdSdnUoabRMxHYXjI9</password>
</user>
</auth>
</system>
</config>
Now that the configuration is applied, let’s see the state of our user:
vrouter running user john# show state
user john
password $5$iqsVCbCmIYRF.Sht$lCwP.HDLxtTnzz33uXX7ZdTR6xdSdnUoabRMxHYXjI9
role admin
..
The user john
has the admin
role. This means he can edit the configuration,
read protected nodes (such as passwords) and run privileged commands.
Configuring SSH Authorized Keys¶
SSH authentication can be used to login to Turbo IPsec without a password.
This requires to configure one or more authorized-key
.
Generating a key pair¶
First, you need to generate a key pair on a remote machine.
user@my-laptop:~$ ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_ecdsa):
Enter passphrase (empty for no passphrase): ********
Enter same passphrase again: ********
Your identification has been saved in /home/user/.ssh/id_ecdsa.
Your public key has been saved in /home/user/.ssh/id_ecdsa.pub.
The key fingerprint is:
SHA256:UrMHdqPxmoeV8DNYRtL0Il5cWAFfzZn7PHy4j2enH5A robobuild@ubuntu1604es
The key's randomart image is:
+---[ECDSA 256]---+
| .o+++..oo|
| +o+ . oo|
| O O o .|
| + ^ + .. |
| . S O E.o.|
| . * o oo+|
| + . oo|
| . ..=|
| o*+|
+----[SHA256]-----+
Configuring an authorized-key
for CLI users¶
Copy the public key file contents into the configuration:
user@my-laptop:~$ cat ~/.ssh/id_ecdsa.pub
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH2hK42JHtTYU1XRw2Zu4xCriM7CIXBl19p1/1qkapobkS6yCnwauqTEveBw1GOjwuTADvqQVozBoaLbY3KGmsI= user@my-laptop
vrouter running user john# authorized-key "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH2hK42JHtTYU1XRw2Zu4xCriM7CIXBl19p1/1qkapobkS6yCnwauqTEveBw1GOjwuTADvqQVozBoaLbY3KGmsI= user@my-laptop"
vrouter running user john# commit
Configuration applied.
Warning
NEVER copy the private key contents. Only the PUBLIC key.
Configuring an authorized-key
for root
user¶
This is done from the Linux shell. Copy the public key file contents into the
/root/.ssh/authorized_keys
file:
user@my-laptop:~$ cat ~/.ssh/id_ecdsa.pub
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH2hK42JHtTYU1XRw2Zu4xCriM7CIXBl19p1/1qkapobkS6yCnwauqTEveBw1GOjwuTADvqQVozBoaLbY3KGmsI= user@my-laptop
root@vrouter:~# cat >> /root/.ssh/authorized_keys
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH2hK42JHtTYU1XRw2Zu4xCriM7CIXBl19p1/1qkapobkS6yCnwauqTEveBw1GOjwuTADvqQVozBoaLbY3KGmsI= user@my-laptop
<Ctrl+D>
root@vrouter:~# chmod 600 /root/.ssh/authorized_keys
Checking the connection¶
After which you may check that the remote authentication works without a password:
user@my-laptop:~$ ssh -i ~/.ssh/id_ecdsa john@vrouter
The authenticity of host 'vrouter (10.0.0.58)' can't be established.
ECDSA key fingerprint is SHA256:nNerPB16BKwHmcex5IVKS7YMVt4VuaVavH3LId7uI6Q.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'vrouter,10.0.0.58' (ECDSA) to the list of known hosts.
Enter passphrase for key '/home/user/.ssh/id_ecdsa': ********
Welcome to Turbo IPsec - 2.2
vrouter>
Note
If you did set a passphrase on your private key, you will need to enter it.
See also
The command reference for details.