Two user roles have been defined:
viewerfor use in operational mode where the configuration cannot be changed, only commands to troubleshoot or monitor are available. All users have this role by default.
adminfor use in configuration mode, with full access.
Two default users are created when booting the system for the first time:
viewer. Their default passwords are
admin account has the
admin role, which means that it has permissions
to edit the configuration and run privileged commands.
viewer acccount has the
viewer role, which means that it has
permissions to view the configuration but not to edit it and run standard
For obvious security reasons, you MUST change the passwords of these users.
You may even want to completely disable the default
users, by setting
vrouter running config# system auth default-users-enabled false vrouter running config# commit Configuration applied.
In this case, you must configure a user with the
admin role, else you will
lose access to the CLI.
To change the
admin user password, go in the
system auth user admin context:
vrouter running config# system auth user admin vrouter running user admin# password Enter value for password> ********** vrouter running user admin# commit Configuration applied.
For security reasons, the password is not stored in clear-text in the configuration. A hash is stored instead.
vrouter running user admin# show config user admin password $5$Ndx/QlMS5Anp7LTq$Lws2OmAm0SO.cBmPBGtdpwnfdAM4hDM4AdSO4ncXjS/
It is also possible to directly set the password as a hashed value. To
generate a hashed password on a Linux machine, use
mkpasswd, which is
provided in the
root@host:~# mkpasswd -m SHA-256 Password: ********** $5$Ndx/QlMS5Anp7LTq$Lws2OmAm0SO.cBmPBGtdpwnfdAM4hDM4AdSO4ncXjS/
To create a new user, go into the
config system auth context, and add a
new user with the following commands:
vrouter running user admin# .. vrouter running auth# user john vrouter running user john# role admin vrouter running user john# password Enter value for password> ********** vrouter running user john# commit Configuration applied.
Let’s display what has been sent to the NETCONF server:
vrouter running user john# show config xml absolute <config xmlns="urn:6wind:vrouter"> <system xmlns="urn:6wind:vrouter/system"> <auth xmlns="urn:6wind:vrouter/system/auth"> <user> <name>john</name> <role>admin</role> <password>$5$iqsVCbCmIYRF.Sht$lCwP.HDLxtTnzz33uXX7ZdTR6xdSdnUoabRMxHYXjI9</password> </user> </auth> </system> </config>
Now that the configuration is applied, let’s see the state of our user:
vrouter running user john# show state user john password $5$iqsVCbCmIYRF.Sht$lCwP.HDLxtTnzz33uXX7ZdTR6xdSdnUoabRMxHYXjI9 role admin ..
john has the
admin role. This means he can edit the configuration,
read protected nodes (such as passwords) and run privileged commands.