<?xml version="1.0"?> <interfaceDefinition> <node name="system"> <children> <node name="login" owner="${vyos_conf_scripts_dir}/system_login.py"> <properties> <help>System User Login Configuration</help> <priority>400</priority> </properties> <children> <tagNode name="user"> <properties> <help>Local user account information</help> <constraint> #include <include/constraint/login-username.xml.i> </constraint> <constraintErrorMessage>Username contains illegal characters or\nexceeds 100 character limitation.</constraintErrorMessage> </properties> <children> <node name="authentication"> <properties> <help>Authentication settings</help> </properties> <children> <leafNode name="encrypted-password"> <properties> <help>Encrypted password</help> <constraint> <regex>(\*|\!)</regex> <regex>[a-zA-Z0-9\.\/]{13}</regex> <regex>\$1\$[a-zA-Z0-9\./]*\$[a-zA-Z0-9\./]{22}</regex> <regex>\$5\$(rounds=[0-9]+\$)?[a-zA-Z0-9\./]*\$[a-zA-Z0-9\./]{43}</regex> <regex>\$6\$(rounds=[0-9]+\$)?[a-zA-Z0-9\./]*\$[a-zA-Z0-9\./]{86}</regex> </constraint> <constraintErrorMessage>Invalid encrypted password for $VAR(../../@).</constraintErrorMessage> </properties> <defaultValue>!</defaultValue> </leafNode> <node name="otp"> <properties> <help>One-Time-Pad (two-factor) authentication parameters</help> </properties> <children> <leafNode name="rate-limit"> <properties> <help>Limit number of logins (rate-limit) per rate-time</help> <valueHelp> <format>u32:1-10</format> <description>Number of attempts</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-10"/> </constraint> <constraintErrorMessage>Number of login attempts must me between 1 and 10</constraintErrorMessage> </properties> <defaultValue>3</defaultValue> </leafNode> <leafNode name="rate-time"> <properties> <help>Limit number of logins (rate-limit) per rate-time</help> <valueHelp> <format>u32:15-600</format> <description>Time interval</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 15-600"/> </constraint> <constraintErrorMessage>Rate limit time interval must be between 15 and 600 seconds</constraintErrorMessage> </properties> <defaultValue>30</defaultValue> </leafNode> <leafNode name="window-size"> <properties> <help>Set window of concurrently valid codes</help> <valueHelp> <format>u32:1-21</format> <description>Window size</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-21"/> </constraint> <constraintErrorMessage>Window of concurrently valid codes must be between 1 and 21</constraintErrorMessage> </properties> <defaultValue>3</defaultValue> </leafNode> <leafNode name="key"> <properties> <help>Key/secret the token algorithm (see RFC4226)</help> <valueHelp> <format>txt</format> <description>Base32 encoded key/token</description> </valueHelp> <constraint> <regex>[a-zA-Z2-7]{26,10000}</regex> </constraint> <constraintErrorMessage>Key must only include base32 characters and be at least 26 characters long</constraintErrorMessage> </properties> </leafNode> </children> </node> <leafNode name="plaintext-password"> <properties> <help>Plaintext password used for encryption</help> </properties> </leafNode> <tagNode name="public-keys"> <properties> <help>Remote access public keys</help> <valueHelp> <format>txt</format> <description>Key identifier used by ssh-keygen (usually of form user@host)</description> </valueHelp> </properties> <children> <leafNode name="key"> <properties> <help>Public key value (Base64 encoded)</help> <constraint> <validator name="base64"/> </constraint> </properties> </leafNode> <leafNode name="options"> <properties> <help>Optional public key options</help> </properties> </leafNode> <leafNode name="type"> <properties> <help>SSH public key type</help> <completionHelp> <list>ssh-dss ssh-rsa ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-ed25519 sk-ecdsa-sha2-nistp256@openssh.com sk-ssh-ed25519@openssh.com</list> </completionHelp> <valueHelp> <format>ssh-dss</format> <description>Digital Signature Algorithm (DSA) key support</description> </valueHelp> <valueHelp> <format>ssh-rsa</format> <description>Key pair based on RSA algorithm</description> </valueHelp> <valueHelp> <format>ecdsa-sha2-nistp256</format> <description>Elliptic Curve DSA with NIST P-256 curve</description> </valueHelp> <valueHelp> <format>ecdsa-sha2-nistp384</format> <description>Elliptic Curve DSA with NIST P-384 curve</description> </valueHelp> <valueHelp> <format>ecdsa-sha2-nistp521</format> <description>Elliptic Curve DSA with NIST P-521 curve</description> </valueHelp> <valueHelp> <format>ssh-ed25519</format> <description>Edwards-curve DSA with elliptic curve 25519</description> </valueHelp> <valueHelp> <format>sk-ecdsa-sha2-nistp256@openssh.com</format> <description>Elliptic Curve DSA security key</description> </valueHelp> <valueHelp> <format>sk-ssh-ed25519@openssh.com</format> <description>Elliptic curve 25519 security key</description> </valueHelp> <constraint> <regex>(ssh-dss|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|ssh-ed25519|sk-ecdsa-sha2-nistp256@openssh.com|sk-ssh-ed25519@openssh.com)</regex> </constraint> </properties> </leafNode> </children> </tagNode> </children> </node> #include <include/generic-disable-node.xml.i> <leafNode name="full-name"> <properties> <help>Full name of the user (use quotes for names with spaces)</help> <constraint> <regex>[^:]*</regex> </constraint> <constraintErrorMessage>Cannot use ':' in full name</constraintErrorMessage> </properties> </leafNode> <leafNode name="home-directory"> <properties> <help>Home directory</help> <valueHelp> <format>txt</format> <description>Path to home directory</description> </valueHelp> <constraint> <regex>\/$|(\/[a-zA-Z_0-9-.]+)+</regex> </constraint> </properties> </leafNode> </children> </tagNode> #include <include/radius-server-ipv4-ipv6.xml.i> <node name="radius"> <children> <tagNode name="server"> <children> #include <include/radius-timeout.xml.i> <leafNode name="priority"> <properties> <help>Server priority</help> <valueHelp> <format>u32:1-255</format> <description>Server priority</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-255"/> </constraint> </properties> <defaultValue>255</defaultValue> </leafNode> </children> </tagNode> #include <include/interface/vrf.xml.i> </children> </node> <node name="tacacs"> <properties> <help>TACACS+ based user authentication</help> </properties> <children> <tagNode name="server"> <properties> <help>TACACS+ server configuration</help> <valueHelp> <format>ipv4</format> <description>TACACS+ server IPv4 address</description> </valueHelp> <constraint> <validator name="ipv4-address"/> </constraint> </properties> <children> #include <include/generic-disable-node.xml.i> #include <include/radius-server-key.xml.i> #include <include/port-number.xml.i> <leafNode name="port"> <defaultValue>49</defaultValue> </leafNode> </children> </tagNode> <leafNode name="security-mode"> <properties> <help>Security mode for TACACS+ authentication</help> <completionHelp> <list>mandatory optional</list> </completionHelp> <valueHelp> <format>mandatory</format> <description>Deny access immediately if TACACS+ answers with REJECT</description> </valueHelp> <valueHelp> <format>optional</format> <description>Pass to the next authentication method if TACACS+ answers with REJECT</description> </valueHelp> <constraint> <regex>(mandatory|optional)</regex> </constraint> </properties> <defaultValue>optional</defaultValue> </leafNode> #include <include/source-address-ipv4.xml.i> #include <include/radius-timeout.xml.i> #include <include/interface/vrf.xml.i> </children> </node> <leafNode name="max-login-session"> <properties> <help>Maximum number of all login sessions</help> <valueHelp> <format>u32:1-65536</format> <description>Maximum number of all login sessions</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-65536"/> </constraint> <constraintErrorMessage>Maximum logins must be between 1 and 65536</constraintErrorMessage> </properties> </leafNode> <leafNode name="timeout"> <properties> <help>Session timeout</help> <valueHelp> <format>u32:5-604800</format> <description>Session timeout in seconds</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 5-604800"/> </constraint> <constraintErrorMessage>Timeout must be between 5 and 604800 seconds</constraintErrorMessage> </properties> </leafNode> </children> </node> </children> </node> </interfaceDefinition>