author: Robert Göhler <github@ghlr.de>, 2021-01-24 22:14:00 +0100
committer: GitHub <noreply@github.com>, 2021-01-24 22:14:00 +0100
commit: c25c40dfa96dfeb022b203280c607c1f1835417b
tree: ed05f81d48c65639e621ee3a067f435cb204ea9e /docs/system/login-users.rst
parent: ce9f2016218f0c162bd48457a41a18db15e52749
Migrate new file structure to crux (#435)

* order workflows and add submodule
* rename gitmodules file
* delete docs/.gitignore
* add vyos custom linter
* correct __pycache__ in gitignore
* add test-coverage.py
* move draw.io folder
* arrange changelog, install history and about
* arrange: firewall
* arrange: highavailability
* arrange: loadbalancing
* arrange: nat
* arrange: services
* sort configexamples and configuration interfaces
* wireles: rename wireless
* rearrange: Protocols and Policy
* rearrange: Firewall and Zone Policy
* rearrange: Interfaces
* rearrange: Interfaces
* rearrange: dynamic DNS
* hostinfo: add page to index
* rearrange: appendix
* venv: add Pipfile
* rearrange: contributing
* index: remove debugging
* rearrange: fix all figure and refs
* rearrange: commandtree
* fix: cli, openvpn, install headline level
* protocols: change headline
* firewall: move mss clamping
* ip: separate ipv4 and ipv6
* arp: move to static page
* igmp: rename multicast page
* Update to year 2021

Diffstat (limited to 'docs/system/login-users.rst')
-rw-r--r-- docs/system/login-users.rst | 129
1 files changed, 0 insertions, 129 deletions
diff --git a/docs/system/login-users.rst b/docs/system/login-users.rst
deleted file mode 100644
index c34e41a0..00000000
--- a/docs/system/login-users.rst
+++ /dev/null
@@ -1,129 +0,0 @@
-.. _systemusers:
-
-Login
------
-
-The default VyOS user account (`vyos`), as well as newly created user accounts,
-have all capabilities to configure the system. All accounts have sudo capabilities
-and therefore can operate as root on the system. Setting the level to admin is
-optional, all accounts on the system will have admin privileges.
-
-Both local administered and remote administered RADIUS (Remote Authentication
-Dial-In User Service) accounts are supported.
-
-Local
-^^^^^
-
-Create user account `jsmith` and the password `mypassword`.
-
-.. code-block:: none
-
- set system login user jsmith full-name "Johan Smith"
- set system login user jsmith authentication plaintext-password mypassword
-
-The command:
-
-.. code-block:: none
-
- show system login
-
-will show the contents of :code:`system login` configuration node:
-
-.. code-block:: none
-
- user jsmith {
- authentication {
- encrypted-password $6$0OQHjuQ8M$AYXVn7jufdfqPrSk4/XXsDBw99JBtNsETkQKDgVLptXogHA2bU9BWlvViOFPBoFxIi.iqjqrvsQdQ./cfiiPT.
- plaintext-password ""
- }
- full-name "Johan Smith"
- level admin
- }
-
-SSH with Public Keys
-********************
-
-The following command will load the public key `dev.pub` for user `jsmith`
-
-.. code-block:: none
-
- loadkey jsmith dev.pub
-
-.. note:: This requires uploading the `dev.pub` public key to the VyOS router
- first. As an alternative you can also load the SSH public key directly
- from a remote system:
-
-.. code-block:: none
-
- loadkey jsmith scp://devuser@dev001.vyos.net/home/devuser/.ssh/dev.pub
-
-In addition SSH public keys can be fully added using the CLI. Each key can be
-given a unique identifier, `calypso` is used oin the example below to id an SSH
-key.
-
-.. code-block:: none
-
- set system login user jsmith authentication public-keys callisto key 'AAAAB3Hso...Q=='
- set system login user jsmith authentication public-keys callisto type 'ssh-rsa'
-
-RADIUS
-^^^^^^
-
-VyOS supports using one or more RADIUS servers as backend for user authentication.
-
-The following command sets up two servers for RADIUS authentication, one with a
-discrete timeout of `5` seconds and a discrete port of `1812` and the other using
-a default timeout and port.
-
-.. code-block:: none
-
- set system login radius-server 192.168.1.2 secret 's3cr3t0815'
- set system login radius-server 192.168.1.2 timeout '5'
- set system login radius-server 192.168.1.2 port '1812'
- set system login radius-server 192.168.1.3 secret 's3cr3t0816'
-
-This configuration results in:
-
-.. code-block:: none
-
- show system login
- radius-server 192.168.1.2 {
- secret s3cr3t0815
- timeout 5
- port 1812
- }
- radius-server 192.168.1.3 {
- secret s3cr3t0816
- }
-
-.. note:: If you wan't to have admin users to authenticate via RADIUS it is
- essential to sent the ``Cisco-AV-Pair shell:priv-lvl=15`` attribute. Without
- the attribute you will only get regular, non privilegued, system users.
-
-Source Address
-**************
-
-RADIUS servers could be hardened by only allowing certain IP addresses to connect.
-As of this the source address of each RADIUS query can be configured. If this is
-not set incoming connections to the RADIUS server will use the nearest interface
-address pointing towards the RADIUS server - making it error prone on e.g. OSPF
-networks when a link fails.
-
-.. code-block:: none
-
- set system login radius-source-address 192.168.1.254
-
-Login Banner
-^^^^^^^^^^^^
-
-You are able to set post-login or pre-login messages with the following lines:
-
-.. code-block:: none
-
- set system login banner pre-login "UNAUTHORIZED USE OF THIS SYSTEM IS PROHIBITED\n"
- set system login banner post-login "Welcome to VyOS"
-
-the **\\n** create a newline.
-
-
-
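Review bot: The "SSH with Public Keys" paragraph in this removed page names the key identifier `calypso`, but both `set system login user jsmith authentication public-keys` lines that follow use `callisto`; wherever this content lands in the new structure, the two should agree, and the typos in the same page ("oin", "wan't", "privilegued") should be fixed rather than carried over. This view is limited to docs/system/login-users.rst, so the destination file is not visible here: please confirm it keeps the `.. _systemusers:` label so existing references still resolve, and that the statement that all accounts have sudo and admin privileges and the RADIUS note about ``Cisco-AV-Pair shell:priv-lvl=15`` survive the move, since those are the parts an operator relies on when deciding who gets an account.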