author | Christian Poessinger <christian@poessinger.com> | 2019-04-18 22:51:02 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2019-04-18 22:51:02 +0200 |
commit | 90ad76c282f0bc57381a226f515d1aa0e4307185 (patch) | |
tree | 5e3dfb6af1e50e9526492325fb2635733f31c3e8 /docs/system/system-users.rst | |
parent | 6d82b0e7a8b283f35dda6641b889b6d84fe15cfd (diff) | |
Login: add RADIUS system login chapter
Diffstat (limited to 'docs/system/system-users.rst')
-rw-r--r-- | docs/system/system-users.rst | 87 |
1 files changed, 87 insertions, 0 deletions
diff --git a/docs/system/system-users.rst b/docs/system/system-users.rst new file mode 100644 index 00000000..338b8b86 --- /dev/null +++ b/docs/system/system-users.rst 
@@ -0,0 +1,87 @@ +.. _systemusers: + +System Users +------------ + +The default vyos user account, as well as newly created user accounts, have all +capabilities to configure the system. All accounts have sudo capabilities and +therefore can operate as root on the system. Setting the level to admin is +optional, all accounts on the system will have admin privileges. + + +Creating Login User Accounts +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Create user account `jsmith` and the password `mypassword`. + +.. code-block:: sh + + set system login user jsmith full-name "Johan Smith" + set system login user jsmith authentication plaintext-password mypassword + +The command: + +.. code-block:: sh + + show system login + +will show the contents of :code:`system login` configuration node: + +.. code-block:: sh + + user jsmith { + authentication { + encrypted-password $6$0OQHjuQ8M$AYXVn7jufdfqPrSk4/XXsDBw99JBtNsETkQKDgVLptXogHA2bU9BWlvViOFPBoFxIi.iqjqrvsQdQ./cfiiPT. + plaintext-password "" + } + full-name "Johan Smith" + level admin + } + +SSH Access using Shared Public Keys +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The following command will load the public key `dev.pub` for user `jsmith` + +.. code-block:: sh + + loadkey jsmith dev.pub + +.. note:: This requires uploading the `dev.pub` public key to the VyOS router + first. As an alternative you can also load the SSH public key directly + from a remote system: + +.. code-block:: sh + + loadkey jsmith scp://devuser@dev001.vyos.net/home/devuser/.ssh/dev.pub + +RADIUS authentication backend +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +VyOS supports using one or more RADIUS servers as backend for user authentication. + +The following command sets up two servers for RADIUS authentication, one with a +discrete timeout of `5` seconds and a discrete port of `1812` and the other using +a default timeout and port. + +.. 
code-block:: sh + + set system login radius server 192.168.1.2 secret 's3cr3t0815' + set system login radius server 192.168.1.2 timeout '5' + set system login radius server 192.168.1.2 port '1812' + set system login radius server 192.168.1.3 secret 's3cr3t0816' + +This configuration results in: + +.. code-block:: sh + + show system login radius + server 192.168.1.2 { + secret s3cr3t0815 + timeout 5 + port 1812 + } + server 192.168.1.3 { + secret s3cr3t0816 + } + |
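Review bot: The RADIUS section at the end of this hunk never says what privilege level a RADIUS-authenticated user receives, or whether local accounts remain usable when both configured servers time out. This matters because the opening paragraph states that all accounts have sudo and admin privileges, so please add a sentence covering both. The sample `show system login radius` output prints `secret s3cr3t0815` in clear text, so a short note that the shared secret is readable by anyone who can view the configuration would be useful. Smaller points: "discrete timeout" and "discrete port" probably mean "explicit" or "dedicated"; the `.. note::` after the first loadkey example ends in a colon, but the code-block that follows is not indented under it and will render outside the note; and "Setting the level to admin is optional, all accounts ..." is a comma splice that reads better as two sentences.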