From 4872481ebca1a455339a6c1251c36b2f4938901d Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Fri, 20 Dec 2019 17:55:09 +0100 Subject: user-management: migrate to new clicmd syntax --- docs/system/user-management.rst | 176 ++++++++++++++++++++++++---------------- 1 file changed, 104 insertions(+), 72 deletions(-) (limited to 'docs/system/user-management.rst') diff --git a/docs/system/user-management.rst b/docs/system/user-management.rst index 5c5e46f2..b2dd3d08 100644 --- a/docs/system/user-management.rst +++ b/docs/system/user-management.rst @@ -9,121 +9,153 @@ have all capabilities to configure the system. All accounts have sudo capabilities and therefore can operate as root on the system. Setting the level to `admin` is optional, all accounts on the system will have admin privileges. -Both local administered and remote administered RADIUS (Remote Authentication -Dial-In User Service) accounts are supported. +Both local administered and remote administered :abbr:`RADIUS (Remote +Authentication Dial-In User Service)` accounts are supported. Local ===== -Create user account `jsmith` and the password `mypassword`. +.. cfgcmd:: set system login user '' full-name "" -.. code-block:: none + Create new system user with username `` and real-name specified by + ``. - set system login user jsmith full-name "Johan Smith" - set system login user jsmith authentication plaintext-password mypassword +.. cfgcmd:: set system login user '' authentication plaintext-password '' -The command: + Specify the plaintext password user by user `` on this system. The + plaintext password will be automatically transferred into a secure hashed + password and not saved anywhere in plaintext. -.. code-block:: none +.. cfgcmd:: set system login user '' authentication encrypted-password '' - show system login + Setup encrypted password for given username. This is usefull for + transferring a hashed password from system to system. -will show the contents of :code:`system login` configuration node: +.. cfgcmd:: set system login user '' group '' -.. code-block:: none + Specify additional group membership for given username ``. - user jsmith { - authentication { - encrypted-password $6$0OQH[...]vViOFPBoFxIi.iqjqrvsQdQ./cfiiPT. - plaintext-password "" - } - full-name "Johan Smith" - level admin - } +.. _ssh_key_based_authentication: -SSH with Public Keys --------------------- +Key Based Authentication +------------------------ -The following command will load the public key `dev.pub` for user `jsmith` +It is highly recommended to use SSH key authentication. By default there is +only one user (``vyos``), and you can assign any number of keys to that user. +You can generate a ssh key with the ``ssh-keygen`` command on your local +machine, which will (by default) save it as ``~/.ssh/id_rsa.pub``. -.. code-block:: none +Every SSH key comes in three parts: - loadkey jsmith dev.pub +``ssh-rsa AAAAB3NzaC1yc2EAAAABAA...VBD5lKwEWB username@host.example.com`` -.. note:: This requires uploading the `dev.pub` public key to the VyOS router - first. As an alternative you can also load the SSH public key directly - from a remote system: +Only the type (``ssh-rsa``) and the key (``AAAB3N...``) are used. Note that the +key will usually be several hundred characters long, and you will need to copy +and paste it. Some terminal emulators may accidentally split this over several +lines. Be attentive when you paste it that it only pastes as a single line. +The third part is simply an identifier, and is for your own reference. -.. code-block:: none +.. cfgcmd:: set system login user '' authentication public-keys '' key '' + + Assign the SSH public key portion `` identified by per-key + `` to the local user ``. + +.. cfgcmd:: set system login user '' authentication public-keys '' type '' + + Every SSH public key portion referenced by `` requires the + configuration of the `` of public-key used. This type can be any of: + + * ``ecdsa-sha2-nistp256`` + * ``ecdsa-sha2-nistp384`` + * ``ecdsa-sha2-nistp521`` + * ``ssh-dss`` + * ``ssh-ed25519`` + * ``ssh-rsa`` + + .. note:: You can assign multiple keys to the same user by using a unique + identifier per SSH key. + +.. cfgcmd:: loadkey '' '' - loadkey jsmith scp://devuser@dev001.vyos.net/home/devuser/.ssh/dev.pub + SSH keys can not only be specified on the command-line but also loaded for + a given user with `` from a file pointed to by `.` Keys + can be either loaded from local filesystem or any given remote location + using one of the following :abbr:`URIs (Uniform Resource Identifier)`: -In addition SSH public keys can be fully added using the CLI. Each key can be -given a unique identifier, `calypso` is used oin the example below to id an SSH -key. + * ```` - Load from file on local filesystem path + * ``scp://@/`` - Load via SCP from remote machine + * ``sftp://@/`` - Load via SFTP from remote machine + * ``ftp://@/`` - Load via FTP from remote machine + * ``http:///`` - Load via HTTP from remote machine + * ``tftp:///`` - Load via TFTP from remote machine + +Example +------- + +In the following example, both `User1` and `User2` will be able to SSH into +VyOS as user ``vyos`` using their very own keys. .. code-block:: none - set system login user jsmith authentication public-keys callisto key 'AAAABo..Q==' - set system login user jsmith authentication public-keys callisto type 'ssh-rsa' + set system login user vyos authentication public-keys 'User1' key "AAAAB3Nz...KwEW" + set system login user vyos authentication public-keys 'User1' type ssh-rsa + set system login user vyos authentication public-keys 'User2' key "AAAAQ39x...fbV3" + set system login user vyos authentication public-keys 'User2' type ssh-rsa + RADIUS ====== -VyOS supports using one or more RADIUS servers as backend for user authentication. +In large deployments it is not reasonable to configure each user individually +on every system. VyOS supports using :abbr:`RADIUS (Remote Authentication +Dial-In User Service)` servers as backend for user authentication. -The following command sets up two servers for RADIUS authentication, one with a -discrete timeout of `5` seconds and a discrete port of `1812` and the other using -a default timeout and port. +Configuration +------------- -.. code-block:: none +.. cfgcmd:: set system login radius server '
' secret '' - set system login radius server 192.168.1.2 secret 's3cr3t0815' - set system login radius server 192.168.1.2 timeout '5' - set system login radius server 192.168.1.2 port '1812' - set system login radius server 192.168.1.3 secret 's3cr3t0816' + Specify the `
` of the RADIUS server user with the pre-shared-secret + given in ``. Multiple servers can be specified. -This configuration results in: +.. cfgcmd:: set system login radius server '
' port '' -.. code-block:: none + Configure the discrete port under which the RADIUS server can be reached. + This defaults to 1812. + +.. cfgcmd:: set system login radius server '
' timeout '' - show system login - radius { - server 192.168.1.2 { - secret s3cr3t0815 - timeout 5 - port 1812 - } - server 192.168.1.3 { - secret s3cr3t0816 - } - } - -.. note:: If you wan't to have admin users to authenticate via RADIUS it is + Setup the `` in seconds when querying the RADIUS server. + +.. hint:: If you wan't to have admin users to authenticate via RADIUS it is essential to sent the ``Cisco-AV-Pair shell:priv-lvl=15`` attribute. Without the attribute you will only get regular, non privilegued, system users. -Source Address --------------- -RADIUS servers could be hardened by only allowing certain IP addresses to connect. -As of this the source address of each RADIUS query can be configured. If this is -not set incoming connections to the RADIUS server will use the nearest interface -address pointing towards the RADIUS server - making it error prone on e.g. OSPF -networks when a link fails. +.. cfgcmd:: set system login radius source-address '
' -.. code-block:: none + RADIUS servers could be hardened by only allowing certain IP addresses to + connect. As of this the source address of each RADIUS query can be + configured. If this is not set, incoming connections to the RADIUS server + will use the nearest interface address pointing towards the server - making + it error prone on e.g. OSPF networks when a link fails and a backup route is + taken. - set system login radius source-address 192.168.1.254 Login Banner ============ -You are able to set post-login or pre-login messages with the following lines: +You are able to set post-login or pre-login banner messages to display certain +information for this system. -.. code-block:: none +.. cfgcmd:: set system login banner pre-login '' + + Configure `` which is shown during SSH connect and before a user is + logged in. + +.. cfgcmd:: set system login banner post-login '' - set system login banner pre-login "UNAUTHORIZED USE OF THIS SYSTEM IS PROHIBITED\n" - set system login banner post-login "Welcome to VyOS" + Configure `` which is shown after user has logged in to the system. -**\\n** create a newline. +.. note:: To create a new line in your login message you need to escape the new + line character by using ``\\n``. -- cgit v1.2.3