From 925dc9d5e64a881825653ddd5df13e2672792947 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Fri, 20 Dec 2019 17:22:26 +0100 Subject: user-management: use documented section style guide --- docs/system/basic-index.rst | 2 +- docs/system/login-users.rst | 128 --------------------------------------- docs/system/user-management.rst | 129 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 130 insertions(+), 129 deletions(-) delete mode 100644 docs/system/login-users.rst create mode 100644 docs/system/user-management.rst (limited to 'docs') diff --git a/docs/system/basic-index.rst b/docs/system/basic-index.rst index 82ce98e9..9e559dba 100644 --- a/docs/system/basic-index.rst +++ b/docs/system/basic-index.rst @@ -8,5 +8,5 @@ System Configuration :maxdepth: 2 host-information - login-users + user-management time-zone diff --git a/docs/system/login-users.rst b/docs/system/login-users.rst deleted file mode 100644 index 424d1978..00000000 --- a/docs/system/login-users.rst +++ /dev/null 
@@ -1,128 +0,0 @@ -.. _systemusers: - -Login ------ - -The default VyOS user account (`vyos`), as well as newly created user accounts, -have all capabilities to configure the system. All accounts have sudo capabilities -and therefore can operate as root on the system. Setting the level to admin is -optional, all accounts on the system will have admin privileges. - -Both local administered and remote administered RADIUS (Remote Authentication -Dial-In User Service) accounts are supported. - -Local -^^^^^ - -Create user account `jsmith` and the password `mypassword`. - -.. code-block:: none - - set system login user jsmith full-name "Johan Smith" - set system login user jsmith authentication plaintext-password mypassword - -The command: - -.. code-block:: none - - show system login - -will show the contents of :code:`system login` configuration node: - -.. code-block:: none - - user jsmith { - authentication { - encrypted-password $6$0OQH[...]vViOFPBoFxIi.iqjqrvsQdQ./cfiiPT. - plaintext-password "" - } - full-name "Johan Smith" - level admin - } - -SSH with Public Keys -******************** - -The following command will load the public key `dev.pub` for user `jsmith` - -.. code-block:: none - - loadkey jsmith dev.pub - -.. note:: This requires uploading the `dev.pub` public key to the VyOS router - first. As an alternative you can also load the SSH public key directly - from a remote system: - -.. code-block:: none - - loadkey jsmith scp://devuser@dev001.vyos.net/home/devuser/.ssh/dev.pub - -In addition SSH public keys can be fully added using the CLI. Each key can be -given a unique identifier, `calypso` is used oin the example below to id an SSH -key. - -.. code-block:: none - - set system login user jsmith authentication public-keys callisto key 'AAAABo..Q==' - set system login user jsmith authentication public-keys callisto type 'ssh-rsa' - -RADIUS -^^^^^^ - -VyOS supports using one or more RADIUS servers as backend for user authentication. 
- -The following command sets up two servers for RADIUS authentication, one with a -discrete timeout of `5` seconds and a discrete port of `1812` and the other using -a default timeout and port. - -.. code-block:: none - - set system login radius server 192.168.1.2 secret 's3cr3t0815' - set system login radius server 192.168.1.2 timeout '5' - set system login radius server 192.168.1.2 port '1812' - set system login radius server 192.168.1.3 secret 's3cr3t0816' - -This configuration results in: - -.. code-block:: none - - show system login - radius { - server 192.168.1.2 { - secret s3cr3t0815 - timeout 5 - port 1812 - } - server 192.168.1.3 { - secret s3cr3t0816 - } - } - -.. note:: If you wan't to have admin users to authenticate via RADIUS it is - essential to sent the ``Cisco-AV-Pair shell:priv-lvl=15`` attribute. Without - the attribute you will only get regular, non privilegued, system users. - -Source Address -************** - -RADIUS servers could be hardened by only allowing certain IP addresses to connect. -As of this the source address of each RADIUS query can be configured. If this is -not set incoming connections to the RADIUS server will use the nearest interface -address pointing towards the RADIUS server - making it error prone on e.g. OSPF -networks when a link fails. - -.. code-block:: none - - set system login radius source-address 192.168.1.254 - -Login Banner -^^^^^^^^^^^^ - -You are able to set post-login or pre-login messages with the following lines: - -.. code-block:: none - - set system login banner pre-login "UNAUTHORIZED USE OF THIS SYSTEM IS PROHIBITED\n" - set system login banner post-login "Welcome to VyOS" - -**\\n** create a newline. diff --git a/docs/system/user-management.rst b/docs/system/user-management.rst new file mode 100644 index 00000000..5c5e46f2 --- /dev/null +++ b/docs/system/user-management.rst 
@@ -0,0 +1,129 @@ +.. _user_management: + +############### +User Management +############### + +The default VyOS user account (`vyos`), as well as newly created user accounts, +have all capabilities to configure the system. All accounts have sudo +capabilities and therefore can operate as root on the system. Setting the level +to `admin` is optional, all accounts on the system will have admin privileges. + +Both local administered and remote administered RADIUS (Remote Authentication +Dial-In User Service) accounts are supported. + +Local +===== + +Create user account `jsmith` and the password `mypassword`. + +.. code-block:: none + + set system login user jsmith full-name "Johan Smith" + set system login user jsmith authentication plaintext-password mypassword + +The command: + +.. code-block:: none + + show system login + +will show the contents of :code:`system login` configuration node: + +.. code-block:: none + + user jsmith { + authentication { + encrypted-password $6$0OQH[...]vViOFPBoFxIi.iqjqrvsQdQ./cfiiPT. + plaintext-password "" + } + full-name "Johan Smith" + level admin + } + +SSH with Public Keys +-------------------- + +The following command will load the public key `dev.pub` for user `jsmith` + +.. code-block:: none + + loadkey jsmith dev.pub + +.. note:: This requires uploading the `dev.pub` public key to the VyOS router + first. As an alternative you can also load the SSH public key directly + from a remote system: + +.. code-block:: none + + loadkey jsmith scp://devuser@dev001.vyos.net/home/devuser/.ssh/dev.pub + +In addition SSH public keys can be fully added using the CLI. Each key can be +given a unique identifier, `calypso` is used oin the example below to id an SSH +key. + +.. 
code-block:: none + + set system login user jsmith authentication public-keys callisto key 'AAAABo..Q==' + set system login user jsmith authentication public-keys callisto type 'ssh-rsa' + +RADIUS +====== + +VyOS supports using one or more RADIUS servers as backend for user authentication. + +The following command sets up two servers for RADIUS authentication, one with a +discrete timeout of `5` seconds and a discrete port of `1812` and the other using +a default timeout and port. + +.. code-block:: none + + set system login radius server 192.168.1.2 secret 's3cr3t0815' + set system login radius server 192.168.1.2 timeout '5' + set system login radius server 192.168.1.2 port '1812' + set system login radius server 192.168.1.3 secret 's3cr3t0816' + +This configuration results in: + +.. code-block:: none + + show system login + radius { + server 192.168.1.2 { + secret s3cr3t0815 + timeout 5 + port 1812 + } + server 192.168.1.3 { + secret s3cr3t0816 + } + } + +.. note:: If you wan't to have admin users to authenticate via RADIUS it is + essential to sent the ``Cisco-AV-Pair shell:priv-lvl=15`` attribute. Without + the attribute you will only get regular, non privilegued, system users. + +Source Address +-------------- + +RADIUS servers could be hardened by only allowing certain IP addresses to connect. +As of this the source address of each RADIUS query can be configured. If this is +not set incoming connections to the RADIUS server will use the nearest interface +address pointing towards the RADIUS server - making it error prone on e.g. OSPF +networks when a link fails. + +.. code-block:: none + + set system login radius source-address 192.168.1.254 + +Login Banner +============ + +You are able to set post-login or pre-login messages with the following lines: + +.. code-block:: none + + set system login banner pre-login "UNAUTHORIZED USE OF THIS SYSTEM IS PROHIBITED\n" + set system login banner post-login "Welcome to VyOS" + +**\\n** create a newline. -- cgit v1.2.3
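Review bot: the toctree change in `docs/system/basic-index.rst` correctly swaps `login-users` for `user-management`, but the rename also replaces the reStructuredText label `.. _systemusers:` with `.. _user_management:`, and nothing in this diff updates the other side of that reference; any page still using `:ref:`systemusers`` will now produce an undefined-label warning at build time, so grep the docs tree for `systemusers` before merging or keep the old label on the new file as an alias.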
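Review bot: the deletion of `docs/system/login-users.rst` is really one half of a move, since the new `user-management.rst` reproduces the same 128 lines with only the heading underlines changed (`-----`/`^^^^^`/`*****` becoming `###`/`===`/`---`); git did not pair the two, so the patch shows 129 deletions against 130 insertions and the actual change is hard to see. Regenerating the patch with rename detection (`-M`) or committing the move and the heading restyle separately would make review of the content diff trivial.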
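Review bot: since `docs/system/user-management.rst` is being rewritten anyway, the text defects copied over from the old file should be fixed in the same hunk rather than carried forward: the prose in the "SSH with Public Keys" section names the key identifier `calypso` while both `set system login user jsmith authentication public-keys callisto ...` commands use `callisto`, which will confuse a reader copying the example; "oin the example" should read "in the example"; in the RADIUS note "If you wan't to have admin users" should be "If you want admin users", "essential to sent" should be "essential to send", and "non privilegued" should be "non-privileged"; "**\\n** create a newline" should be "creates". On the security side, the `show system login` output reproduced in the RADIUS section shows the shared secrets `s3cr3t0815` and `s3cr3t0816` in clear text, so a sentence warning that this command reveals RADIUS secrets (unlike user passwords, which the earlier output shows stored only as `encrypted-password` with `plaintext-password ""`) would help operators who paste `show` output into tickets.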