User Management¶
The default VyOS user account (vyos), as well as any newly created user account, has full rights to configure the system. All accounts have sudo capabilities and can therefore operate as root on the system.
Both locally administered accounts and remotely administered RADIUS accounts are supported.
Local¶
Key Based Authentication¶
It is highly recommended to use SSH key authentication. By default there is only one user (vyos), and you can assign any number of keys to that user. You can generate an SSH key pair with the ssh-keygen command on your local machine; for an RSA key it saves the public half (by default) as ~/.ssh/id_rsa.pub.
Every SSH public key line comes in three parts:
ssh-rsa AAAAB3NzaC1yc2EAAAABAA...VBD5lKwEWB username@host.example.com
Only the type (ssh-rsa) and the key (AAAAB3N...) are used by VyOS. Note that the key body is usually several hundred characters long, and you will need to copy and paste it. Some terminal emulators may accidentally split it over several lines; check when you paste it that it arrives as a single line, because a key broken across lines will not authenticate. The third part is simply a comment identifying the key, and is for your own reference.
Every SSH public key referenced by <identifier> requires the configuration of the <type> of public key used. This type can be any of:
- ecdsa-sha2-nistp256
- ecdsa-sha2-nistp384
- ecdsa-sha2-nistp521
- ssh-dss
- ssh-ed25519
- ssh-rsa
Note
You can assign multiple keys to the same user by using a unique identifier per SSH key.
SSH keys can not only be specified on the command line but also loaded for a given user <username> from a file pointed to by <location>. Keys can be loaded either from the local filesystem or from a remote location using one of the following URIs:
- <file> - Load from a file on the local filesystem path
- scp://<user>@<host>:/<file> - Load via SCP from a remote machine
- sftp://<user>@<host>/<file> - Load via SFTP from a remote machine
- ftp://<user>@<host>/<file> - Load via FTP from a remote machine
- http://<host>/<file> - Load via HTTP from a remote machine
- tftp://<host>/<file> - Load via TFTP from a remote machine
Example¶
In the following example, both User1 and User2 will be able to SSH into VyOS as user vyos using their own keys.
set system login user vyos authentication public-keys 'User1' key "AAAAB3Nz...KwEW"
set system login user vyos authentication public-keys 'User1' type ssh-rsa
set system login user vyos authentication public-keys 'User2' key "AAAAQ39x...fbV3"
set system login user vyos authentication public-keys 'User2' type ssh-rsa
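The steps above (split the public-key line into type, key and comment; keep only type and key; make sure the key is one unbroken line; use a type VyOS accepts) are easy to get wrong by hand. The following POSIX shell helper is an added example, not code from the VyOS documentation or project: it takes an OpenSSH public-key line and prints the two set commands shown above, refusing keys that were pasted across several lines, that contain non-base64 characters, or whose type is not in the list VyOS accepts. The user name vyos, the identifiers, and the sample key bodies are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example (not from the VyOS docs): turn one OpenSSH public-key line into
# the VyOS "set system login user ... authentication public-keys" commands.

# Key types VyOS accepts for the "type" leaf (the list from the documentation).
ALLOWED_TYPES="ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-dss ssh-ed25519 ssh-rsa"

# A literal newline, for detecting a key that a terminal paste has split.
NL=$(printf '\nx'); NL=${NL%x}

# vyos_key_cmds USER IDENTIFIER PUBKEY_LINE
# Prints the two "set" commands on stdout; on a bad key prints an error on
# stderr and returns 1. The key comment (third field) is deliberately dropped.
vyos_key_cmds() {
    user=$1; ident=$2; line=$3

    case $line in
        *"$NL"*) echo "error: key spans several lines, paste it as a single line" >&2; return 1 ;;
    esac

    set -f                    # no pathname expansion while word-splitting
    set -- $line              # $1=type $2=key $3...=comment
    set +f
    type=$1; key=$2
    [ -n "$key" ] || { echo "error: expected '<type> <key> [comment]'" >&2; return 1; }

    ok=0
    for t in $ALLOWED_TYPES; do [ "$t" = "$type" ] && ok=1; done
    [ $ok -eq 1 ] || { echo "error: unsupported key type '$type'" >&2; return 1; }

    # A partial paste often drags in prompts or whitespace; the body must be pure base64.
    case $key in
        *[!A-Za-z0-9+/=]*) echo "error: key body is not base64" >&2; return 1 ;;
    esac

    printf "set system login user %s authentication public-keys '%s' key \"%s\"\n" "$user" "$ident" "$key"
    printf "set system login user %s authentication public-keys '%s' type %s\n" "$user" "$ident" "$type"
}

# vyos_key_cmds_from_file USER IDENTIFIER FILE
# Same, reading the key line from a file such as ~/.ssh/id_ed25519.pub.
vyos_key_cmds_from_file() {
    vyos_key_cmds "$1" "$2" "$(cat "$3")"
}

# Constructed sample key lines (placeholder bodies, not real keys).
SAMPLE_ED25519='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBodyOnly00000000000000000000 user1@host.example.com'
SAMPLE_RSA='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleRsaBodyOnly0000000000000000000 user2@host.example.com'

# Stand-alone demo: emit commands for both sample keys.
vyos_key_cmds vyos User1 "$SAMPLE_ED25519"
vyos_key_cmds vyos User2 "$SAMPLE_RSA"
```

Paste the printed lines into configure mode, then commit and save. Because the identifier is the configuration node name, each key for the same user needs its own identifier; reusing one silently replaces the earlier key.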
RADIUS¶
In large deployments it is not reasonable to configure each user individually on every system. VyOS supports using RADIUS servers as backend for user authentication.
Configuration¶
Hint
If you want admin users to authenticate via RADIUS it is essential that the server sends the Cisco-AV-Pair attribute shell:priv-lvl=15. Without that attribute you will only get regular, non-privileged system users.
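As an added illustration of the hint above (not part of the VyOS documentation), this is what the server side looks like when the RADIUS backend is FreeRADIUS, where the attribute is spelled Cisco-AVPair in the standard dictionary. The user names and passwords are constructed placeholders.

```text
# FreeRADIUS "users" file entries (assumed backend; constructed example).
# admin1 receives the privilege attribute and logs in to VyOS as an admin.
admin1      Cleartext-Password := "change-me"
            Cisco-AVPair = "shell:priv-lvl=15"

# operator1 gets no priv-lvl attribute and lands in VyOS as a regular,
# non-privileged user.
operator1   Cleartext-Password := "change-me"
```

Verify the reply attribute with a test login before relying on it: a server that authenticates the user but omits the attribute produces a working but unprivileged account, which is easy to mistake for an authorization failure.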
Login Banner¶
You can set a pre-login or post-login banner message to display information about this system.
Note
To create a new line in your login message you need to escape the newline character by using \\n.