The default VyOS user account (vyos), as well as newly created user accounts, have all capabilities to configure the system. All accounts have sudo capabilities and therefore can operate as root on the system.
Both local administered and remote administered RADIUS accounts are supported.
Create new system user with username <name> and real-name specified by <string>.
Specify the plaintext password user by user <name> on this system. The plaintext password will be automatically transferred into a secure hashed password and not saved anywhere in plaintext.
Setup encrypted password for given username. This is useful for transferring a hashed password from system to system.
Key Based Authentication
It is highly recommended to use SSH key authentication. By default there is
only one user (
vyos), and you can assign any number of keys to that user.
You can generate a ssh key with the
ssh-keygen command on your local
machine, which will (by default) save it as
Every SSH key comes in three parts:
ssh-rsa AAAAB3NzaC1yc2EAAAABAA...VBD5lKwEWB firstname.lastname@example.org
Only the type (
ssh-rsa) and the key (
AAAB3N...) are used. Note that the
key will usually be several hundred characters long, and you will need to copy
and paste it. Some terminal emulators may accidentally split this over several
lines. Be attentive when you paste it that it only pastes as a single line.
The third part is simply an identifier, and is for your own reference.
Assign the SSH public key portion <key> identified by per-key <identifier> to the local user <username>.
Every SSH public key portion referenced by <identifier> requires the configuration of the <type> of public-key used. This type can be any of:
You can assign multiple keys to the same user by using a unique identifier per SSH key.
Set the options for this public key. See the ssh
authorized_keys man page
for details of what you can specify here. To place a
" character in the
options field, use
", for example
to restrict where the user may connect from when using this key.
loadkey has been deprecated in favour of
generate public-key-commands and will be removed in a future
version. See SSH.
SSH keys can not only be specified on the command-line but also loaded for a given user with <username> from a file pointed to by <location>. Keys can be either loaded from local filesystem or any given remote location using one of the following URIs:
<file>- Load from file on local filesystem path
scp://<user>@<host>:/<file>- Load via SCP from remote machine
sftp://<user>@<host>/<file>- Load via SFTP from remote machine
ftp://<user>@<host>/<file>- Load via FTP from remote machine
http://<host>/<file>- Load via HTTP from remote machine
tftp://<host>/<file>- Load via TFTP from remote machine
MFA/2FA authentication using One-Time-Pad
It is possible to enhance authentication security by using the 2FA/MFA feature together with OTP on VyOS. 2FA/MFA is configured independently per each user. If an OTP key is configured for a user, 2FA/MFA is automatically enabled for that particular user. If a user does not have an OTP key configured, there is no 2FA/MFA check for that user.
Enable OTP 2FA for user username with default settings, using the BASE32 encoded 2FA/MFA key specified by <key>.
Limit logins to <limit> per every
rate-time seconds. Rate limit must be
between 1 and 10 attempts.
Limit logins to
rate-limit attemps per every <seconds>. Rate time must
be between 15 and 600 seconds.
Set window of concurrently valid codes.
By default, a new token is generated every 30 seconds by the mobile application. In order to compensate for possible time-skew between the client and the server, an extra token before and after the current time is allowed. This allows for a time skew of up to 30 seconds between authentication server and client.
For example, if problems with poor time synchronization are experienced, the window can be increased from its default size of 3 permitted codes (one previous code, the current code, the next code) to 17 permitted codes (the 8 previous codes, the current code, and the 8 next codes). This will permit for a time skew of up to 4 minutes between client and server.
The window size must be between 1 and 21.
In large deployments it is not reasonable to configure each user individually on every system. VyOS supports using RADIUS servers as backend for user authentication.
Specify the <address> of the RADIUS server user with the pre-shared-secret given in <secret>. Multiple servers can be specified.
Configure the discrete port under which the RADIUS server can be reached. This defaults to 1812.
Setup the <timeout> in seconds when querying the RADIUS server.
Temporary disable this RADIUS server. It won’t be queried.
RADIUS servers could be hardened by only allowing certain IP addresses to connect. As of this the source address of each RADIUS query can be configured. If this is not set, incoming connections to the RADIUS server will use the nearest interface address pointing towards the server - making it error prone on e.g. OSPF networks when a link fails and a backup route is taken.
If you want to have admin users to authenticate via RADIUS it is
essential to sent the
Cisco-AV-Pair shell:priv-lvl=15 attribute. Without
the attribute you will only get regular, non privilegued, system users.
In the following example, both User1 and User2 will be able to SSH into
VyOS as user
vyos using their very own keys. User1 is restricted to only
be able to connect from a single IP address. In addition if password base login
is wanted for the
vyos user a 2FA/MFA keycode is required in addition to
set system login user vyos authentication public-keys 'User1' key "AAAAB3Nz...KwEW" set system login user vyos authentication public-keys 'User1' type ssh-rsa set system login user vyos authentication public-keys 'User1' options "from="192.168.0.100"" set system login user vyos authentication public-keys 'User2' key "AAAAQ39x...fbV3" set system login user vyos authentication public-keys 'User2' type ssh-rsa set system login user vyos authentication otp key OHZ3OJ7U2N25BK4G7SOFFJTZDTCFUUE2 set system login user vyos authentication plaintext-password vyos