Local user management Configuration

RBFS allows you to create privileges that are configurable for user-defined and pre-defined roles. RBFS supports a combination of permit and deny regular expressions and a configurable default privilege to support both blacklisting and whitelisting of users. If both permit and deny command regular expressions match, the allow regular expression takes precedence.

Creating Roles

To create a role, you need to configure the following:

  • Configure role-based access control (RBAC) privilege for the role

  • Configure the command privilege for the role

It is important to have secure management enabled when granting any type of privilege, whether it is RBAC or command-based, to any user. Without secure management, privileges do not work.

For information about enabling Secure Management, see the section "Configuring Secure Management Logs" of the Securing Management Plane user guide.

Configuring the RBAC Privilege

You need to configure the RBAC privilege for both table and object.

set system authorization global role <name> rbac-permission ( object | table ) <resource> <permission-type>

Command arguments

<name>

Authorization role name

<resource>

Represents resources in the RBFS (table/object)

<permission-type>

Permissions to create, read and delete. The following are the supported RBAC permission types:
-/-/-
-/-/delete
-/read/-
-/read/delete
create/-/-
create/-/delete
create/read/-
create/read/delete

Configuring the Command Privilege

set system authorization global role <name> cmd-permission ( allow-cmds <allow-cmds> | deny-cmds <deny-cmds> )

<role>

Authorization role name

<allow-cmds>

List of allow commands regular expression

<deny-cmds>

List of deny commands regular expression

  • If you configure a privilege for any of the pre-defined roles (supervisor, operator, reader), then it replaces the default privilege.

  • If you delete the configured privilege for a pre-defined role, then it will revert to the default privilege of the role.

  • Priority of privilege rules is as follows: explicit deny, explicit permit, default privilege.

The example below shows the new role named "support" which has RBAC permission to read any table and objects. Also, the user is denied everything except the allowed commands (ping, set, show, traceroute, and watch-mode).

{
  "ietf-restconf:data": {
    "rtbrick-config:system": {
      "authorization": {
        "global": {
          "role": [
            {
              "name": "support",
              "rbac-permission": [
                {
                  "permission": "-/read/-",
                  "resource-type": "object",
                  "resource": ".*"
                },
                {
                  "permission": "-/read/-",
                  "resource-type": "table",
                  "resource": ".*"
                }
              ],
              "cmd-permission": {
                "allow-cmds": [
                  "ping .*",
                  "set .*",
                  "show .*",
                  "traceroute .*",
                  "watch .*"
                  ],
                "deny-cmds": ".*"
              }
            }
          ]
        }
      }
    }
  }
}
Linux pre-configured users, roles and privileges
User Name Role Name Default Privileges

supervisor

supervisor

Allow all actions

operator

operator

Allow all actions

reader

reader

All commands will be denied other than the commands which match any of the below regular expressions.

"color.*",
"date.*",
"exit.*",
"history.*",
"paging.*",
"ping.*",
"show.*",
"traceroute.*",
"watch-mode.*"

Creating New Users

The new users created through local user management will always have a primary group with the same name and ID of the created user. The new user’s ID will be allocated within the range of 3000 and 3999.

You cannot use usernames such as root, wheel, admin, sudo or any of the SMP Linux pre-configured users and groups such as supervisor, operator, reader. Also, a username cannot start with “rtbrick_”. If a Linux user with the same username already exists but has an ID outside of the 3000-3999 range then the user creation through the RBFS configuration will fail.

To create a new user, enter the following command:

set system user <username>

Command arguments

<username>

Name of the local user

Assigning Roles to Users

A "role" is an RBFS RBAC construct and it is mapped to a Linux group. The list of user roles from the RBFS configuration becomes the list of additional Linux groups that the Linux user belongs to. You can create new users and assign “roles” to the new users. The supervisor, operator, and reader are the pre-defined and pre-configured roles both in Linux and RBFS.

When a user is configured in RBFS under “system users”, RBFS/confd validates that the list of user roles only contain roles that are pre-defined or that are configured under “system authorization”.

Do not create role names that start with “rtbrick_”. In addition, "root", "wheel", "admin", and "sudo" are not acceptable role names.

To assign a role to a new user, enter the following command:

set system user <username> role <role>

Command arguments

<username>

Name of the user

<role>

Role of the user (not the primary role)

Example: Assigning Roles to Users

{
  "ietf-restconf:data": {
    "rtbrick-config:system": {
      "user": [
        {
          "username": "bob",
          "role": [
            "operator"
            ],
          "shell": "/usr/local/bin/cli",
          "password-hashed-text": "$6$uTE4OYn0iRq.Vppe$JBVMQ5DZHfuCuUP5yTnfl9IJsRLQAXqTLlLMKRO8bCz9WDlB2ele8puwMrT4/QDF2nNOcoHtqYqFljly4B.Vu0"
        }
      ]
    }
  }
}

Configuring Authentication for a New User

There are two ways in which you can create a password for a new user in RBFS:

  1. Creating hashed password

  2. Creating plain-text password

Creating Hashed Password

You can verify the integrity of your password using hashed passwords. When a user is present in the configuration but a "password hashed text" is not present, the password authentication is considered disabled for that specific user.

Three predefined roles include supervisor, operator, and reader. supervisor is the default password for the role supervisor. For the 'operator' and 'reader' roles, there is no default password.

Use the system users supervisor command to disable the default supervisor password.

You can also disable password authentication for any of the predefined users such as supervisor, operator and reader by adding a "system users supervisor" configuration section without any "password hashed text" and thus disabling password authentication for the supervisor user.

SSH public keys can be configured even if "password hashed text" is not present.

To create a password hashed text and authenticate the new user, perform the following steps:

  1. Generate hash password on any Linux server.
    mkpasswd --method=SHA-512

  2. Configure authentication using a password hashed text and an SSH public key.
    set system user <username> password-hashed-text <password-hashed-text>
    set system user <username> ssh-pub-key <ssh-pub-key>

Changing an Existing Hashed Password for Supervisor

You can change an existing hashed password for a 'supervisor' user after logging in to the system.

Syntax:

set system user <username> password-hashed-text <password-hashed-text>
set system user <username> ssh-pub-key <ssh-pub-key>

Example Command:

set system user supervisor password-hashed-text $6$HIPXmd0uiLD0RtcT$3V7YxFJWR3b6NEGGd41RCT0TseWgdKLFAl6RecvDOqIUnaCHMt0zo0ZZR4/1
Command arguments

<username>

Name of the user.

<password-hashed-text>

Password string.

<ssh-pub-key>

public keys of a user. You can specify multiple ssh-pub-keys.

  1. Log in using username and password hashed text.

Example
{
  "ietf-restconf:data": {
    "rtbrick-config:system": {
      "user": [
        {
          "username": "bob",
          "shell": "/usr/local/bin/cli",
          "password-hashed-text": "$5$L2DaOYYuddhBV$9RA5MX9RQzLC9fIKJzbnoFBb88w9rkSXl7GVrVJ9PY7",
          "ssh-pub-key": [
            "ssh-rsa AAAAB3NzaC1yc2EAAAADAQCBAAABAQCubg5sdDycPN5EViNkV6w7rfp2GAfKWuInfaL3xOXyvSNpsmaHILYmgrLUU0GKQH9gauPUJpDcvvYaMt0ZBuTbWHVMUc4cvhgbNDkTB2bG2cTZ5QzbicyXff3BlDWQThVp2LtVBiW2tf7JTTa9SnL4Lnm+CQcXsQ0rxqy2S6bJpsRYlFMyQl/hZ4QEWE153dw0HGvcG8mjfnPN4wvCc/omfD3ljxx+Gf4oFS0davX6pdphUKLvgL33VVG5xaK71imv2l3897LIJZaHxy7FbB+CjSYT6QNq1XksX8omrbRjiP3enEQi/bANtzTNnGDnIm1KHf3xuKpoKw+B5fhDZogx"
            ]
        }
      ]
    }
  }
}

Creating Plain-Text Password

To configure a password with plain text password for a new user, use the following command.

Syntax:

set system user <username> password-plain-text <password-plain-text>

Command arguments

<username>

Name of the user

<password-plain-text>

Specifies the plain-text password

Example for Configuring Plain Text Password
set system user bob password-plain-text bob123
set system user bob shell /usr/local/bin/cli
set system user bob role operator

Changing an Existing Plain-Text Password for Supervisor

You can change an existing plain text password for the 'supervisor' user after logging into the system. Use the following commands to change an existing password.

Syntax:

set system user <username> password-plain-text <password-plain-text>

Sample Commands:

set system user supervisor shell /bin/bash
set system user supervisor password-plain-text rtbrick
Viewing Configuration of Plain Text Password
{
  "ietf-restconf:data": {
    "rtbrick-config:system": {
      "user": [
        {
          "username": "bob",
          "role": [
            "operator"
            ],
          "shell": "/usr/local/bin/cli",
          "password-hashed-text": "$6$uTE4OYn0iRq.Vppe$JBVMQ5DZHfuCuUP5yTnfl9IJsRLQAXqTLlLMKRO8bCz9WDlB2ele8puwMrT4/QDF2nNOcoHtqYqFljly4B.Vu0"
        }
      ]
    }
  }
}

Setting the User Shell

RBFS validates that the shell is one of the following 3 valid options:

  • /usr/sbin/nologin

  • /bin/bash

  • /usr/local/bin/cli

To configure user shell, enter the following command:

set system user <username> shell <shell>

Command arguments

<username>

Name of the user

<shell>

Name of the shell

Example
root@rtbrick: cfg> set system user smith shell /usr/local/bin/cli

Specifying the Display Name for User Names

The display name allows you to specify a preferred name so that you can easily identify the user. You can change your display name by entering the following command:

set system user <username> display-name <display_name>

Command arguments

<username>

Name of the user

<display_name>

Display name to easily identify the user

Example
set system user smith display-name primeuser

Enabling or disabling CLI access

You can control a user’s access to the CLI. By default, users will have access to the CLI.

set system user <username> no-cli-access < true | false >

Command arguments

<username>

Name of the user

<true | false>

When the no-cli-access is set to true, the user’s access to the CLI is disabled. When the no-cli-access is set to false, the user will be able access the CLI.

Example
set system user smith no-cli-access false

Configuring sudo Without Password

You can configure local system users to log in via passwords or using SSH keys. From a security perspective, it is desirable to allow authentication with SSH keys only. RBFS provides a configuration knob to disable the requirement for a 'sudo' password so that local users can authenticate with SSH keys only. This knob is configurable only if the user or one of its roles is supervisor.

You can enter the following command to enable or disable the 'sudo' password. By default, this is set to false which ensures that the supervisor must provide a password when using sudo.

set system user <user> no-sudo-password < true | false >

Command arguments

<username>

Name of the user

<true | false>

When the no-sudo-password is set to true, it indicates that a 'sudo' password is not required. When it is set to false, it indicates that the supervisor must provide a password when using sudo.

Example Configuration:

{
    "rtbrick-config:user": [
      {
        "username": "smith",
        "role": "supervisor",
        "shell": "/bin/bash",
        "ssh-pub-key": "ssh-rsa AAAAB3Nza<...>",
        "no-sudo-password": "true"
      }
    ]
 }

Note: If 'no-sudo-password' is set, you can log in with your SSH key.

Configuring Fail2Ban

The failed SSH login attempts from one user over an SSH jump host affect other users from the same jump host. You can configure Fail2Ban, which enables you to whitelist some IP addresses by creating separate jails for each user connecting through the jump host. In this way, failed login attempts by one user will not affect another user.

The following Fail2Ban command allows you to configure a list of IP addresses to include those IP addresses in the whitelist. You can specify multiple IP addresses that you want to exclude from the ban. Fail2Ban is applicable to both the ONL and the Linux container.

Syntax:

set system platform-management fail2ban ignore-ip <ignore-ip>

Command arguments

ignore-ip <ignore-ip>

Specify the IP addresses in CIDR notation which are to be whitelisted.

Example commands for configuration:

supervisor@rtbrick>LEAF01: cfg> show config set
set system
set system platform-management fail2ban ignore-ip 10.1.1.1/32
set system platform-management fail2ban ignore-ip 10.1.1.2/32
set system platform-management fail2ban ignore-ip 10.2.2.0/24

Example Configuration:

supervisor@rtbrick>LEAF01: cfg> show config
{
  "ietf-restconf:data": {
    "rtbrick-config:system": {
      "platform-management": {
        "fail2ban": {
          "ignore-ip": [
            "10.1.1.1/32",
            "10.1.1.2/32",
            "10.2.2.0/24"
            ]
        }
      }
    }
  }
}