Local user management Configuration
RBFS allows you to create privileges that are configurable for user-defined and pre-defined roles. RBFS supports a combination of allow and deny regular expressions together with a configurable default privilege, so a role can be defined either by blacklisting commands or by whitelisting them. If a command matches both an allow and a deny regular expression, the allow regular expression takes precedence.
Creating Roles
To create a role, you need to configure the following:
-
Configure role-based access control (RBAC) privilege for the role
-
Configure the command privilege for the role
Secure management must be enabled before you grant any type of privilege, RBAC or command-based, to any user. Without secure management, privileges are not enforced.
For information about enabling Secure Management, see the section "Configuring Secure Management Logs" of the Securing Management Plane user guide.
Configuring the RBAC Privilege
You need to configure the RBAC privilege for both resource types, table and object.
Command arguments
Argument | Description |
---|---|
<name> | Authorization role name |
<resource> | Regular expression matching resources in RBFS (tables or objects) |
<permission-type> | Permissions to create, read and delete. In the configuration the permission is written as a single string such as "-/read/-", which grants read access only (see the example below). |
Configuring the Command Privilege
Argument | Description |
---|---|
<role> | Authorization role name |
<allow-cmds> | List of regular expressions for allowed commands |
<deny-cmds> | List of regular expressions for denied commands |
The example below shows a new role named "support" that has RBAC permission to read any table and object. At the command level the role is denied everything (deny-cmds ".*") except the allowed commands: ping, set, show, traceroute and watch. Because allow takes precedence over deny, "set .*" lets this role run every configuration command, so keep the allow list as narrow as the role actually needs.
{
  "ietf-restconf:data": {
    "rtbrick-config:system": {
      "authorization": {
        "global": {
          "role": [
            {
              "name": "support",
              "rbac-permission": [
                { "permission": "-/read/-", "resource-type": "object", "resource": ".*" },
                { "permission": "-/read/-", "resource-type": "table", "resource": ".*" }
              ],
              "cmd-permission": {
                "allow-cmds": [ "ping .*", "set .*", "show .*", "traceroute .*", "watch .*" ],
                "deny-cmds": ".*"
              }
            }
          ]
        }
      }
    }
  }
}
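The allow-over-deny rule and the RBAC permission strings described above, modelled as an added Python example (illustrative code written for this page, not RBFS code). It assumes that each regular expression is matched against the whole command line, which is why the page's patterns end in ".*", and that a permission string such as "-/read/-" carries create/read/delete slots in that order; both are assumptions drawn from the page's examples, not documented RBFS behaviour.

```python
import re
from dataclasses import dataclass, field

# Added example (not RBFS code): a model of the authorization rules on this page.
# Assumptions: allow/deny patterns are anchored to the whole command line
# (re.fullmatch), and permission strings like "-/read/-" hold create/read/delete
# slots in that order.

RBAC_SLOTS = ("create", "read", "delete")


@dataclass
class Role:
    name: str
    allow_cmds: list = field(default_factory=list)
    deny_cmds: list = field(default_factory=list)
    # (permission, resource-type, resource-regex), as in the "rbac-permission" list
    rbac: list = field(default_factory=list)
    default_allow: bool = False  # the configurable default used when no pattern matches


def command_permitted(role: Role, command: str) -> bool:
    """Allow takes precedence over deny when both match; otherwise the default applies."""
    if any(re.fullmatch(pattern, command) for pattern in role.allow_cmds):
        return True
    if any(re.fullmatch(pattern, command) for pattern in role.deny_cmds):
        return False
    return role.default_allow


def rbac_permitted(role: Role, action: str, resource_type: str, resource: str) -> bool:
    """True if some rbac-permission entry grants `action` on this resource-type/resource."""
    slot = RBAC_SLOTS.index(action)
    for permission, rtype, resource_rx in role.rbac:
        parts = permission.split("/")
        if len(parts) != len(RBAC_SLOTS):
            raise ValueError(f"bad permission string {permission!r}")
        if rtype == resource_type and parts[slot] == action and re.fullmatch(resource_rx, resource):
            return True
    return False


# The page's "support" role.
SUPPORT = Role(
    "support",
    allow_cmds=["ping .*", "set .*", "show .*", "traceroute .*", "watch .*"],
    deny_cmds=[".*"],
    rbac=[("-/read/-", "object", ".*"), ("-/read/-", "table", ".*")],
)

# The pre-configured "reader" role: everything denied except the listed patterns.
READER = Role(
    "reader",
    allow_cmds=["color.*", "date.*", "exit.*", "history.*", "paging.*",
                "ping.*", "show.*", "traceroute.*", "watch-mode.*"],
    deny_cmds=[".*"],
)


def explain(role: Role, command: str) -> str:
    verdict = "allowed" if command_permitted(role, command) else "denied"
    return f"{role.name}: {command!r} is {verdict}"


if __name__ == "__main__":
    for cmd in ("show bgp summary", "ping 10.0.0.1", "ping", "reboot",
                "set system user bob role supervisor"):
        print(explain(SUPPORT, cmd))
    print("support may read tables:", rbac_permitted(SUPPORT, "read", "table", "global.bgp.peer"))
    print("support may delete tables:", rbac_permitted(SUPPORT, "delete", "table", "global.bgp.peer"))
```

Two things the model makes visible: "ping .*" does not match the bare command "ping" (the pattern requires the trailing space), whereas the reader role's "ping.*" does; and because allow wins, "set .*" in the support role permits every set command at the command-permission layer, including changes to system users, so pair a command allow-list with RBAC permissions that restrict what the role may actually write.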
Linux pre-configured users, roles and privileges
User Name | Role Name | Default Privileges |
---|---|---|
supervisor | supervisor | Allow all actions |
operator | operator | Allow all actions |
reader | reader | All commands are denied except those matching one of the following regular expressions: "color.*", "date.*", "exit.*", "history.*", "paging.*", "ping.*", "show.*", "traceroute.*", "watch-mode.*" |
Creating New Users
Users created through local user management always get a primary group with the same name and ID as the user. The new user's ID is allocated from the range 3000 to 3999.
You cannot use usernames such as root, wheel, admin, sudo or any of the SMP Linux pre-configured users and groups such as supervisor, operator and reader. A username also cannot start with “rtbrick_”. If a Linux user with the same username already exists but has an ID outside the 3000-3999 range, user creation through the RBFS configuration fails.
To create a new user, enter the following command:
Syntax:
set system user <username>
Command arguments
Argument | Description |
---|---|
<username> | Name of the local user |
Assigning Roles to Users
A "role" is an RBFS RBAC construct and is mapped to a Linux group. The list of roles of a user in the RBFS configuration becomes the list of supplementary Linux groups that the Linux user belongs to. You can create new users and assign roles to them. The supervisor, operator and reader roles are pre-defined and pre-configured both in Linux and in RBFS.
When a user is configured in RBFS under “system users”, RBFS/confd validates that the list of user roles contains only roles that are pre-defined or configured under “system authorization”.
Do not create role names that start with “rtbrick_”. In addition, "root", "wheel", "admin" and "sudo" are not acceptable role names.
To assign a role to a new user, enter the following command:
Syntax:
set system user <username> role <role>
Command arguments
Argument | Description |
---|---|
<username> | Name of the user |
<role> | Role to assign to the user. Roles become supplementary groups; the user's primary group is always the group created with the user's own name. |
Example: Assigning Roles to Users
{
  "ietf-restconf:data": {
    "rtbrick-config:system": {
      "user": [
        {
          "username": "bob",
          "role": [ "operator" ],
          "shell": "/usr/local/bin/cli",
          "password-hashed-text": "$6$uTE4OYn0iRq.Vppe$JBVMQ5DZHfuCuUP5yTnfl9IJsRLQAXqTLlLMKRO8bCz9WDlB2ele8puwMrT4/QDF2nNOcoHtqYqFljly4B.Vu0"
        }
      ]
    }
  }
}
Configuring Authentication for a New User
There are two ways in which you can create a password for a new user in RBFS:
-
Creating hashed password
-
Creating plain-text password
Creating Hashed Password
With hashed passwords, the configuration holds only the password hash; the plain-text password itself does not appear in it. When a user is present in the configuration but no "password hashed text" is configured, password authentication is considered disabled for that user.
The three predefined roles are supervisor, operator and reader. The default password for the supervisor user is supervisor; the operator and reader users have no default password. Change or disable the default supervisor password before the device is reachable from a network.
To disable password authentication for any of the predefined users (supervisor, operator or reader), add a "system users <username>" configuration section, for example "system users supervisor", without a "password hashed text". This disables password authentication for that user, and is the way to disable the default supervisor password.
SSH public keys can be configured even if "password hashed text" is not present.
To create a password hashed text and authenticate the new user, perform the following steps:
-
Generate the password hash on any Linux server:
mkpasswd --method=SHA-512
-
Configure authentication using a password hashed text and an SSH public key.
set system user <username> password-hashed-text <password-hashed-text>
set system user <username> ssh-pub-key <ssh-pub-key>
Changing an Existing Hashed Password for Supervisor
You can change the existing hashed password of the 'supervisor' user after logging in to the system.
Syntax:
set system user <username> password-hashed-text <password-hashed-text>
set system user <username> ssh-pub-key <ssh-pub-key>
Example Command:
set system user supervisor password-hashed-text $6$HIPXmd0uiLD0RtcT$3V7YxFJWR3b6NEGGd41RCT0TseWgdKLFAl6RecvDOqIUnaCHMt0zo0ZZR4/1
Command arguments
Argument | Description |
---|---|
<username> | Name of the user. |
<password-hashed-text> | Password hash in crypt format as produced by mkpasswd (for example SHA-512, prefix "$6$"). |
<ssh-pub-key> | Public key of the user. You can specify multiple ssh-pub-keys. |
-
Log in with the username and the password whose hash you configured.
Example
{
  "ietf-restconf:data": {
    "rtbrick-config:system": {
      "user": [
        {
          "username": "bob",
          "shell": "/usr/local/bin/cli",
          "password-hashed-text": "$5$L2DaOYYuddhBV$9RA5MX9RQzLC9fIKJzbnoFBb88w9rkSXl7GVrVJ9PY7",
          "ssh-pub-key": [
            "ssh-rsa AAAAB3NzaC1yc2EAAAADAQCBAAABAQCubg5sdDycPN5EViNkV6w7rfp2GAfKWuInfaL3xOXyvSNpsmaHILYmgrLUU0GKQH9gauPUJpDcvvYaMt0ZBuTbWHVMUc4cvhgbNDkTB2bG2cTZ5QzbicyXff3BlDWQThVp2LtVBiW2tf7JTTa9SnL4Lnm+CQcXsQ0rxqy2S6bJpsRYlFMyQl/hZ4QEWE153dw0HGvcG8mjfnPN4wvCc/omfD3ljxx+Gf4oFS0davX6pdphUKLvgL33VVG5xaK71imv2l3897LIJZaHxy7FbB+CjSYT6QNq1XksX8omrbRjiP3enEQi/bANtzTNnGDnIm1KHf3xuKpoKw+B5fhDZogx"
          ]
        }
      ]
    }
  }
}
Creating Plain-Text Password
To configure a plain-text password for a new user, use the following command.
Syntax:
set system user <username> password-plain-text <password-plain-text>
Command arguments
Argument | Description |
---|---|
<username> | Name of the user |
<password-plain-text> | The password in plain text |
Example for Configuring Plain Text Password
set system user bob password-plain-text bob123
set system user bob shell /usr/local/bin/cli
set system user bob role operator
Changing an Existing Plain-Text Password for Supervisor
You can change the plain-text password of the 'supervisor' user after logging in to the system. Use the following command to change an existing password.
Syntax:
set system user <username> password-plain-text <password-plain-text>
Sample Commands:
set system user supervisor shell /bin/bash
set system user supervisor password-plain-text rtbrick
Viewing Configuration of Plain Text Password
A password entered with password-plain-text is stored as a hash. The configuration therefore shows it as "password-hashed-text", and the plain-text value is not displayed:
{
  "ietf-restconf:data": {
    "rtbrick-config:system": {
      "user": [
        {
          "username": "bob",
          "role": [ "operator" ],
          "shell": "/usr/local/bin/cli",
          "password-hashed-text": "$6$uTE4OYn0iRq.Vppe$JBVMQ5DZHfuCuUP5yTnfl9IJsRLQAXqTLlLMKRO8bCz9WDlB2ele8puwMrT4/QDF2nNOcoHtqYqFljly4B.Vu0"
        }
      ]
    }
  }
}
Setting the User Shell
RBFS validates that the shell is one of the following 3 valid options:
-
/usr/sbin/nologin
-
/bin/bash
-
/usr/local/bin/cli
To configure the user shell, enter the following command:
Syntax:
set system user <username> shell <shell>
Command arguments
Argument | Description |
---|---|
<username> | Name of the user |
<shell> | Path of the shell, one of the three valid options above |
Example
root@rtbrick: cfg> set system user smith shell /usr/local/bin/cli
Specifying the Display Name for User Names
The display name lets you specify a preferred name so that the user can be identified easily. To set a display name, enter the following command:
Syntax:
set system user <username> display-name <display_name>
Command arguments
Argument | Description |
---|---|
<username> | Name of the user |
<display_name> | Display name to easily identify the user |
Example
set system user smith display-name primeuser
Enabling or disabling CLI access
You can control a user's access to the CLI. By default, users have access to the CLI. To change this, enter the following command:
Syntax:
set system user <username> no-cli-access <true | false>
Command arguments
Argument | Description |
---|---|
<username> | Name of the user |
<true | false> | When no-cli-access is set to true, the user cannot access the CLI. The default is false, which allows CLI access. |
Example
set system user smith no-cli-access false
Configuring sudo Without Password
You can configure local system users to log in with passwords or with SSH keys. From a security perspective, it is desirable to allow authentication with SSH keys only. Because sudo normally prompts for the user's password, RBFS provides a configuration knob that removes the 'sudo' password requirement so that key-only users can still use sudo. This knob is configurable only if the user is supervisor or one of its roles is supervisor.
Enter the following command to enable or disable the 'sudo' password requirement. By default, it is set to false, which means the supervisor must provide a password when using sudo.
Syntax:
set system user <username> no-sudo-password <true | false>
Command arguments
Argument | Description |
---|---|
<username> | Name of the user |
<true | false> | When no-sudo-password is set to true, the user can run sudo without entering a password. The default is false. |
Example Configuration:
{
  "rtbrick-config:user": [
    {
      "username": "smith",
      "role": "supervisor",
      "shell": "/bin/bash",
      "ssh-pub-key": "ssh-rsa AAAAB3Nza<...>",
      "no-sudo-password": "true"
    }
  ]
}
Note: With no-sudo-password set to true, a user configured with an SSH public key only (no password hashed text) can log in with the key and use sudo. Possession of that private key then grants root through sudo, so protect the key accordingly.
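The user-creation rules from the sections above (reserved usernames and the "rtbrick_" prefix, roles that must be pre-defined or configured under system authorization, the three valid shells, password authentication being disabled without a password hashed text, and no-sudo-password being limited to supervisor) collected into one pre-flight check, as an added Python example written for this page rather than RBFS code. It also builds the RESTCONF document in the shape this page shows and the equivalent "set system user" commands. Two assumptions: the hash check accepts the "$5$"/"$6$" crypt forms used in the page's examples, and ssh-pub-key values are quoted on the command line because they contain spaces.

```python
import json
import re

# Added example (not RBFS code): pre-flight checks for a local-user definition,
# based on the constraints this page states, plus builders for the equivalent
# RESTCONF document and "set system user" commands. Assumptions: the hash check
# accepts the $5$/$6$ crypt forms shown in the page's examples, and ssh-pub-key
# values are quoted on the command line because they contain spaces.

PREDEFINED_ROLES = {"supervisor", "operator", "reader"}
RESERVED_NAMES = {"root", "wheel", "admin", "sudo"} | PREDEFINED_ROLES
VALID_SHELLS = {"/usr/sbin/nologin", "/bin/bash", "/usr/local/bin/cli"}
CRYPT_HASH = re.compile(r"^\$[56]\$[^$]+\$[./0-9A-Za-z]+$")


def validate_user(cfg, configured_roles=(), existing=False):
    """Return the list of problems found; an empty list means the definition passes."""
    errors = []
    name = cfg["username"]
    roles = cfg.get("role", [])
    if not existing and (name in RESERVED_NAMES or name.startswith("rtbrick_")):
        errors.append(f"username {name!r} is reserved or uses the rtbrick_ prefix")
    unknown = set(roles) - PREDEFINED_ROLES - set(configured_roles)
    if unknown:
        errors.append(f"roles neither pre-defined nor configured under system authorization: {sorted(unknown)}")
    shell = cfg.get("shell", "/usr/local/bin/cli")
    if shell not in VALID_SHELLS:
        errors.append(f"shell {shell!r} is not one of {sorted(VALID_SHELLS)}")
    hashed = cfg.get("password-hashed-text")
    keys = cfg.get("ssh-pub-key", [])
    if hashed is not None and not CRYPT_HASH.match(hashed):
        errors.append("password-hashed-text is not a crypt hash; use password-plain-text for a plain-text password")
    if hashed is None and not keys:
        errors.append("no password hash and no SSH key: password authentication is disabled and no other login method is configured")
    for key in keys:
        fields = key.split()
        if len(fields) < 2 or not fields[0].startswith(("ssh-", "ecdsa-", "sk-")):
            errors.append(f"malformed ssh-pub-key starting {key[:16]!r}")
    wants_nopasswd = str(cfg.get("no-sudo-password", "false")).lower() == "true"
    if wants_nopasswd and name != "supervisor" and "supervisor" not in roles:
        errors.append("no-sudo-password is only configurable for supervisor or a user holding the supervisor role")
    return errors


def to_restconf(cfg):
    """Wrap one user entry in the document shape shown on this page."""
    return {"ietf-restconf:data": {"rtbrick-config:system": {"user": [cfg]}}}


def to_set_commands(cfg):
    """Equivalent CLI commands, in the order a user would normally type them."""
    name = cfg["username"]
    cmds = [f"set system user {name}"]
    cmds += [f"set system user {name} role {role}" for role in cfg.get("role", [])]
    for leaf in ("shell", "display-name", "password-hashed-text", "no-cli-access", "no-sudo-password"):
        if leaf in cfg:
            cmds.append(f"set system user {name} {leaf} {cfg[leaf]}")
    cmds += [f'set system user {name} ssh-pub-key "{key}"' for key in cfg.get("ssh-pub-key", [])]
    return cmds


# The page's "bob" example (hash copied from the page).
BOB = {
    "username": "bob",
    "role": ["operator"],
    "shell": "/usr/local/bin/cli",
    "password-hashed-text": "$6$uTE4OYn0iRq.Vppe$JBVMQ5DZHfuCuUP5yTnfl9IJsRLQAXqTLlLMKRO8bCz9WDlB2ele8puwMrT4/QDF2nNOcoHtqYqFljly4B.Vu0",
}

# A key-only user with the supervisor role; the public key is a constructed placeholder, not a real key.
SMITH = {
    "username": "smith",
    "role": ["supervisor"],
    "shell": "/bin/bash",
    "ssh-pub-key": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderKeyForThisExample smith@jump"],
    "no-sudo-password": "true",
}

# A deliberately broken definition: reserved prefix, unknown role, invalid shell, plain text where a hash belongs.
BAD = {
    "username": "rtbrick_svc",
    "role": ["auditor"],
    "shell": "/bin/sh",
    "password-hashed-text": "bob123",
}

if __name__ == "__main__":
    for user in (BOB, SMITH, BAD):
        print(user["username"], validate_user(user) or "ok")
    print("\n".join(to_set_commands(BOB)))
    print(json.dumps(to_restconf(SMITH), indent=2))
```

Run the checks before committing: a plain-text password pasted into password-hashed-text, an unknown role, or no-sudo-password on a non-supervisor user are the mistakes this catches locally instead of at commit time.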
Configuring Fail2Ban
When several users reach the device through the same SSH jump host, all of their failed SSH login attempts appear to come from the jump host's IP address. Failed attempts by one user can therefore get the jump host banned and lock out every other user behind it. Fail2Ban's ignore-ip list lets you whitelist such addresses so that failed login attempts from them do not count towards a ban, and failed attempts by one user no longer affect another.
The following command configures the list of whitelisted IP addresses. You can specify multiple addresses or prefixes to exclude from the ban. Fail2Ban is applicable to both the ONL and the Linux container. Note that a whitelisted jump host is no longer protected against password guessing from that host, so restrict who can reach the jump host and prefer SSH key authentication for the users behind it.
Syntax:
set system platform-management fail2ban ignore-ip <ignore-ip>
Command arguments
Argument | Description |
---|---|
ignore-ip <ignore-ip> | IP address or prefix in CIDR notation to whitelist. |
Example commands for configuration:
supervisor@rtbrick>LEAF01: cfg> show config set
set system platform-management fail2ban ignore-ip 10.1.1.1/32
set system platform-management fail2ban ignore-ip 10.1.1.2/32
set system platform-management fail2ban ignore-ip 10.2.2.0/24
Example Configuration:
supervisor@rtbrick>LEAF01: cfg> show config
{
  "ietf-restconf:data": {
    "rtbrick-config:system": {
      "platform-management": {
        "fail2ban": {
          "ignore-ip": [ "10.1.1.1/32", "10.1.1.2/32", "10.2.2.0/24" ]
        }
      }
    }
  }
}
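The jump-host effect described above, reduced to a small Python model as an added example (written for this page; it is neither Fail2Ban's nor RBFS's code). It counts failed sshd logins per source address over constructed log lines, exempts whitelisted prefixes the way ignore-ip does, validates ignore-ip entries as strict CIDR prefixes, and emits the set commands shown on this page. The failure regex is a simplified stand-in for Fail2Ban's sshd filter and the maxretry value of 3 is an assumption for the example.

```python
import ipaddress
import re
from collections import Counter

# Added example (not Fail2Ban or RBFS code): a reduced model of the jump-host
# problem that the ignore-ip knob addresses. The failure pattern is a simplified
# stand-in for Fail2Ban's sshd filter, and the log lines are constructed for
# this example.

FAILED_LOGIN = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

# Constructed sshd log lines: three different users mistype once each behind
# the jump host 10.1.1.1, while one attacker retries from 203.0.113.9.
LOG_LINES = [
    "Jan 10 10:00:01 leaf01 sshd[1201]: Failed password for alice from 10.1.1.1 port 50122 ssh2",
    "Jan 10 10:00:05 leaf01 sshd[1202]: Failed password for invalid user bobb from 10.1.1.1 port 50123 ssh2",
    "Jan 10 10:00:09 leaf01 sshd[1203]: Failed password for carol from 10.1.1.1 port 50124 ssh2",
    "Jan 10 10:00:12 leaf01 sshd[1204]: Accepted publickey for dave from 10.1.1.2 port 50125 ssh2",
    "Jan 10 10:00:20 leaf01 sshd[1205]: Failed password for erin from 10.1.1.2 port 50126 ssh2",
    "Jan 10 10:01:00 leaf01 sshd[1206]: Failed password for root from 203.0.113.9 port 40001 ssh2",
    "Jan 10 10:01:02 leaf01 sshd[1207]: Failed password for root from 203.0.113.9 port 40002 ssh2",
    "Jan 10 10:01:04 leaf01 sshd[1208]: Failed password for invalid user admin from 203.0.113.9 port 40003 ssh2",
]


def parse_ignore_ips(entries):
    """strict=True rejects prefixes with host bits set (e.g. 10.2.2.5/24) instead of silently reinterpreting them."""
    return [ipaddress.ip_network(entry, strict=True) for entry in entries]


def is_valid_ignore_ip(entry):
    try:
        parse_ignore_ips([entry])
        return True
    except ValueError:
        return False


def is_ignored(source, ignore_nets):
    addr = ipaddress.ip_address(source)
    return any(addr in net for net in ignore_nets)


def banned_sources(lines, ignore_ips=(), maxretry=3):
    """Sources that reach maxretry failures; whitelisted sources never accumulate failures."""
    nets = parse_ignore_ips(ignore_ips)
    failures = Counter()
    for line in lines:
        match = FAILED_LOGIN.search(line)
        if match and not is_ignored(match.group(1), nets):
            failures[match.group(1)] += 1
    return {src for src, count in failures.items() if count >= maxretry}


def set_commands(entries):
    """CLI lines as on this page; a bare address is normalised to a /32 (or /128) prefix."""
    return [f"set system platform-management fail2ban ignore-ip {net.with_prefixlen}"
            for net in parse_ignore_ips(entries)]


if __name__ == "__main__":
    print("banned without ignore-ip:", sorted(banned_sources(LOG_LINES)))
    print("banned with jump host whitelisted:", sorted(banned_sources(LOG_LINES, ["10.1.1.0/24"])))
    print("\n".join(set_commands(["10.1.1.1", "10.1.1.2/32", "10.2.2.0/24"])))
```

Without the whitelist, three unrelated one-off mistakes from 10.1.1.1 reach the threshold and the jump host is banned along with the attacker; with 10.1.1.0/24 (or just 10.1.1.1/32) in ignore-ip, only 203.0.113.9 is banned. The strict prefix check matters because an entry like 10.2.2.5/24 is ambiguous about which /24 was meant.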