User Accounts
In addition to the two factory accounts user and admin, you may also authenticate using local accounts, RADIUS, or TACACS+.
Named SSH Keys
ssh alice@10.0.0.1 whether or not a local account, TACACS+ account, or RADIUS account exists. Moreover, if a local account, TACACS+ account, or RADIUS account named alice exists in the user class but Alice's SSH authorized-key exists in the admin class, Alice can still authenticate as an administrator because SSH keys take precedence over other authentication methods and account types. Conversely, if Alice's SSH key were imported into the user class but a local account, TACACS+ account, or RADIUS account in the admin class were created for Alice, she would by default log in as an ordinary user and not as an administrator. This happens because SSH clients usually try public key authentication before attempting password-based authentication. To authenticate using password-based authentication when public key authentication is an option, use the -o option:
ssh -o PubkeyAuthentication=no alice@10.0.0.1
SSH authorized keys also take precedence over the default factory accounts. If you disable the factory accounts but import an SSH key as the admin user, you can still authenticate with ssh admin@10.0.0.1 even when factory accounts are disabled.
When removing a user from a system, remember to remove any named SSH keys.
Local User Accounts
The Enterprise SBC comes with two local, factory accounts for access. System administrators may create additional local accounts for each user or administrator who needs to access the Enterprise SBC. Local accounts ensure your ability to audit an individual's activity on the Enterprise SBC.
When you create a local account, you must specify the username and user class. The username must be unique and must meet these requirements:
- Start with a lowercase letter or an underscore.
- Use only lowercase letters, digits, underscores, and hyphens after the first character.
- Contain no more than 31 characters.
You cannot use user or admin as a username.
There are two user classes: user and admin.
Local accounts in the user class have the same access level as the factory user account,
and local accounts in the admin class have the same access level as the factory admin
account.
After you create a second administrator account, you can disable the factory
user and admin accounts. The Enterprise SBC
requires at least one administrator account. Only administrators can delete accounts,
and administrators cannot delete their own accounts. Use the
factory-accounts command to disable or re-enable the factory
accounts.
cli.audit.log records the timestamp, the local account name, the connecting IP address, and the command run by any user or administrator.
2020-10-01 15:35:06.530 TaskID: 0xab7c8710, admin@10.2.2.7 : 'show users'
2020-10-01 15:36:14.112 TaskID: 0xab7c8710, alice@10.2.2.8 : 'show users'
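Because cli.audit.log attributes every command to an account and a source address, it is the record you review to confirm that administrators are using their named accounts rather than the factory ones. The following parser and review pass is an added example, not Oracle's code: it reads lines in the format shown above (the first two sample lines are the page's own, the other two are constructed), and the management network and the list of account-management commands it flags are assumptions for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# cli.audit.log line format as shown on the page:
#   <date> <time> TaskID: <hex>, <account>@<source-ip> : '<command>'
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"TaskID: (?P<task>0x[0-9a-fA-F]+), "
    r"(?P<user>[^@\s]+)@(?P<src>\S+) : '(?P<cmd>.*)'$"
)

FACTORY_ACCOUNTS = {"user", "admin"}

# Commands that change who can log in; flagged for a second look (assumed list).
ACCOUNT_MGMT_COMMANDS = ("local-accounts", "factory-accounts", "ssh-key")

# The first two lines are the page's own sample; the last two are constructed.
SAMPLE_LOG = """\
2020-10-01 15:35:06.530 TaskID: 0xab7c8710, admin@10.2.2.7 : 'show users'
2020-10-01 15:36:14.112 TaskID: 0xab7c8710, alice@10.2.2.8 : 'show users'
2020-10-01 15:40:02.001 TaskID: 0xab7c8711, alice@10.2.2.8 : 'local-accounts add bob admin'
2020-10-01 15:41:30.447 TaskID: 0xab7c8712, admin@192.0.2.50 : 'factory-accounts enable'
"""


def parse_audit_log(text):
    """Parse cli.audit.log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def review_audit_log(text, mgmt_networks=("10.2.2.0/24",)):
    """Return (finding-type, record) pairs a reviewer would want:
    - factory-account use: once named local accounts exist, activity under
      admin/user cannot be attributed to a person;
    - commands from outside the expected management networks (assumed 10.2.2.0/24);
    - account-management commands, which warrant review regardless of source."""
    nets = [ip_network(n) for n in mgmt_networks]
    findings = []
    for r in parse_audit_log(text):
        if r["user"] in FACTORY_ACCOUNTS:
            findings.append(("factory-account", r))
        try:
            if not any(ip_address(r["src"]) in n for n in nets):
                findings.append(("unexpected-source", r))
        except ValueError:  # source field is not an IP literal
            findings.append(("unexpected-source", r))
        if r["cmd"].split(" ")[0] in ACCOUNT_MGMT_COMMANDS:
            findings.append(("account-management", r))
    return findings


def commands_per_account(text):
    """Per-account command count, a quick check that activity is attributable."""
    return Counter(r["user"] for r in parse_audit_log(text))


if __name__ == "__main__":
    for kind, rec in review_audit_log(SAMPLE_LOG):
        print(f"{kind:20s} {rec['ts']} {rec['user']}@{rec['src']} '{rec['cmd']}'")
    print(dict(commands_per_account(SAMPLE_LOG)))
```

Run against a real cli.audit.log, a non-empty factory-account finding after you have created named accounts means someone is still sharing the built-in admin login, which defeats the auditability the page describes.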
Delete Local Accounts with Invalid Usernames
If an existing local account username does not meet the username requirements, the CLI rejects the delete command because the username is invalid. To delete the account, correct the username in a backup configuration, restore the updated configuration, and then delete the account by using the updated username.
- Back up the current Enterprise SBC configuration.
- Extract the configuration XML from the backup.
- In <localAccounts>, change both the UserName value and the matching <key> value to a username that meets the requirements. For example, change JohnSmith to johnsmith.
- Restore the modified configuration.
- Run the delete command with the updated username.
local-accounts delete johnsmith
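The username rules above and this recovery procedure can both be checked offline before touching the device. The script below is an added example, not Oracle's code: it encodes the stated username rules, scans an extracted backup for <localAccounts> entries whose UserName would be rejected, rewrites both the UserName and the matching <key> as the procedure requires, and emits the delete commands to run after the corrected configuration is restored. The page only names the <localAccounts>, UserName and <key> elements, so the surrounding XML layout (a <config> root, a <userClass> child) is an assumption constructed for the sample.

```python
import re
import xml.etree.ElementTree as ET

# Username rules as stated on the page: first character a lowercase letter or
# underscore, then only lowercase letters, digits, underscores and hyphens,
# at most 31 characters in total. The names "user" and "admin" are reserved.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,30}$")
RESERVED = {"user", "admin"}


def is_valid_username(name: str) -> bool:
    """True if the CLI would accept this username for local-accounts add."""
    return name not in RESERVED and USERNAME_RE.fullmatch(name) is not None


def suggest_username(name: str) -> str:
    """Derive a compliant name from a non-compliant one: lowercase it, replace
    disallowed characters with '_', fix the first character, truncate to 31.
    This is a suggestion for the operator to review, not a rule from the page."""
    candidate = re.sub(r"[^a-z0-9_-]", "_", name.lower())
    if not re.match(r"[a-z_]", candidate[:1]):
        candidate = "_" + candidate
    candidate = candidate[:31]
    if candidate in RESERVED:
        candidate = candidate + "_1"  # hypothetical disambiguation
    return candidate


# Constructed sample of an extracted backup; only <localAccounts>, <key> and
# UserName come from the page, the rest of the layout is assumed.
SAMPLE_CONFIG = """<config>
  <localAccounts>
    <key>JohnSmith</key>
    <UserName>JohnSmith</UserName>
    <userClass>user</userClass>
  </localAccounts>
  <localAccounts>
    <key>jamie</key>
    <UserName>jamie</UserName>
    <userClass>admin</userClass>
  </localAccounts>
</config>
"""


def find_invalid_accounts(xml_text: str) -> dict:
    """Map each non-compliant UserName in the backup to a suggested replacement."""
    root = ET.fromstring(xml_text)
    names = [acct.findtext("UserName") or "" for acct in root.iter("localAccounts")]
    return {n: suggest_username(n) for n in names if not is_valid_username(n)}


def rewrite_usernames(xml_text: str, mapping: dict) -> str:
    """Rewrite the UserName and the matching <key> of each affected account,
    as the procedure requires, and return the updated XML text."""
    root = ET.fromstring(xml_text)
    for acct in root.iter("localAccounts"):
        old = acct.findtext("UserName")
        if old in mapping:
            new = mapping[old]
            acct.find("UserName").text = new
            key = acct.find("key")
            if key is not None and key.text == old:
                key.text = new
    return ET.tostring(root, encoding="unicode")


def delete_commands(mapping: dict) -> list:
    """CLI commands to run once the corrected configuration has been restored."""
    return [f"local-accounts delete {new}" for new in mapping.values()]


if __name__ == "__main__":
    bad = find_invalid_accounts(SAMPLE_CONFIG)
    fixed = rewrite_usernames(SAMPLE_CONFIG, bad)
    print(bad)                           # {'JohnSmith': 'johnsmith'}
    print(find_invalid_accounts(fixed))  # {}
    print(delete_commands(bad))          # ['local-accounts delete johnsmith']
```

Review the suggested names before restoring: two different invalid names can map to the same suggestion, and the rewritten name must still be unique on the Enterprise SBC.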
Local Accounts and TACACS+
When the tacacs-authentication-only attribute is enabled
in the security configuration element or when the Admin Security
entitlement is enabled, authentication to a local account changes when TACACS+ is
configured. If a TACACS+ server is configured and available, then authentication
uses TACACS+ and the Enterprise SBC rejects attempts to
authenticate to local accounts. If a TACACS+ server is configured but unavailable,
the Enterprise SBC allows authentication to local
accounts. This ensures that, when TACACS+ is configured, authentication to local
accounts is only possible when the TACACS+ server is down. If no TACACS+ server is
configured, local accounts are accessible.
Manage Local Accounts
Use the local-accounts command to create,
delete, or modify individual accounts. Use the factory-accounts command to disable or re-enable the default user and admin
accounts.
Create a Local Account
The syntax to add a local account:
local-accounts add <username> <class>
Usernames must start with a lowercase letter or an underscore; use only lowercase letters, digits, underscores, or hyphens after the first character; and not exceed 31 characters.
The two options for <class> are user and
admin.
- Create an account. To create an account for a user named Jamie:
ORACLE# local-accounts add jamie user
To create an account for an administrator named Jamie:
ORACLE# local-accounts add jamie admin
- Enter and confirm the password for the new account.
- Save and activate the configuration.
Modify the Password of a Local Account
Local administrator accounts may change the password of any local account, but they may not change the password of the factory default accounts.
local-accounts change-password <username>
- Log in as an administrator.
- Use the local-accounts command to change the password of a local account.
local-accounts change-password jamie
- Enter the current password for that local account.
- Enter and confirm a new password for that local account.
The Enterprise SBC saves and activates the configuration.
Reset a Local Account Password
local-accounts reset <username>
- Log in as an administrator.
- Reset a user's password by creating a temporary password.
ORACLE# local-accounts reset jamie
- Confirm you want to reset the local account password.
- Enter and confirm the temporary password for that user.
- Communicate the temporary password to that user.
The Enterprise SBC saves and activates the configuration.
The Enterprise SBC will force the user
jamie to choose a new password the next time that user logs
in.
Delete a Local Account
local-accounts delete <username>
- Log in as an administrator.
- Delete the account.
ORACLE# local-accounts delete jamie
- Confirm you want to delete the account.
- Save and activate the configuration.
- Delete any saved authorized keys for that user.
ORACLE# ssh-key authorized-key delete jamie
- Use the show users command to display active sessions.
ORACLE# show users
Index  remote-address    IdNum  duration  type     state   User
------------------------------------------------------------------------------
2      10.0.0.1:59378    7849   00:01:46  ssh      priv   * admin
1      10.0.0.1:59373    7842   00:01:57  ssh      user     jamie
0      127.0.0.1         2701   04:17:39  console  user     -
- Kill any active sessions of the old user.
ORACLE# kill ssh 1
Killing ssh session [1]
Successfully killed session [ssh-jamie@10.0.0.1] at index[1]
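Deleting the account does not end the sessions the user already holds, which is why the procedure ends with show users and kill. The following helper is an added example, not Oracle's code: it parses show users output in the layout printed above (the sample table is the page's own, with the "*" taken to mark the current session), lists the sessions still held by the deleted user, and builds the kill <type> <index> commands for them, skipping the session you are issuing the commands from.

```python
# `show users` output as printed on the page; the "*" marks the current session.
SAMPLE_SHOW_USERS = """\
Index  remote-address    IdNum  duration  type     state   User
------------------------------------------------------------------------------
2      10.0.0.1:59378    7849   00:01:46  ssh      priv   * admin
1      10.0.0.1:59373    7842   00:01:57  ssh      user     jamie
0      127.0.0.1         2701   04:17:39  console  user     -
"""

FIELDS = ("index", "remote_address", "idnum", "duration", "type", "state", "user")


def parse_show_users(text):
    """Parse the session table into dicts. A session row has seven columns plus
    an optional '*' before the user name; header, rule and prompt lines are skipped."""
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 8 and parts[6] == "*":
            parts = parts[:6] + [parts[7]]
            current = True
        elif len(parts) == 7:
            current = False
        else:
            continue
        if not parts[0].isdigit():
            continue  # the header line also has seven tokens
        session = dict(zip(FIELDS, parts))
        session["index"] = int(session["index"])
        session["current"] = current
        sessions.append(session)
    return sessions


def sessions_for_user(text, username):
    """Sessions still held by the given account after its deletion."""
    return [s for s in parse_show_users(text) if s["user"] == username]


def kill_commands(text, username):
    """Build `kill <type> <index>` commands for the user's remaining sessions,
    never for the session the administrator is currently using."""
    return [
        f"kill {s['type']} {s['index']}"
        for s in sessions_for_user(text, username)
        if not s["current"]
    ]


if __name__ == "__main__":
    for s in parse_show_users(SAMPLE_SHOW_USERS):
        print(s)
    print(kill_commands(SAMPLE_SHOW_USERS, "jamie"))  # ['kill ssh 1']
```

Re-run show users after issuing the kill commands: a session that reappears for the deleted user means an authorized key or another authentication path for that name still exists.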
Viewing Local Accounts
To view the local accounts on the Enterprise SBC, use the show configuration
local-accounts command.
ORACLE# show configuration local-accounts
local-accounts
user-name jamie
user-class user
user-password ******
last-modified-by admin@10.0.0.1
last-modified-date 2020-09-28 17:11:38
ORACLE#
Note: The local-accounts argument to the show command must be written out in full.
Disable the Default Accounts
If you have created a second administrator account, you can disable the default user and admin accounts.
- Log in as an administrator.
- Run the factory-accounts command.
ORACLE# factory-accounts disable
- Save and activate the configuration.
Re-enable the Default Accounts
If you have disabled the default user and admin accounts, you can re-enable them.
- Run the factory-accounts command.
ORACLE# factory-accounts enable
- Save and activate the configuration.