User Accounts
In addition to the two factory accounts user and admin, you may also authenticate using local accounts, RADIUS, or TACACS+.
Local User Accounts
The ESBC comes with two local, factory accounts for access. System administrators may create additional local accounts for each user or administrator who needs to access the ESBC. Local accounts ensure your ability to audit an individual's activity on the ESBC.
When creating local accounts, you must specify the username and the user class. Usernames must be unique, and neither user nor admin may be used. There are two user classes: user and admin.
Local accounts in the user class have the same access level as the factory user account, and local accounts in the admin class have the same access level as the factory admin account.
After a second administrator account has been created, you may disable the factory user and admin accounts. The ESBC requires at least one administrator account. Only administrators may delete accounts, and administrators may not delete their own account. Use the command factory-accounts to disable or re-enable the factory accounts.
cli.audit.log records the timestamp, the local account name, the connecting IP address, and the command run by any user or administrator.
2020-10-01 15:35:06.530 TaskID: 0xab7c8710, admin@10.2.2.7 : 'show users'
2020-10-01 15:36:14.112 TaskID: 0xab7c8710, alice@10.2.2.8 : 'show users'
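The audit log only delivers per-person accountability if someone actually reads it. The following parser for the cli.audit.log line format above is an added example, not Oracle code; it assumes the sample lines (the two from this page plus one constructed line) and a constructed set of expected admin hosts, and flags use of the factory accounts and account-management commands coming from elsewhere.

```python
import re
from datetime import datetime

# Constructed sample in the cli.audit.log format shown above: the two lines from the
# page plus one constructed line with an account change from an unexpected host.
SAMPLE_AUDIT_LOG = """\
2020-10-01 15:35:06.530 TaskID: 0xab7c8710, admin@10.2.2.7 : 'show users'
2020-10-01 15:36:14.112 TaskID: 0xab7c8710, alice@10.2.2.8 : 'show users'
2020-10-01 15:40:02.001 TaskID: 0xab7c8710, admin@203.0.113.9 : 'local-accounts add newadmin admin'
garbage line that should be skipped
"""

AUDIT_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"TaskID: (?P<task>0x[0-9a-fA-F]+), "
    r"(?P<account>[^@\s]+)@(?P<ip>[^\s]+) : '(?P<cmd>[^']*)'$"
)

FACTORY_ACCOUNTS = {"user", "admin"}
# Commands that change who can log in; worth reviewing whenever they appear.
ACCOUNT_COMMANDS = ("local-accounts ", "factory-accounts", "ssh-key ")


def parse_audit_log(text):
    """Parse cli.audit.log text into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = AUDIT_LINE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append(ev)
    return events


def review(events, admin_hosts):
    """Return (finding, account, ip, cmd) tuples for two conditions: use of a factory
    account (no per-person accountability) and an account-management command issued
    from a host outside the expected admin_hosts set."""
    findings = []
    for ev in events:
        if ev["account"] in FACTORY_ACCOUNTS:
            findings.append(("factory-account-use", ev["account"], ev["ip"], ev["cmd"]))
        if ev["cmd"].startswith(ACCOUNT_COMMANDS) and ev["ip"] not in admin_hosts:
            findings.append(("account-change-from-unexpected-host", ev["account"], ev["ip"], ev["cmd"]))
    return findings


if __name__ == "__main__":
    for f in review(parse_audit_log(SAMPLE_AUDIT_LOG), admin_hosts={"10.2.2.7", "10.2.2.8"}):
        print(*f)
```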
Local Accounts and TACACS+
When the tacacs-authentication-only attribute is enabled in the security configuration element or when the Admin Security entitlement is enabled, authentication to a local account changes when TACACS+ is configured. If a TACACS+ server is configured and available, then authentication uses TACACS+ and the ESBC rejects attempts to authenticate to local accounts. If a TACACS+ server is configured but unavailable, the ESBC allows authentication to local accounts. This ensures that, when TACACS+ is configured, authentication to local accounts is only possible when the TACACS+ server is down. If no TACACS+ server is configured, local accounts are accessible.
Local Accounts and SSH Keys
SSH authorized keys take precedence over local accounts. For example, if an administrator imported Alice's SSH key into the admin class, then Alice can authenticate with ssh alice@10.0.0.1 whether or not a local account exists. Moreover, if a local account named alice exists in the user class but an SSH authorized-key exists in the admin class, Alice can still authenticate as an administrator because SSH keys take precedence over local accounts. Conversely, if Alice's SSH key were imported into the user class but a local account in the admin class were created for Alice, she would by default log in as an ordinary user and not as an administrator. This happens because SSH clients usually try public key authentication before attempting password-based authentication. To authenticate using password-based authentication when public key authentication is an option, use the -o option: ssh -o PubkeyAuthentication=no alice@10.0.0.1.
When deleting an account, it is important to remember to delete any unused SSH keys for that user or administrator.
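The precedence rules in the two sections above (TACACS+ versus local passwords, SSH authorized keys versus local accounts) are easy to misread, so here they are encoded as a small model. This is an added example, not ESBC code; it assumes a constructed directory of keys and accounts, and it assumes the TACACS+ rule governs only the password path, since the page does not say how TACACS+ interacts with SSH keys.

```python
# Added example: encodes the precedence rules described above. Not ESBC code.

def local_password_allowed(tacacs_only, tacacs_configured, tacacs_available):
    """Is password authentication to a local account accepted?
    tacacs_only: tacacs-authentication-only attribute (or Admin Security entitlement) enabled."""
    if not tacacs_only:
        return True   # assumption: without the attribute, TACACS+ does not block local accounts
    if tacacs_configured and tacacs_available:
        return False  # TACACS+ answers; local accounts are rejected
    return True       # server unavailable or not configured: local accounts usable


def resolve_login(username, ssh_keys, local_accounts, pubkey_auth=True,
                  tacacs_only=False, tacacs_configured=False, tacacs_available=False):
    """Return (method, user_class) for the session that would result, or None if rejected.
    ssh_keys and local_accounts map a username to the class ("user" or "admin") holding
    the authorized key or the local account. pubkey_auth=False models
    'ssh -o PubkeyAuthentication=no'. Assumption: the TACACS+ rule governs only the
    password path; the page does not state how it interacts with SSH keys."""
    if pubkey_auth and username in ssh_keys:
        return ("ssh-key", ssh_keys[username])   # keys take precedence over local accounts
    if username in local_accounts and local_password_allowed(
            tacacs_only, tacacs_configured, tacacs_available):
        return ("password", local_accounts[username])
    return None


def orphaned_keys(ssh_keys, local_accounts):
    """Authorized keys whose owner has no local account: they still grant access, so delete them."""
    return sorted(set(ssh_keys) - set(local_accounts))


# Constructed directory: alice as in the first scenario, bob as in the second, and a
# deleted user (jamie) whose authorized key was left behind.
SSH_KEYS = {"alice": "admin", "bob": "user", "jamie": "user"}
LOCAL_ACCOUNTS = {"alice": "user", "bob": "admin"}

if __name__ == "__main__":
    print(resolve_login("alice", SSH_KEYS, LOCAL_ACCOUNTS))                   # ('ssh-key', 'admin')
    print(resolve_login("bob", SSH_KEYS, LOCAL_ACCOUNTS, pubkey_auth=False))  # ('password', 'admin')
    print(orphaned_keys(SSH_KEYS, LOCAL_ACCOUNTS))                            # ['jamie']
```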
Manage Local Accounts
Use the local-accounts command to create, delete, or modify individual accounts. Use the factory-accounts command to disable or re-enable the default user and admin accounts.
Create a Local Account
local-accounts add <username> <class>
The two options for <class> are user and admin.
- Create an account.
To create an account for a user named Jamie:
ORACLE# local-accounts add jamie user
To create an account for an administrator named Jamie:
ORACLE# local-accounts add jamie admin
Note: Usernames are case sensitive.
- Enter and confirm the password for the new account.
- Save and activate the configuration.
Modify the Password of a Local Account
Administrators may change their own password.
local-accounts change-password <username>
- Log in to your local administrator account.
- Use the local-accounts command to change your password.
local-accounts change-password jamie
- Enter your current password.
- Enter and confirm your new password.
The ESBC saves and activates the configuration after a password change.
Delete a Local Account
local-accounts delete <username>
- Log in as an administrator.
- Delete the account.
ORACLE# local-accounts delete jamie
- Confirm you want to delete the account.
- Save and activate the configuration.
- Delete any saved authorized keys for that user.
ORACLE# ssh-key authorized-key delete jamie
- Use the show users command to display active sessions.
ORACLE# show users
Index remote-address    IdNum duration type    state User
------------------------------------------------------------------------------
2     10.0.0.1:59378    7849  00:01:46 ssh     priv  * admin
1     10.0.0.1:59373    7842  00:01:57 ssh     user  jamie
0     127.0.0.1         2701  04:17:39 console user
- Kill any active sessions of the old user.
ORACLE# kill ssh 1
Killing ssh session [1]
Successfully killed session [ssh-jamie@10.196.0.137] at index[1]
Viewing Local Accounts
To view the local accounts on the ESBC, use the show configuration local-accounts command.
ORACLE# show configuration local-accounts
local-accounts
user-name jamie
user-class user
user-password ******
last-modified-by admin@10.0.0.1
last-modified-date 2020-09-28 17:11:38
ORACLE#
Note: The local-accounts argument to the show command must be written out in full.
Disable the Default Accounts
If you have created a second administrator account, you can disable the default user and admin accounts.
- Log in as an administrator.
- Run the factory-accounts command.
ORACLE# factory-accounts disable
- Save and activate the configuration.
Re-enable the Default Accounts
If you have disabled the default user and admin accounts, you can re-enable them.
- Run the factory-accounts command.
ORACLE# factory-accounts enable
- Save and activate the configuration.