User Management

TNSR includes a tnsr user by default. Administrators may create additional users to provide separate workspaces for each user. In this workspace the user may save and load configurations.

Warning

User access is controlled by NACM and the NACM default behavior varies by platform and when the TNSR installation was created. See NETCONF Access Control Model (NACM) for details.

User Configuration

Entering config-auth mode requires a username. When modifying an existing user, the username is available for autocompletion. The command will also accept a new username, which it creates when the configuration is committed. Creating a new user requires providing a means of authentication:

tnsr(config)# auth user <user-name>

A user may be deleted using the no form:

tnsr(config)# no auth user <user-name>

The exit command leaves config-auth mode:

tnsr(config-auth)# exit
tnsr(config)#

When exiting config-auth mode, TNSR commits changes to the user, which will create or update the entry for the user in the host operating system.

Authentication Methods

There are two methods for authenticating users: passwords and user keys.

Password Authentication

The password method takes a password entered in plain text, but stores a hashed version of the password in the configuration:

tnsr(config-auth)# password <plain text password>

Note

The password is hashed by the CLI prior to being passed to the backend. The plain text password is never stored or passed outside the specific CLI instance.

If the configuration is viewed using the show configuration running command, the hashed password will be present.

User Key Authentication

The second method of authentication is by user key. A user key is the same format as created by ssh-keygen.

To add a user key for authentication, use the user-keys command inside config-auth mode:

tnsr(config-auth)# user-keys <key-name>

The user key is read directly from the CLI. After the command is executed by pressing Enter, the CLI will wait for the key to be entered, typically by pasting it into the terminal or by typing. The end of input is indicated by a blank line. The normal CLI features are bypassed during this process.