Local User Authentication

Local User Authentication Configuration

Entering config-auth mode requires a username. When modifying an existing user, the username is available for autocompletion. The command will also accept a new username, which it creates when the configuration is committed. Creating a new user requires providing a means of authentication:

tnsr(config)# auth user <user-name>

A user may be deleted using the no form:

tnsr(config)# no auth user <user-name>

The exit command leaves config-auth mode:

tnsr(config-auth)# exit

When exiting config-auth mode, TNSR commits changes to the user, which will create or update the entry for the user in the host operating system.

Authentication Methods

There are two methods for authenticating users: passwords and user keys.

Password Authentication

The password method takes a password entered in plain text, but stores a hashed version of the password in the configuration:

tnsr(config-auth)# password <plain text password>


The password is hashed by the CLI prior to being passed to the backend. The plain text password is never stored or passed outside the specific CLI instance.


The password may be between 6 and 256 characters in length, though depending on the operating system default password hashing algorithm and key derivation behavior, the practical limit may be lower.

If the configuration is viewed using the show configuration running command, the hashed password will be present.

User Key Authentication

The second method of authentication is by user key. A user key is the same format as created by ssh-keygen.

To add a user key for authentication, use the user-keys command inside config-auth mode:

tnsr(config-auth)# user-keys <key-name>

The user key is read directly from the CLI. After the command is executed by pressing Enter, the CLI will wait for the key to be entered, typically by pasting it into the terminal or by typing. The end of input is indicated by a blank line. The normal CLI features are bypassed during this process.