Local User Authentication¶
Local User Authentication Configuration¶
config-auth mode requires a username. When modifying an existing
user, the username is available for autocompletion. The command will also accept
a new username, which it creates when the configuration is committed. Creating a
new user requires providing a means of authentication:
tnsr(config)# auth user <user-name>
A user may be deleted using the
tnsr(config)# no auth user <user-name>
exit command leaves
config-auth mode, TNSR commits changes to the user, which will
create or update the entry for the user in the host operating system.
There are two methods for authenticating users: passwords and user keys.
The password method takes a password entered in plain text, but stores a hashed version of the password in the configuration:
tnsr(config-auth)# password <plain text password>
The password is hashed by the CLI prior to being passed to the backend. The plain text password is never stored or passed outside the specific CLI instance.
The password may be between 6 and 256 characters in length, though depending on the operating system default password hashing algorithm and key derivation behavior, the practical limit may be lower.
If the configuration is viewed using the
show configuration running command,
the hashed password will be present.
User Key Authentication¶
The second method of authentication is by user key. A user key is the same
format as created by
To add a user key for authentication, use the
user-keys command inside
tnsr(config-auth)# user-keys <key-name>
The user key is read directly from the CLI. After the command is executed by
Enter, the CLI will wait for the key to be entered, typically by
pasting it into the terminal or by typing. The end of input is indicated by a
blank line. The normal CLI features are bypassed during this process.