Local User Authentication
Local User Authentication Configuration
Entering config-auth mode requires a username. When modifying an existing user, the username is available for autocompletion. The command will also accept a new username, which it creates when the configuration is committed. Creating a new user requires providing a means of authentication:
tnsr(config)# auth user <user-name>
A user may be deleted using the no form:
tnsr(config)# no auth user <user-name>
The exit command leaves config-auth mode:
tnsr(config-auth)# exit
tnsr(config)#
When exiting config-auth mode, TNSR commits changes to the user, which will create or update the entry for the user in the host operating system.
Authentication Methods
There are two methods for authenticating users: passwords and user keys.
Password Authentication
The password method takes a password entered in plain text, but stores a hashed version of the password in the configuration:
tnsr(config-auth)# password <plain text password>
Note
The password is hashed by the CLI prior to being passed to the backend. The plain text password is never stored or passed outside the specific CLI instance.
Warning
The password may be between 6 and 256 characters in length, though depending on the operating system's default password hashing algorithm and key derivation behavior, the practical limit may be lower.
If the configuration is viewed using the show configuration running command, the hashed password will be present.
User Key Authentication
The second method of authentication is by user key. A user key is the same format as created by ssh-keygen.
To add a user key for authentication, use the user-keys command inside config-auth mode:
tnsr(config-auth)# user-keys <key-name>
The user key is read directly from the CLI. After the command is executed by pressing Enter, the CLI will wait for the key to be entered, typically by pasting it into the terminal or by typing. The end of input is indicated by a blank line. The normal CLI features are bypassed during this process.
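Because the key is read raw and a blank line ends input, a wrapped or truncated paste can go unnoticed, so it helps to check the key on the workstation first. The following Python check is an added example, not part of TNSR or its documentation; it assumes "the same format as created by ssh-keygen" means the single-line public key found in a .pub file, and the names check_public_key and make_sample_key are hypothetical.

```python
import base64
import hashlib
import struct

# Common ssh-keygen key types (an assumption, not a list published for TNSR).
KNOWN_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
               "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def check_public_key(text):
    """Validate one OpenSSH public key line; return (type, fingerprint, comment)."""
    if "PRIVATE KEY" in text:
        raise ValueError("this is a private key; use the .pub file")
    lines = text.strip("\n").split("\n")
    # A blank line ends CLI input and a wrapped key is split, so require one line.
    if len(lines) != 1 or not lines[0].strip():
        raise ValueError("key must be exactly one non-empty line")
    fields = lines[0].split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) > 2 else ""
    if key_type not in KNOWN_TYPES:
        raise ValueError("unrecognised key type: " + key_type)
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key data is not valid base64") from exc
    # The blob begins with a 4-byte big-endian length, then the type name again.
    if len(blob) < 4:
        raise ValueError("key data is truncated")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("type field does not match the encoded key")
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return key_type, fingerprint, comment


def make_sample_key():
    """Build a constructed, non-functional ed25519 public key line for the demo."""
    name, raw = b"ssh-ed25519", bytes(range(32))  # constructed bytes, not a real key
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw)) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " admin@example"


if __name__ == "__main__":
    print(check_public_key(make_sample_key()))
```

The fingerprint is computed the same way as the SHA256 value printed by ssh-keygen -lf, so it can be compared against the key owner's copy before the key is pasted.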