vyos:off-wiki:latest:configuration:system:login [2025/03/11 20:11] – created - external edit 127.0.0.1 vyos:off-wiki:latest:configuration:system:login [Date unknown] (current) – removed - external edit (Date unknown) 127.0.0.1
-====== Login/User Management ====== 
- 
-The default VyOS user account (vyos), as well as newly created user accounts,
-have all capabilities to configure the system. All accounts have sudo
-capabilities and therefore can operate as root on the system.
-
-Both locally administered accounts and remotely administered RADIUS accounts are supported.
- 
-===== Local ===== 
- 
-[[login|login.html]] 
- 
-Create a new system user with username <name> and the real name specified by <string>.
- 
-[[login|login.html]] 
- 
-Specify the plaintext password used by user <name> on this system. The
-plaintext password is automatically converted into a secure hashed
-password and is not saved anywhere in plaintext.
- 
-[[login|login.html]] 
- 
-Set up an encrypted (hashed) password for the given username. This is useful for
-transferring a hashed password from one system to another.
- 
-[[login|login.html]] 
- 
-Disable (lock) the account. The user will not be able to log in.
- 
-==== Key Based Authentication ==== 
- 
-It is highly recommended to use SSH key authentication. By default there is
-only one user (vyos), and you can assign any number of keys to that user.
-You can generate an SSH key with the ssh-keygen command on your local
-machine, which will (by default) save it as ~/.ssh/id_rsa.pub .
-
-Every SSH key comes in three parts: the key type, the key itself, and an
-identifier (comment).
-
-Only the type ( ssh-rsa ) and the key ( AAAB3N... ) are used. Note that the
-key will usually be several hundred characters long, and you will need to copy
-and paste it. Some terminal emulators may accidentally split this over several
-lines. Be attentive when you paste it that it only pastes as a single line.
-The third part is simply an identifier, and is for your own reference.
- 
-See also 
- 
-SSH [[service:ssh|Operation]] 
- 
-[[login|login.html]] 
- 
-Assign the SSH public key portion <key>, identified by the per-key <identifier>, to the local user <username>.
- 
-[[login|login.html]] 
- 
-Every SSH public key portion referenced by <identifier> requires the
-<type> of public key used to be configured. This type can be any of:
- 
-  * ecdsa-sha2-nistp256 
- 
-  * ecdsa-sha2-nistp384 
- 
-  * ecdsa-sha2-nistp521 
- 
-  * ssh-dss 
- 
-  * ssh-ed25519 
- 
-  * ssh-rsa 
- 
-Note 
- 
-You can assign multiple keys to the same user by using a unique 
-identifier per SSH key. 
- 
-[[login|login.html]] 
- 
-Set the options for this public key. See the ssh authorized_keys man
-page for details of what you can specify here. To place a " character in the options field, use &quot;, for example from=&quot;10.0.0.0/24&quot; to restrict where the user
-may connect from when using this key.
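The checks the text above asks for (single-line paste, a type from the list, a " in options written as &quot;) can be automated before the key reaches the CLI. The following is an added example, not VyOS code: it parses a pasted public-key line, verifies the declared type against the type OpenSSH embeds at the start of every key blob, and emits the corresponding set commands; the sample key is constructed and not a real key.

```python
import base64
import struct

# Public-key types VyOS accepts for `public-keys <identifier> type` (from the page).
VYOS_KEY_TYPES = {"ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
                  "ecdsa-sha2-nistp521", "ssh-dss", "ssh-ed25519", "ssh-rsa"}

def parse_pubkey(pasted: str):
    """Split pasted id_*.pub text into (type, key, comment). Rejects a paste
    that arrived on several lines, an unsupported type, a non-base64 key, and
    a declared type that differs from the type embedded in the key blob."""
    lines = [l for l in pasted.splitlines() if l.strip()]
    if len(lines) != 1:
        raise ValueError("key must be pasted as a single line")
    fields = lines[0].split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <key> [comment]'")
    ktype, blob, comment = fields[0], fields[1], " ".join(fields[2:])
    if ktype not in VYOS_KEY_TYPES:
        raise ValueError(f"unsupported key type {ktype!r}")
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError as exc:
        raise ValueError("key is not valid base64") from exc
    if len(raw) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", raw[:4])          # length-prefixed type string
    embedded = raw[4:4 + n].decode("ascii", "replace")
    if embedded != ktype:
        raise ValueError(f"declared type {ktype} but blob says {embedded!r}")
    return ktype, blob, comment

def vyos_public_key_commands(user: str, identifier: str, pasted: str,
                             options: str = "") -> list:
    """Build the `set system login user ... public-keys` commands for one key.
    A literal " inside options is written as &quot;, as the page describes."""
    ktype, blob, _comment = parse_pubkey(pasted)
    base = f"set system login user {user} authentication public-keys '{identifier}'"
    cmds = [f'{base} key "{blob}"', f"{base} type {ktype}"]
    if options:
        escaped = options.replace('"', "&quot;")
        cmds.append(f'{base} options "{escaped}"')
    return cmds

def constructed_ed25519_pubkey() -> str:
    """Constructed sample: a well-formed ssh-ed25519 line with a dummy 32-byte
    public key. It is not a real key and cannot be used to log in anywhere."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + b"\x01" * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " user1@laptop"
```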
- 
-==== MFA/2FA authentication using OTP (one time passwords) ==== 
- 
-It is possible to enhance authentication security by using the 2FA / MFA feature
-together with OTP on VyOS. 2FA / MFA is configured
-independently for each user. If an OTP key is configured for a user, 2FA/MFA
-is automatically enabled for that particular user. If a user does not have an
-OTP key configured, there is no 2FA/MFA check for that user.
- 
-[[login|login.html]] 
- 
-Enable OTP 2FA for the given username with default settings, using the BASE32
-encoded 2FA/MFA key specified by <key>.
- 
-=== Optional/default settings === 
- 
-[[login|login.html]] 
- 
-default: 3 
- 
-Limit logins to <limit> attempts per rate-time seconds. The rate limit
-must be between 1 and 10 attempts.
- 
-[[login|login.html]] 
- 
-default: 30 
- 
-Limit logins to rate-limit attempts per <seconds> seconds. The rate time must
-be between 15 and 600 seconds.
- 
-[[login|login.html]] 
- 
-default: 3 
- 
-Set the window of concurrently valid codes.
-
-By default, a new token is generated every 30 seconds by the mobile
-application. In order to compensate for possible time skew between
-the client and the server, an extra token before and after the current
-time is allowed. This allows for a time skew of up to 30 seconds
-between authentication server and client.
-
-For example, if problems with poor time synchronization are experienced,
-the window can be increased from its default size of 3 permitted codes
-(one previous code, the current code, the next code) to 17 permitted codes
-(the 8 previous codes, the current code, and the 8 next codes). This
-permits a time skew of up to 4 minutes between client and server.
- 
-The window size must be between 1 and 21. 
- 
-=== OTP-key generation === 
- 
-The following command can be used to generate the OTP key as well
-as the CLI commands to configure it:
- 
-[[login|login.html]] 
- 
-An example of key generation: 
- 
-<code> 
- 
-vyos@vyos:~$ generate system login username otptester otp-key hotp-time rate-limit 2 rate-time 20 window-size 5 
-# You can share it with the user, he just needs to scan the QR in his OTP app 
-# username:  otptester 
-# OTP KEY:  J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY 
-# OTP URL:  otpauth://totp/otptester@vyos?secret=J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY&digits=6&period=30 
-█████████████████████████████████████████████ 
-█████████████████████████████████████████████ 
-████ ▄▄▄▄▄ █▀█ █▄   ▀▄▀▄█▀▄  ▀█▀ █ ▄▄▄▄▄ ████ 
-████ █   █ █▀▀▀█ ▄▀ █▄▀ ▀▄ ▄ ▀  ▄█ █   █ ████ 
-████ █▄▄▄█ █▀ █▀▀██▄▄ █ █ ██ ▀▄▀ █ █▄▄▄█ ████ 
-████▄▄▄▄▄▄▄█▄▀ ▀▄█ █ ▀ █ █ █ █▄█▄█▄▄▄▄▄▄▄████ 
-████ ▄   █▄ ▄ ▀▄▀▀▀▀▄▀▄▀▄▄▄▀▀▄▄▄  █ █▄█ █████ 
-████▄▄ ██▀▄▄▄▀▀█▀ ▄ ▄▄▄ ▄▀ ▀ █ ▄ ▄ ██▄█  ████ 
-█████▄  ██▄▄▀█▄█▄█▄ ▀█▄▀▄ ▀█▀▄ █▄▄▄ ▄   ▄████ 
-████▀▀▄   ▄█▀▄▀ ▄█▀█▀▄▄▄▀█▄ ██▄▄▄  ▀█ █  ████ 
-████ ▄▀▄█▀▄▄█▀▀▄▀▀▀▀█ ▄▀▄▀ ▄█ ▀▄  ▄ ▄▀ █▄████ 
-████▄ ██ ▀▄▀▀ ▄█▀ ▄ ██ ▀█▄█ ▄█ ▄ ▀▄   ▄▄ ████ 
-████▄█▀▀▄ ▄▄ █▄█▄█▄ █▄▄▀▄▄▀▀▄▄██▀ ▄▀▄▄ ▀▄████ 
-████▀▄▀ ▄ ▄▀█ ▄ ▄█▀ █  ▀▄▄  ▄█▀ ▄▄   ▀▄▄ ████ 
-████  ▀███▄ █▄█▄▀▀▀▀▄ ▄█▄▄▀ ▀███ ▄▄█▄▄  ▄████ 
-████ ███▀ ▄▄▀▀██▀ ▄▀▄█▄▄▄ ██▄▄▀▄▀  ███▄ ▄████ 
-████▄████▄▄▄▀▄ █▄█▄▀▄▄▄▄██▀ ▄▀ ▄ ▄▄▄ █▄▄█████ 
-████ ▄▄▄▄▄ █▄▄▄ ▄█▀█▀▀▀▀█▀█▀ █▄█ █▄█ ▄█  ████ 
-████ █   █ █ ██▄▀▀▀▀▄▄▄▀ ▄▄▄  ▀ ▄    ▄ ▄▄████ 
-████ █▄▄▄█ █ ▀▀█▀ ▄▄█ █▄▄██▀▀█▀ █▄▀▄██▄█ ████ 
-████▄▄▄▄▄▄▄█▄█▄█▄█▄▄▄▄▄█▄▄▄█▄██████▄██▄▄▄████ 
-█████████████████████████████████████████████ 
-█████████████████████████████████████████████ 
-# To add this OTP key to configuration, run the following commands: 
-set system login user otptester authentication otp key 'J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY' 
-set system login user otptester authentication otp rate-limit '2' 
-set system login user otptester authentication otp rate-time '20' 
-set system login user otptester authentication otp window-size '5' 
- 
-</code> 
- 
-=== Display OTP key for user === 
- 
-To display the configured OTP user key, use the command: 
- 
-[[login|login.html]] 
- 
-An example: 
- 
-<code> 
- 
-vyos@vyos:~$ sh system login authentication user otptester otp full 
-# You can share it with the user, he just needs to scan the QR in his OTP app 
-# username: otptester 
-# OTP KEY: J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY 
-# OTP URL: otpauth://totp/otptester@vyos?secret=J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY&digits=6&period=30 
-█████████████████████████████████████████████ 
-█████████████████████████████████████████████ 
-████ ▄▄▄▄▄ █▀█ █▄   ▀▄▀▄█▀▄  ▀█▀ █ ▄▄▄▄▄ ████ 
-████ █   █ █▀▀▀█ ▄▀ █▄▀ ▀▄ ▄ ▀  ▄█ █   █ ████ 
-████ █▄▄▄█ █▀ █▀▀██▄▄ █ █ ██ ▀▄▀ █ █▄▄▄█ ████ 
-████▄▄▄▄▄▄▄█▄▀ ▀▄█ █ ▀ █ █ █ █▄█▄█▄▄▄▄▄▄▄████ 
-████ ▄   █▄ ▄ ▀▄▀▀▀▀▄▀▄▀▄▄▄▀▀▄▄▄  █ █▄█ █████ 
-████▄▄ ██▀▄▄▄▀▀█▀ ▄ ▄▄▄ ▄▀ ▀ █ ▄ ▄ ██▄█  ████ 
-█████▄  ██▄▄▀█▄█▄█▄ ▀█▄▀▄ ▀█▀▄ █▄▄▄ ▄   ▄████ 
-████▀▀▄   ▄█▀▄▀ ▄█▀█▀▄▄▄▀█▄ ██▄▄▄  ▀█ █  ████ 
-████ ▄▀▄█▀▄▄█▀▀▄▀▀▀▀█ ▄▀▄▀ ▄█ ▀▄  ▄ ▄▀ █▄████ 
-████▄ ██ ▀▄▀▀ ▄█▀ ▄ ██ ▀█▄█ ▄█ ▄ ▀▄   ▄▄ ████ 
-████▄█▀▀▄ ▄▄ █▄█▄█▄ █▄▄▀▄▄▀▀▄▄██▀ ▄▀▄▄ ▀▄████ 
-████▀▄▀ ▄ ▄▀█ ▄ ▄█▀ █  ▀▄▄  ▄█▀ ▄▄   ▀▄▄ ████ 
-████  ▀███▄ █▄█▄▀▀▀▀▄ ▄█▄▄▀ ▀███ ▄▄█▄▄  ▄████ 
-████ ███▀ ▄▄▀▀██▀ ▄▀▄█▄▄▄ ██▄▄▀▄▀  ███▄ ▄████ 
-████▄████▄▄▄▀▄ █▄█▄▀▄▄▄▄██▀ ▄▀ ▄ ▄▄▄ █▄▄█████ 
-████ ▄▄▄▄▄ █▄▄▄ ▄█▀█▀▀▀▀█▀█▀ █▄█ █▄█ ▄█  ████ 
-████ █   █ █ ██▄▀▀▀▀▄▄▄▀ ▄▄▄  ▀ ▄    ▄ ▄▄████ 
-████ █▄▄▄█ █ ▀▀█▀ ▄▄█ █▄▄██▀▀█▀ █▄▀▄██▄█ ████ 
-████▄▄▄▄▄▄▄█▄█▄█▄█▄▄▄▄▄█▄▄▄█▄██████▄██▄▄▄████ 
-█████████████████████████████████████████████ 
-█████████████████████████████████████████████ 
-# To add this OTP key to configuration, run the following commands: 
-set system login user otptester authentication otp key 'J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY' 
-set system login user otptester authentication otp rate-limit '2' 
-set system login user otptester authentication otp rate-time '20' 
-set system login user otptester authentication otp window-size '5' 
- 
-</code> 
- 
-Once a user has 2FA/OTP configured against their account, they must log in
-using their password with the OTP code appended to it.
-For example: if the user's password is vyosrocks and the OTP code is 817454,
-then they would enter their password as vyosrocks817454
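The window-size, rate-limit and rate-time settings and the password-plus-code login format described in this section can be reproduced outside the router to understand what each parameter accepts. The following is an added example, not VyOS code: it implements RFC 6238 TOTP over the BASE32 secret format shown in the otpauth:// URL above, applies the window and rate-limit semantics as the page describes them, and splits a "password + 6-digit code" login string; the secret and timestamps used in the test are illustrative.

```python
import base64
import hashlib
import hmac
import struct

def _key(secret_b32: str) -> bytes:
    """Decode the BASE32 secret shown in the otpauth:// URL (secret=...)."""
    s = secret_b32.strip().upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32: str, at: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = unix time // period (period=30)."""
    return hotp(_key(secret_b32), at // period, digits)

def verify_totp(secret_b32: str, code: str, at: int, window_size: int = 3,
                period: int = 30, digits: int = 6) -> bool:
    """Accept `code` if it matches one of `window_size` consecutive steps centred
    on the current one: 3 = previous/current/next, 17 = 8 before, current, 8 after."""
    half = (window_size - 1) // 2          # even sizes round down to the odd size below
    key, step = _key(secret_b32), at // period
    return any(hmac.compare_digest(hotp(key, c, digits), code)
               for c in range(step - half, step + half + 1))

def split_password_otp(entered: str, digits: int = 6):
    """VyOS expects the OTP code appended to the password; split it off.
    Returns (password, code), or None when no trailing code is present."""
    if len(entered) <= digits or not entered[-digits:].isdigit():
        return None
    return entered[:-digits], entered[-digits:]

def within_rate_limit(attempts: list, now: int, rate_limit: int = 3,
                      rate_time: int = 30) -> bool:
    """True while fewer than `rate_limit` attempts fall in the last `rate_time`
    seconds (the OTP rate-limit / rate-time settings, defaults 3 and 30)."""
    return sum(1 for t in attempts if now - rate_time < t <= now) < rate_limit

def check_login(entered: str, password: str, secret_b32: str, at: int,
                window_size: int = 3) -> bool:
    """Password-plus-TOTP check for a user who has an OTP key configured."""
    parts = split_password_otp(entered)
    if parts is None or not hmac.compare_digest(parts[0], password):
        return False
    return verify_totp(secret_b32, parts[1], at, window_size)
```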
- 
-===== RADIUS ===== 
- 
-In large deployments it is not reasonable to configure each user individually 
-on every system. VyOS supports using RADIUS servers as backend for user authentication. 
- 
-==== Configuration ==== 
- 
-[[login|login.html]] 
- 
-Specify the IP <address> of the RADIUS server, using the pre-shared secret
-given in <secret>.
- 
-Multiple servers can be specified. 
- 
-[[login|login.html]] 
- 
-Configure the port on which the RADIUS server can be reached.
- 
-This defaults to 1812. 
- 
-[[login|login.html]] 
- 
-Temporarily disable this RADIUS server. It won’t be queried.
- 
-[[login|login.html]] 
- 
-Set the <timeout> in seconds used when querying the RADIUS server.
- 
-[[login|login.html]] 
- 
-RADIUS servers can be hardened by only allowing certain IP addresses to
-connect. For this reason the source address of each RADIUS query can be
-configured.
-
-If unset, queries to the RADIUS server will be sent from the nearest
-interface address pointing towards the server, making this error-prone on
-e.g. OSPF networks when a link fails and a backup route is taken.
- 
-[[login|login.html]] 
- 
-Source all connections to the RADIUS servers from given VRF <name> . 
- 
-==== Configuration Example ==== 
- 
-<code>
-
-set system login radius server 192.168.0.2 key 'test-vyos'
-set system login radius server 192.168.0.2 port '1812'
-set system login radius server 192.168.0.2 timeout '5'
-set system login radius source-address '192.168.0.1'
-
-</code>
-
-If there is no communication between VyOS and the RADIUS server, users can
-authenticate with local user accounts. During authentication with local
-accounts users may observe some delay; the delay in seconds depends on
-the configured timeout option.
- 
-Hint 
- 
-If you want admin users to authenticate via RADIUS it is
-essential to send the attribute. Without
-the attribute you will only get regular, non-privileged, system users.
- 
-===== TACACS+ ===== 
- 
-In addition to RADIUS, TACACS can also be
-found in large deployments.
-
-TACACS is defined in [[doc:html:rfc8907|RFC 8907]].
- 
-==== Configuration ==== 
- 
-[[login|login.html]] 
- 
-Specify the IP <address> of the TACACS server, using the pre-shared secret
-given in <secret>.
- 
-Multiple servers can be specified. 
- 
-[[login|login.html]] 
- 
-Configure the port on which the TACACS server can be reached.
- 
-This defaults to 49. 
- 
-[[login|login.html]] 
- 
-Temporarily disable this TACACS server. It won’t be queried.
- 
-[[login|login.html]] 
- 
-Set the <timeout> in seconds used when querying the TACACS server.
- 
-[[login|login.html]] 
- 
-TACACS servers can be hardened by only allowing certain IP addresses to
-connect. For this reason the source address of each TACACS query can be
-configured.
-
-If unset, queries to the TACACS server will be sent from the nearest
-interface address pointing towards the server, making this error-prone on
-e.g. OSPF networks when a link fails and a backup route is taken.
- 
-[[login|login.html]] 
- 
-Source all connections to the TACACS servers from given VRF <name> . 
- 
-==== Configuration Example ==== 
- 
-<code>
-
-set system login tacacs server 192.168.0.2 key 'test-vyos'
-set system login tacacs server 192.168.0.2 port '49'
-set system login tacacs source-address '192.168.0.1'
-
-</code>
-
-If there is no communication between VyOS and the TACACS server, users can
-authenticate with local user accounts.
- 
-===== Login Banner ===== 
- 
-You are able to set post-login or pre-login banner messages to display certain 
-information for this system. 
- 
-[[login|login.html]] 
- 
-Configure <message> which is shown during SSH connect and before a user is 
-logged in. 
- 
-[[login|login.html]] 
- 
-Configure <message> which is shown after a user has logged in to the system.
- 
-Note 
- 
-To create a new line in your login message you need to escape the new 
-line character by using \\n . 
- 
-===== Limits ===== 
- 
-Login limits 
- 
-[[login|login.html]] 
- 
-Set a limit on the maximum number of concurrently logged-in users on
-the system.
-
-This option must be used together with the timeout option.
- 
-[[login|login.html]] 
- 
-Configure session timeout after which the user will be logged out. 
- 
-===== Example ===== 
- 
-In the following example, both User1 and User2 will be able to SSH into
-VyOS as user vyos using their own keys. User1 is restricted to
-connecting from a single IP address only. In addition, if password-based login
-is wanted for the vyos user, a 2FA/MFA keycode is required in addition to
-the password.
- 
-<code> 
- 
-set system login user vyos authentication public-keys 'User1' key "AAAAB3Nz...KwEW" 
-set system login user vyos authentication public-keys 'User1' type ssh-rsa 
-set system login user vyos authentication public-keys 'User1' options "from=&quot;192.168.0.100&quot;" 
- 
-set system login user vyos authentication public-keys 'User2' key "AAAAQ39x...fbV3" 
-set system login user vyos authentication public-keys 'User2' type ssh-rsa 
- 
-set system login user vyos authentication otp key OHZ3OJ7U2N25BK4G7SOFFJTZDTCFUUE2 
-set system login user vyos authentication plaintext-password vyos 
- 
-</code> 
- 
-==== TACACS Example ==== 
- 
-We use a container providing the TACACS server in this example.
- 
-Load the container image in op-mode. 
- 
-<code> 
- 
-add container image lfkeitel/tacacs_plus:latest 
- 
-</code> 
- 
-<code> 
- 
-set container network tac-test prefix '100.64.0.0/24' 
- 
-set container name tacacs1 image 'lfkeitel/tacacs_plus:latest' 
-set container name tacacs1 network tac-test address '100.64.0.11' 
- 
-set container name tacacs2 image 'lfkeitel/tacacs_plus:latest' 
-set container name tacacs2 network tac-test address '100.64.0.12' 
- 
-set system login tacacs server 100.64.0.11 key 'tac_plus_key' 
-set system login tacacs server 100.64.0.12 key 'tac_plus_key' 
- 
-commit 
- 
-</code> 
- 
-You can now SSH into your system using admin/admin as a default user supplied 
-from the lfkeitel/tacacs_plus:latest container. 
vyos/off-wiki/latest/configuration/system/login.1741723907.txt.gz · Last modified: 2025/03/11 20:11 — 127.0.0.1