User Accounts
In addition to the two factory accounts user and admin, you may also authenticate using local accounts, RADIUS, or TACACS+.
Named SSH Keys
With a named SSH key imported for alice, she can log in with
ssh alice@10.0.0.1
whether or not a local account, TACACS+ account, or RADIUS account exists. Moreover, if a local account, TACACS+ account, or RADIUS account named alice exists in the user class but Alice's SSH authorized key exists in the admin class, Alice can still authenticate as an administrator because SSH keys take precedence over other authentication methods and account types. Conversely, if Alice's SSH key were imported into the user class but a local account, TACACS+ account, or RADIUS account in the admin class were created for Alice, she would by default log in as an ordinary user and not as an administrator. This happens because SSH clients usually try public key authentication before attempting password-based authentication. To authenticate using password-based authentication when public key authentication is an option, use the -o option:
ssh -o PubkeyAuthentication=no alice@10.0.0.1
SSH authorized keys also take precedence over the default factory accounts. If you disable the factory accounts but import an SSH key as the admin user, you can still authenticate with ssh admin@10.0.0.1 even when factory accounts are disabled.
When removing a user from a system, remember to remove any named SSH keys.
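To make the precedence rules in this section checkable against an account inventory, here is an added Python example (not Oracle's code and not the device's own authentication logic): it resolves which class a login gets under the rules above and flags keys whose class differs from the account of the same name. The Inventory type and the account names are constructed.

```python
"""Model of the login-precedence rules for named SSH keys on the ESBC.
Constructed example for auditing an inventory; not Oracle code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FACTORY_ACCOUNTS = {"user": "user", "admin": "admin"}   # name -> class


@dataclass
class Inventory:
    ssh_keys: Dict[str, str]   # named SSH keys: username -> "user" | "admin"
    accounts: Dict[str, str]   # local/RADIUS/TACACS+ accounts: username -> class
    factory_enabled: bool = True


def effective_class(inv: Inventory, username: str, pubkey_auth: bool = True) -> Optional[str]:
    """Class a login resolves to, or None if nothing authenticates the name.
    An SSH authorized key wins over any account of the same name and its
    class sets the privilege level; with PubkeyAuthentication=no the client
    falls through to the account (or factory account) instead."""
    if pubkey_auth and username in inv.ssh_keys:
        return inv.ssh_keys[username]
    if username in inv.accounts:
        return inv.accounts[username]
    if inv.factory_enabled and username in FACTORY_ACCOUNTS:
        return FACTORY_ACCOUNTS[username]
    return None


def key_findings(inv: Inventory) -> List[Tuple[str, str]]:
    """Flag keys whose class differs from the account of the same name (the
    key class is what the login actually gets) and keys that keep a factory
    account reachable after factory accounts were disabled."""
    findings = []
    for name, key_class in inv.ssh_keys.items():
        acct_class = inv.accounts.get(name)
        if acct_class is not None and acct_class != key_class:
            findings.append((name, f"key class {key_class} overrides account class {acct_class}"))
        if name in FACTORY_ACCOUNTS and not inv.factory_enabled:
            findings.append((name, "factory account disabled but its SSH key still logs in"))
    return findings


if __name__ == "__main__":
    inv = Inventory(ssh_keys={"alice": "admin", "admin": "admin"},
                    accounts={"alice": "user", "bob": "admin"},
                    factory_enabled=False)
    print(effective_class(inv, "alice"))                     # admin: the key wins
    print(effective_class(inv, "alice", pubkey_auth=False))  # user: -o PubkeyAuthentication=no
    for name, why in key_findings(inv):
        print(f"{name}: {why}")
```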
Local User Accounts
The ESBC comes with two local, factory accounts for access. System administrators may create additional local accounts for each user or administrator who needs to access the ESBC. Local accounts ensure your ability to audit an individual's activity on the ESBC.
When creating local accounts, you must specify the username and the user class. Usernames must be unique, and neither user nor admin may be used. There are two user classes: user and admin.
Local accounts in the user class have the same access level as the factory user account, and local accounts in the admin class have the same access level as the factory admin account. After a second administrator account has been created, you may disable the factory user and admin accounts. The ESBC requires at least one administrator account. Only administrators may delete accounts, and administrators may not delete their own account. Use the factory-accounts command to disable or re-enable the factory accounts.
The cli.audit.log file records the timestamp, the local account name, the connecting IP address, and the command run by any user or administrator. For example:
2020-10-01 15:35:06.530 TaskID: 0xab7c8710, admin@10.2.2.7 : 'show users'
2020-10-01 15:36:14.112 TaskID: 0xab7c8710, alice@10.2.2.8 : 'show users'
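As an added example of working with that record format (not Oracle's code), the following Python parses cli.audit.log lines and applies three review rules: factory-account activity after factory accounts were disabled, commands from a name that is on no account list the reviewer knows (a named SSH key needs no account), and any account-management command. The sample lines, the known-account set and the factory-accounts state are constructed inputs.

```python
"""Parser and review rules for cli.audit.log records. Constructed example,
not Oracle code; known_accounts and factory_disabled come from the caller."""
import re
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed sample in the page's record format: one factory-account login,
# one named local account, and one name that is on no account list.
SAMPLE_LOG = """\
2020-10-01 15:35:06.530 TaskID: 0xab7c8710, admin@10.2.2.7 : 'show users'
2020-10-01 15:36:14.112 TaskID: 0xab7c8710, alice@10.2.2.8 : 'show users'
2020-10-01 15:40:02.007 TaskID: 0xab7c8710, carol@10.2.2.9 : 'local-accounts add dave admin'
"""

RECORD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"TaskID: (?P<task>0x[0-9a-fA-F]+), "
    r"(?P<user>[^@\s]+)@(?P<ip>[0-9.]+) : '(?P<cmd>.*)'$")

FACTORY_ACCOUNTS = {"user", "admin"}
# Commands that change who can log in; worth a second look whoever ran them.
ACCOUNT_COMMANDS = ("local-accounts", "factory-accounts", "ssh-key")


def parse_audit_log(text: str) -> List[Dict[str, object]]:
    """Return one dict per well-formed record; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m is None:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S.%f")
        records.append(rec)
    return records


def review(records, known_accounts: Set[str], factory_disabled: bool) -> List[Tuple[str, str]]:
    """Flag factory accounts still active after being disabled (a named SSH
    key still lets them in), names with no known account, and any
    account-management command."""
    alerts = []
    for rec in records:
        who, cmd = rec["user"], rec["cmd"]
        if who in FACTORY_ACCOUNTS and factory_disabled:
            alerts.append((who, "factory account active although factory accounts are disabled"))
        elif who not in FACTORY_ACCOUNTS and who not in known_accounts:
            alerts.append((who, "command from a name with no known account"))
        if cmd.startswith(ACCOUNT_COMMANDS):
            alerts.append((who, f"account-management command: {cmd}"))
    return alerts
```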
Local Accounts and TACACS+
When the tacacs-authentication-only attribute is enabled in the security configuration element or when the Admin Security entitlement is enabled, authentication to a local account changes when TACACS+ is configured. If a TACACS+ server is configured and available, authentication uses TACACS+ and the ESBC rejects attempts to authenticate to local accounts. If a TACACS+ server is configured but unavailable, the ESBC allows authentication to local accounts. This ensures that, when TACACS+ is configured, authentication to local accounts is only possible when the TACACS+ server is down. If no TACACS+ server is configured, local accounts are accessible.
Manage Local Accounts
Use the local-accounts command to create, delete, or modify individual accounts. Use the factory-accounts command to disable or re-enable the default user and admin accounts.
Create a Local Account
The syntax to add a local account:
local-accounts add <username> <class>
Usernames must start with a lower case letter or an underscore; use only lower case letters, digits, underscores, or dashes; and not exceed 31 characters. The two options for <class> are user and admin.
- Create an account.
To create an account for a user named Jamie:
ORACLE# local-accounts add jamie user
To create an account for an administrator named Jamie:
ORACLE# local-accounts add jamie admin
- Enter and confirm the password for the new account.
- Save and activate the configuration.
Modify the Password of a Local Account
Local administrator accounts may change the password of any local account, but they may not change the password of the factory default accounts.
local-accounts change-password <username>
- Log in as an administrator.
- Use the local-accounts command to change the password of a local account.
ORACLE# local-accounts change-password jamie
- Enter the current password for that local account.
- Enter and confirm a new password for that local account.
The ESBC saves and activates the configuration.
Reset a Local Account Password
local-accounts reset <username>
- Log in as an administrator.
- Reset a user's password by creating a temporary password.
ORACLE# local-accounts reset jamie
- Confirm you want to reset the local account password.
- Enter and confirm the temporary password for that user.
- Communicate the temporary password to that user.
The ESBC saves and activates the configuration.
The ESBC will force the user jamie to choose a new password the next time that user logs in.
Delete a Local Account
local-accounts delete <username>
- Log in as an administrator.
- Delete the account.
ORACLE# local-accounts delete jamie
- Confirm you want to delete the account.
- Save and activate the configuration.
- Delete any saved authorized keys for that user.
ORACLE# ssh-key authorized-key delete jamie
- Use the show users command to display active sessions.
ORACLE# show users
Index   remote-address     IdNum    duration     type     state    User
------------------------------------------------------------------------------
    2   10.0.0.1:59378     7849     00:01:46     ssh      priv   * admin
    1   10.0.0.1:59373     7842     00:01:57     ssh      user     jamie
    0   127.0.0.1          2701     04:17:39     console  user
- Kill any active sessions of the old user.
ORACLE# kill ssh 1
Killing ssh session [1]
Successfully killed session [ssh-jamie@10.0.0.1] at index[1]
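For the last two steps of this procedure, here is an added Python example (not Oracle's code) that parses the show users table and lists the kill commands for any sessions a deleted account still holds, skipping the administrator's own session, which show users marks with an asterisk; it also lists sessions logged in as a factory account, which should be empty once those accounts are disabled. The sample table is constructed in the layout shown above.

```python
"""Offboarding helper: parse the show users table and derive the kill
commands for a deleted account's leftover sessions. Constructed example,
not Oracle code."""
from typing import Dict, List

# Constructed sample in the show users layout: '*' marks the session issuing
# the command, and the console row carries no user name.
SAMPLE_SHOW_USERS = """\
ORACLE# show users
Index   remote-address     IdNum    duration     type     state    User
------------------------------------------------------------------------------
    2   10.0.0.1:59378     7849     00:01:46     ssh      priv   * admin
    1   10.0.0.1:59373     7842     00:01:57     ssh      user     jamie
    0   127.0.0.1          2701     04:17:39     console  user
"""


def parse_show_users(text: str) -> List[Dict[str, object]]:
    """One dict per session row; prompt, header and rule lines are skipped."""
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].isdigit():
            continue
        index, addr, idnum, duration, stype, state = parts[:6]
        rest = parts[6:]   # optional '*' marker and optional user name
        sessions.append({
            "index": int(index), "addr": addr, "idnum": int(idnum),
            "duration": duration, "type": stype, "state": state,
            "user": next((p for p in rest if p != "*"), None),
            "current": "*" in rest,   # the administrator's own session
        })
    return sessions


def kill_commands(sessions, removed_user: str) -> List[str]:
    """kill <type> <index> for each session still held by the removed account.
    The current session is never listed, even if it belongs to that name."""
    return [f"kill {s['type']} {s['index']}"
            for s in sessions if s["user"] == removed_user and not s["current"]]


def factory_sessions(sessions) -> List[int]:
    """Indexes of sessions logged in as the factory user or admin account."""
    return [s["index"] for s in sessions if s["user"] in ("user", "admin")]
```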
Viewing Local Accounts
To view the local accounts on the ESBC, use the show configuration local-accounts command.
ORACLE# show configuration local-accounts
local-accounts
user-name jamie
user-class user
user-password ******
last-modified-by admin@10.0.0.1
last-modified-date 2020-09-28 17:11:38
ORACLE#
Note: The local-accounts argument to the show command must be written out in full.
Disable the Default Accounts
If you have created a second administrator account, you can disable the default user and admin accounts.
- Log in as an administrator.
- Run the factory-accounts command.
ORACLE# factory-accounts disable
- Save and activate the configuration.
Re-enable the Default Accounts
If you have disabled the default user and admin accounts, you can re-enable them.
- Run the factory-accounts command.
ORACLE# factory-accounts enable
- Save and activate the configuration.