1.4.1. Users

Overview

Two user roles are available:

  • viewer for use in operational mode where the configuration cannot be changed, only commands to troubleshoot or monitor are available.

    This is the default role for new users.

  • admin for use in configuration mode, with full access.

Three user accounts are provided by default:

Account

Default password

Description

admin

admin

The standard account for configuration. It has the admin role.

viewer

viewer

A restricted account for monitoring purposes. It has the viewer role.

root

6windos

Provides the ability to log into the Linux subsystem as superuser. Note that any configuration or customization of the 6WINDGate in this mode is out of the support scope, may break the system, and will be lost after an update.

Warning

For security reasons, it is recommended to change the default passwords of preconfigured users. See Changing Passwords.

Changing Passwords

CLI users

To change the admin user password, go in the system auth user admin context:

vsr running config# system auth user admin
vsr running user admin#! role admin
vsr running user admin# password
Enter value for password> **********
vsr running user admin# commit
Configuration applied.

For security reasons, the password is not stored in clear-text in the configuration. A hash is stored instead.

vsr running user admin# show config
user admin
    role admin
    password $5$Ndx/QlMS5Anp7LTq$Lws2OmAm0SO.cBmPBGtdpwnfdAM4hDM4AdSO4ncXjS/

It is also possible to directly set the password as a hashed value. To generate a hashed password on a Linux machine, use mkpasswd, which is provided in the whois package:

root@host:~# mkpasswd -m SHA-256
Password: **********
$5$Ndx/QlMS5Anp7LTq$Lws2OmAm0SO.cBmPBGtdpwnfdAM4hDM4AdSO4ncXjS/

root user

Changing the password for the root user is done through the Linux shell:

root@vsr:~# passwd
Enter new UNIX password: ********
Retype new UNIX password: ********
passwd: password updated successfully

Creating Users

To create a new user, go into the config system auth context, and add a new user with the following commands:

vsr running user admin# ..
vsr running auth# user john
vsr running user john# role admin
vsr running user john# password
Enter value for password> **********
vsr running user john# commit
Configuration applied.

Let’s display what has been sent to the NETCONF server:

vsr running user john# show config xml absolute
<config xmlns="urn:6wind:vrouter">
  <system xmlns="urn:6wind:vrouter/system">
    <auth xmlns="urn:6wind:vrouter/system/auth">
      <user>
        <name>john</name>
        <role>admin</role>
        <password>$5$iqsVCbCmIYRF.Sht$lCwP.HDLxtTnzz33uXX7ZdTR6xdSdnUoabRMxHYXjI9</password>
      </user>
    </auth>
  </system>
</config>

Now that the configuration is applied, let’s see the state of our user:

vsr running user john# show state
user john
    password $5$iqsVCbCmIYRF.Sht$lCwP.HDLxtTnzz33uXX7ZdTR6xdSdnUoabRMxHYXjI9
    role admin
    ..

The user john has the admin role. This means he can edit the configuration, read protected nodes (such as passwords) and run privileged commands.

Configuring SSH Authorized Keys

SSH authentication can be used to login to 6WINDGate without a password.

This requires to configure one or more authorized-key.

Generating a key pair

First, you need to generate a key pair on a remote machine.

user@my-laptop:~$ ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_ecdsa):
Enter passphrase (empty for no passphrase): ********
Enter same passphrase again: ********
Your identification has been saved in /home/user/.ssh/id_ecdsa.
Your public key has been saved in /home/user/.ssh/id_ecdsa.pub.
The key fingerprint is:
SHA256:UrMHdqPxmoeV8DNYRtL0Il5cWAFfzZn7PHy4j2enH5A robobuild@ubuntu1604es
The key's randomart image is:
+---[ECDSA 256]---+
|        .o+++..oo|
|         +o+ . oo|
|        O O o   .|
|       + ^ +  .. |
|      . S O  E.o.|
|       . * o  oo+|
|        + .    oo|
|         .    ..=|
|              o*+|
+----[SHA256]-----+

Configuring an authorized-key for CLI users

Copy the public key file contents into the configuration:

user@my-laptop:~$ cat ~/.ssh/id_ecdsa.pub
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH2hK42JHtTYU1XRw2Zu4xCriM7CIXBl19p1/1qkapobkS6yCnwauqTEveBw1GOjwuTADvqQVozBoaLbY3KGmsI= user@my-laptop

vsr running user john# authorized-key "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH2hK42JHtTYU1XRw2Zu4xCriM7CIXBl19p1/1qkapobkS6yCnwauqTEveBw1GOjwuTADvqQVozBoaLbY3KGmsI= user@my-laptop"
vsr running user john# commit
Configuration applied.

Warning

NEVER copy the private key contents. Only the PUBLIC key.

Configuring an authorized-key for root user

This is done from the Linux shell. Copy the public key file contents into the /root/.ssh/authorized_keys file:

user@my-laptop:~$ cat ~/.ssh/id_ecdsa.pub
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH2hK42JHtTYU1XRw2Zu4xCriM7CIXBl19p1/1qkapobkS6yCnwauqTEveBw1GOjwuTADvqQVozBoaLbY3KGmsI= user@my-laptop

root@vsr:~# cat >> /root/.ssh/authorized_keys
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH2hK42JHtTYU1XRw2Zu4xCriM7CIXBl19p1/1qkapobkS6yCnwauqTEveBw1GOjwuTADvqQVozBoaLbY3KGmsI= user@my-laptop
<Ctrl+D>
root@vsr:~# chmod 600 /root/.ssh/authorized_keys

Checking the connection

After which you may check that the remote authentication works without a password:

user@my-laptop:~$ ssh -i ~/.ssh/id_ecdsa john@vsr
The authenticity of host 'vsr (10.0.0.58)' can't be established.
ECDSA key fingerprint is SHA256:nNerPB16BKwHmcex5IVKS7YMVt4VuaVavH3LId7uI6Q.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'vsr,10.0.0.58' (ECDSA) to the list of known hosts.
Enter passphrase for key '/home/user/.ssh/id_ecdsa': ********
Welcome to No Product - 6WIND Router Version 5.6.7

vsr>

Note

If you did set a passphrase on your private key, you will need to enter it.

See also

The command reference for details.

Monitoring user login events

There are two ways to monitor the users login events in 6WINDGate.

Using logs

The authpriv log facility contains the logs about failed and successful logins and logouts. The following logs show a failed login by the admin user using ssh, then a successful one, and a logout.

vsr> show log facility authpriv
Dec 06 18:07:50 ubuntu2004 sshd[59303]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1  user=admin
Dec 06 18:07:59 ubuntu2004 sshd[59303]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Dec 06 18:08:09 ubuntu2004 sshd[59303]: pam_unix(sshd:session): session closed for user admin

Using show logins

The show logins rpc displays the same information as the logs, but with filters.

The following command shows the last three login events for the admin user, limited to the events since 2022-12-06 18:07:52.

ubuntu2004> show logins max-lines 3 user admin since "2022-12-06 18:07:52"
user                 source           session start        session end          status
==================== ================ ==================== ==================== ========
admin                192.168.1.1      2022-12-06 18:10:38  still logged in      success
admin                192.168.1.1      2022-12-06 18:07:59  2022-12-06 18:08:09  success
admin                192.168.1.1      2022-12-06 18:07:52  2022-12-06 18:07:52  failure

See also

The command reference for details.