Syntax: [no] user user-name
Context: config>system>security
Description: This command creates a local user and a context to edit the user configuration.
If a new user-name is entered, the user is created. When an existing user-name is specified, the user parameters can be edited.
When a new user is created and the info command is entered, the system displays a password with hash2 encryption in the output. However, no password is required to log in as that user: the user can log in to the system by entering the username and then pressing ↵ at the password prompt.
Unless an administrator explicitly changes the password, it is null. The displayed hash is computed over the username and the null password field, so when the username is changed, the displayed hash value changes.
The no form of the command deletes the user and all of its configuration data. Users cannot delete themselves.
Default: n/a
Parameters:
    user-name: the name of the user, up to 32 characters
Syntax: user-template {tacplus_default | radius_default}
Context: config>system>security
Description: This command configures default security user template parameters.
Parameters:
    tacplus_default: specifies that the TACACS+ default template is used for the configuration
    radius_default: specifies that the RADIUS default template is used for the configuration
Syntax: [no] access [ftp] [snmp] [console] (user context)
        [no] access [ftp] [console] (user-template context)
Context: config>system>security>user
         config>system>security>user-template
Description: This command grants a user permission for FTP, SNMP, or console access.
If a user requires access to more than one application, multiple applications can be specified in a single command. Multiple commands are treated sequentially.
The no form of the command removes access for a specific application.
The no access command with no keyword denies permission for all management access methods. To deny a single access method, enter the no form of the command followed by the method to be denied; for example, no access ftp denies FTP access only.
Default: no access
Parameters:
    ftp: specifies FTP permission
    snmp: specifies SNMP permission. This keyword is only configurable in the config>system>security>user context.
    console: specifies console access (serial port or Telnet) permission
Syntax: console
Context: config>system>security>user
         config>system>security>user-template
Description: This command enables the context to configure user profile membership for the console.
Syntax: [no] cannot-change-password
Context: config>system>security>user>console
Description: This command controls whether a user is allowed to change their own password for both FTP and console login.
To disable a user's privilege to change their password, use the cannot-change-password form of the command; the no form restores that privilege.
The cannot-change-password flag is not replicated when a user copy is performed. A new-password-at-login flag is created instead.
Default: no cannot-change-password
Syntax: [no] login-exec url-prefix:source-url
Context: config>system>security>user>console
         config>system>security>user-template>console
Description: This command configures a user's login exec file, which executes whenever the user successfully logs in to a console session.
Only one exec file can be configured. If multiple login-exec commands are entered for the same user, each subsequent entry overwrites the previous entry.
The no form of the command disables the login exec file for the user.
Default: no login exec file is defined
Parameters:
    url-prefix:source-url: enter either a local or remote URL, up to 200 characters in length, that identifies the exec file that is executed after the user successfully logs in
Syntax: member user-profile-name [user-profile-name…]
        no member user-profile-name
Context: config>system>security>user>console
Description: This command allows the user access to a profile.
A user can participate in up to eight profiles.
The no form of this command deletes the user's access to a profile.
Default: default
Parameters:
    user-profile-name: the user profile name
Syntax: [no] new-password-at-login
Context: config>system>security>user>console
Description: This command forces the user to change passwords at the next console or FTP login.
If the user is limited to FTP access, the administrator must create the new password.
The no form of the command does not force the user to change passwords.
Default: no new-password-at-login
Syntax: home-directory url-prefix [directory] [directory/directory…]
        no home-directory
Context: config>system>security>user
         config>system>security>user-template
Description: This command configures the local home directory for the user for both console and FTP access.
If the URL or the specified URL/directory structure is not present, a warning message is issued and the default is assumed.
The no form of the command removes the configured home directory.
Default: no home-directory. If restricted-to-home has been configured, no file access is granted and no home directory is created; if restricted-to-home is not applied, root becomes the user's home directory.
Parameters:
    url-prefix [directory] [directory/directory…]: the user's local home directory URL prefix and directory structure, up to 190 characters in length
Syntax: password [password]
Context: config>system>security>user
Description: This command configures the user password for console and FTP access.
Passwords must be enclosed in double quotes (" ") when they are created if they contain any special characters (such as #, $, or spaces). The double quote character (") is not accepted inside a password; it is interpreted as the start or end delimiter of a string.
The question mark character (?) cannot be typed directly during a Telnet connection because the character is bound to the help command during a normal Telnet/console session. To insert # or ? characters, enter them in a notepad or clipboard program and then cut and paste them into the Telnet session, in the password field enclosed in double quotes.
If the command is entered without a password parameter, a zero-length password is implied (return key).
The password is stored in an encrypted format in the configuration file when specified.
Parameters:
    password: the password that must be entered by this user during the login procedure. The minimum length of the password is determined by the minimum-length command. The maximum length is as follows:
        56 characters if in unhashed plaintext. The unhashed plaintext form must meet all the requirements defined within the complexity-rules command context.
        60 characters if hashed with bcrypt
        87 to 92 characters if hashed with PBKDF2 SHA-2
        131 to 136 characters if hashed with PBKDF2 SHA-3
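The following Python script is an added example, not part of this reference or the 7705 SAR software. It composes a password statement according to the quoting rule, the zero-length case and the per-form maximum lengths described above, and lists the entry caveats for # and ?. The minimum-length value is passed in by the caller because it is a router setting; the complexity-rules are not evaluated; treating every non-alphanumeric character as "special" is an assumption made on the safe side.

```python
"""Compose and sanity-check a 7705 SAR 'password' statement.

Added example (not from the reference or the router software). It encodes
the quoting rule, the zero-length case and the per-form maximum lengths
stated for the password parameter. complexity-rules are router settings
that are not known here and are not evaluated; minimum-length is passed
in by the caller.
"""
import re
from typing import List, Optional

# Maximum lengths per form, as listed for the password parameter.
MAX_PLAINTEXT = 56
BCRYPT_LEN = 60
PBKDF2_SHA2_LENS = range(87, 93)    # 87 to 92
PBKDF2_SHA3_LENS = range(131, 137)  # 131 to 136

# Assumption: any character that is not a letter or digit counts as
# "special" (the text names #, $ and spaces) and forces double quoting.
NEEDS_QUOTES = re.compile(r"[^A-Za-z0-9]")


def classify_password_value(value: str) -> str:
    """Return which accepted form a value can be, judged by its length alone."""
    n = len(value)
    if n == 0:
        raise ValueError("empty value would configure a zero-length password")
    if n <= MAX_PLAINTEXT:
        return "plaintext"
    if n == BCRYPT_LEN:
        return "bcrypt"
    if n in PBKDF2_SHA2_LENS:
        return "pbkdf2-sha2"
    if n in PBKDF2_SHA3_LENS:
        return "pbkdf2-sha3"
    raise ValueError(f"length {n} matches no accepted password form")


def password_statement(value: str, minimum_length: Optional[int] = None) -> str:
    """Return the CLI line that sets value as the user password.

    minimum_length mirrors the router's minimum-length setting and is applied
    to plaintext values only; hashed forms are accepted by length alone.
    """
    if '"' in value:
        raise ValueError("the double quote is the string delimiter and "
                         "cannot appear inside a password")
    form = classify_password_value(value)
    if form == "plaintext" and minimum_length is not None and len(value) < minimum_length:
        raise ValueError(f"plaintext password shorter than minimum-length {minimum_length}")
    if NEEDS_QUOTES.search(value):
        return f'password "{value}"'
    return f"password {value}"


def is_accepted(value: str, minimum_length: Optional[int] = None) -> bool:
    """True when password_statement accepts value, False when it rejects it."""
    try:
        password_statement(value, minimum_length)
    except ValueError:
        return False
    return True


def entry_caveats(value: str) -> List[str]:
    """Warnings about typing the value over a Telnet/console session."""
    notes: List[str] = []
    if "?" in value:
        notes.append("'?' is bound to help on Telnet/console: paste the quoted value instead of typing it")
    if "#" in value:
        notes.append("'#' must be pasted into the quoted password field rather than typed")
    return notes


if __name__ == "__main__":
    # Constructed candidates: a plain value, one needing quotes, and a 60-character (bcrypt-length) value.
    for candidate in ("Corr3ctHorse", "p@ss w0rd#1", "x" * 60):
        print(password_statement(candidate), entry_caveats(candidate))
```

Values of 57 to 59, 61 to 86, 93 to 130 or more than 136 characters fit none of the listed forms and are rejected before any statement is produced.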
Syntax: public-keys
Context: config>system>security>user
Description: This command enables the context to configure public keys for SSH.
Syntax: ecdsa
Context: config>system>security>user>public-keys
Description: This command enables the context to configure ECDSA public keys.
Syntax: ecdsa-key key-id [create]
        no ecdsa-key key-id
Context: config>system>security>user>public-keys>ecdsa
Description: This command creates an ECDSA public key and associates it with the specified user. Multiple public keys can be associated with the user. The key ID is used to identify these keys for the user.
Default: n/a
Parameters:
    key-id: the key identifier
    create: keyword required when first creating the ECDSA key. After the key is created, you can navigate into the context without the create keyword.
Syntax: key-value public-key-value
        no key-value
Context: config>system>security>user>public-keys>ecdsa>ecdsa-key
         config>system>security>user>public-keys>rsa>rsa-key
Description: This command configures a value for the ECDSA or RSA public key. The public key must be enclosed in quotation marks. For ECDSA, the key is between 1 and 1024 bits. For RSA, the key is between 768 and 4096 bits.
Default: no key-value
Parameters:
    public-key-value: the value for the ECDSA or RSA key
Syntax: rsa
Context: config>system>security>user>public-keys
Description: This command enables the context to configure RSA public keys.
Syntax: rsa-key key-id [create]
        no rsa-key key-id
Context: config>system>security>user>public-keys>rsa
Description: This command creates an RSA public key and associates it with the specified user. Multiple public keys can be associated with the user. The key ID is used to identify these keys for the user.
Parameters:
    key-id: the key identifier
    create: keyword required when first creating the RSA key. After the key is created, you can navigate into the context without the create keyword.
Syntax: [no] restricted-to-home
Context: config>system>security>user
         config>system>security>user-template
Description: This command prevents users from navigating above their home directory for file access. The user cannot navigate to a directory higher in the directory tree on the home directory device, but can create and access subdirectories below the home directory.
If a home directory is not configured or the home directory is not available, the user has no file access.
The no form of the command allows the user to navigate to directories above their home directory.
Default: no restricted-to-home
Syntax: snmp
Context: config>system>security>user
Description: This command enables the context to configure SNMP group membership for a specific user and to define encryption and authentication parameters.
All SNMPv3 users must be configured with the commands available in this CLI context.
The 7705 SAR always uses the configured SNMPv3 username as the security username.
Syntax: authentication none
        authentication authentication-protocol authentication-key [privacy none] [hash | hash2]
        authentication authentication-protocol authentication-key privacy privacy-protocol privacy-key [hash | hash2]
        no authentication
Context: config>system>security>user>snmp
Description: This command configures the SNMPv3 authentication and privacy protocols that the user uses to communicate with the router. The keys are stored in an encrypted format in the configuration.
The keys configured with these commands must be localized keys, which are a hash of the SNMP engine ID and a password. The password is not entered directly in this command. Use the generate-key command in the tools>perform>system>management-interface>snmp context to generate localized authentication and privacy keys. See the 7705 SAR OAM and Diagnostics Guide, "Tools Perform Commands", for information about this command.
If authentication none is configured, only the username is required to allow and authenticate SNMPv3 operations.
The no form of the command prevents the username used to configure the command from being recognized by SNMP, and the same user cannot be used for any SNMP operations.
Default: authentication none (no authentication protocol is configured and privacy cannot be configured)
Parameters:
    none: specifies that no authentication protocol is used
    authentication-protocol authentication-key: specifies the SNMPv3 authentication protocol and localized authentication key
    privacy privacy-protocol privacy-key: specifies the SNMPv3 privacy protocol and localized privacy key
    privacy none: specifies that a privacy protocol is not used in the communication
    hash: specifies that the key is entered in an encrypted form. If the hash parameter is not used, the key is assumed to be in unencrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash parameter specified.
    hash2: specifies that the key is entered in a more complex encrypted form. If the hash2 parameter is not used, the less encrypted hash form is assumed.
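The following Python script is an added example, not part of this reference or the 7705 SAR software. It applies the points made in the user, password, access, restricted-to-home and snmp authentication command descriptions to a constructed configuration dump and reports, per user, the settings a reviewer would want to see changed: a null or zero-length password, a home directory without restricted-to-home, SNMP access with authentication none, a localized key not stored in the hash2 form, and privacy none. The dump's shape (one statement per line, nested contexts indented and closed by exit), the user names, the URL prefixes and the hash and key strings are all constructed placeholders, and the protocol keyword sha is an assumption; only the command names and keywords come from this page.

```python
"""Audit a 7705 SAR local-user configuration dump for weak settings.

Added example, not part of the reference or the router software. It parses
a constructed show-config style dump (assumed shape: one statement per
line, nested contexts indented and closed by 'exit') and reports, per user:
  null-password                  no password statement, or one with no value
  home-directory-not-restricted  home-directory set without restricted-to-home
  snmp-no-authentication         SNMP access with 'authentication none'
  snmp-key-not-hash2             localized key stored without the hash2 form
  snmp-no-privacy                authentication configured with privacy none
"""
import re
from typing import Dict, List, Tuple

Node = Tuple[str, list]  # (statement, child nodes)

# Constructed sample. User names, URL prefixes, the hash placeholder and the
# localized-key placeholder are invented; 'sha' as the protocol keyword is assumed.
SAMPLE_CONFIG = """\
system
    security
        user "ops-null"
            access console ftp
            console
                member "default"
            exit
        exit
        user "backup"
            password "<constructed-bcrypt-hash-placeholder>"
            access ftp
            home-directory cf3:/home/backup
        exit
        user "monitor"
            password "<constructed-bcrypt-hash-placeholder>"
            access snmp
            snmp
                authentication none
                group "readonly"
            exit
        exit
        user "telemetry"
            password "<constructed-bcrypt-hash-placeholder>"
            access snmp
            snmp
                authentication sha "<constructed-localized-key>" privacy none hash
                group "readonly"
            exit
        exit
        user "hardened"
            password "<constructed-bcrypt-hash-placeholder>"
            access console
            restricted-to-home
            home-directory cf3:/home/hardened
            console
                new-password-at-login
                member "default"
            exit
        exit
    exit
exit
"""

USER_RE = re.compile(r'^user\s+"?([^"\s]+)"?$')


def parse_blocks(text: str) -> List[Node]:
    """Build a statement tree from indentation; 'exit' lines add no information."""
    root: List[Node] = []
    stack: List[Tuple[int, list]] = [(-1, root)]
    for raw in text.splitlines():
        stmt = raw.strip()
        if not stmt or stmt == "exit":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= indent:
            stack.pop()
        node: Node = (stmt, [])
        stack[-1][1].append(node)
        stack.append((indent, node[1]))
    return root


def iter_users(tree: List[Node]):
    """Yield (user-name, child statements) for every user block, at any depth."""
    for stmt, children in tree:
        match = USER_RE.match(stmt)
        if match:
            yield match.group(1), children
        else:
            yield from iter_users(children)


def by_keyword(children: List[Node]) -> Dict[str, Node]:
    """Index child statements by their first keyword (each occurs at most once here)."""
    return {stmt.split()[0]: (stmt, kids) for stmt, kids in children}


def audit_user(children: List[Node]) -> List[str]:
    """Return the finding codes for one user block."""
    findings: List[str] = []
    idx = by_keyword(children)

    # user / password: a new user keeps a null password until one is set, and
    # 'password' entered without a value implies a zero-length password.
    pw = idx.get("password")
    if pw is None or len(pw[0].split()) < 2:
        findings.append("null-password")

    # restricted-to-home: without it the user can navigate above the home directory.
    if "home-directory" in idx and "restricted-to-home" not in idx:
        findings.append("home-directory-not-restricted")

    # snmp authentication: 'none' means the username alone authenticates SNMPv3;
    # hash2 is the stronger stored form; privacy none leaves requests unencrypted.
    access = idx["access"][0].split()[1:] if "access" in idx else []
    if "snmp" in access and "snmp" in idx:
        snmp_idx = by_keyword(idx["snmp"][1])
        words = snmp_idx["authentication"][0].split() if "authentication" in snmp_idx else []
        if words[1:2] == ["none"]:
            findings.append("snmp-no-authentication")
        elif words:
            if "hash2" not in words:
                findings.append("snmp-key-not-hash2")
            priv = words.index("privacy") + 1 if "privacy" in words else None
            if priv is None or words[priv:priv + 1] == ["none"]:
                findings.append("snmp-no-privacy")
    return findings


def audit_config(text: str) -> Dict[str, List[str]]:
    """Audit every user in the dump; a user with no findings maps to an empty list."""
    return {name: audit_user(kids) for name, kids in iter_users(parse_blocks(text))}


if __name__ == "__main__":
    for user, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{user}: {', '.join(findings) or 'ok'}")
```

Run against the sample, ops-null is reported for the null password, backup for the unrestricted home directory, monitor for authentication none, telemetry for the hash (not hash2) key form and privacy none, and hardened is clean. A user granted access snmp with no snmp block at all is not reported, because the no form of authentication leaves that user unusable for SNMP operations rather than exposed.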
Syntax: group group-name
        no group
Context: config>system>security>user>snmp
Description: This command associates (or links) a user to a group name. The access command links the group with one or more views, security models, security levels, and read, write, and notify permissions.
Default: no group name is associated with a user
Parameters:
    group-name: the group name (1 to 32 alphanumeric characters) that is associated with this user. A user can be associated with one group name per security model.