Configuring User Accounts and Setting Credentials
NetVisor OS provides a pre-created user account called network-admin that has all access privileges. Other user accounts can be created with only the privileges they require. For these users, usernames and passwords can be managed locally on each network node or globally on all nodes of the fabric.
For local authentication, the user attributes are defined and stored only on the switch where the user was created. For fabric-wide authentication, the attributes are stored on every switch in the fabric. For example, the default network-admin user created by NetVisor OS is a fabric-scoped user, so its attributes are stored on all switches in the fabric.
You can create new roles and new users with specified roles on a local switch or on all nodes of a fabric.
To create a new user, optionally with an initial role, on the local switch or on all nodes of the fabric, use the command:
CLI (network-admin@switch) > user-create name name-string scope local|fabric
name name-string | Enter a name for the new user.
scope local|fabric | Specify whether the user is defined on the local switch only or on all switches in the fabric.
Specify any of the following options:
initial-role role-name | Specify the initial role for the new user.
login-fail-count login-fail-count-number | Specify the number of authentication failures allowed before NetVisor OS locks the account. When the user exceeds the configured number of failures, NetVisor OS automatically locks the account. The default value is zero (0), which means the account is never locked. This parameter was added in NetVisor OS version 6.1.1.
lock-account|no-lock-account | The lock-account option manually locks a user account, for example one suspected of misusing its privileges. Only the network-admin account can do this. Being the NetVisor OS super-user, the network-admin account itself cannot be locked. Likewise, a locked account can be unlocked only by network-admin, using the no-lock-account option. This parameter was added in NetVisor OS version 6.1.1.
minimum-pw-length 6..65 | Specify a minimum password length for the account, in the range 6 to 65 characters. The default is 6 characters. An error is displayed if a password shorter than the configured minimum is entered. This parameter was added in NetVisor OS version 6.1.0 for Common Criteria compliance.
Note: Whether a given login-fail-count value takes effect as expected depends on the SSH client and server configuration. For example, if the SSH client has NumberOfPasswordPrompts set to N and the SSH server has MaxAuthTries set to N+1, then a login-fail-count of N locks the user account once N failed attempts with non-empty passwords have been made.
Note: If login-fail-count is left at its default of zero (0), the account is never locked, however many authentications fail, because the failed-authentication limit check is not performed. This is also the behavior of NetVisor OS versions before 6.1.0.
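As an added illustration of the note above (not from the NetVisor OS documentation), here are the two OpenSSH settings it refers to, with N = 3, alongside the matching switch-side command. The host alias, the placeholder address and the choice of N are assumptions made for this example.

```text
# Client side, in ~/.ssh/config or /etc/ssh/ssh_config (N = 3)
Host switch1
    HostName 192.0.2.10             # placeholder address
    NumberOfPasswordPrompts 3

# Server side, in the switch's sshd_config (N + 1 = 4)
MaxAuthTries 4

# Switch side: lock example1 after N = 3 password failures
CLI (network-admin@switch) > user-modify name example1 login-fail-count 3
```

MaxAuthTries counts every authentication attempt in a connection, including each public key the client offers before it falls back to a password, so a client with several keys loaded in ssh-agent can use up tries before the first password prompt. Per the note, only failed attempts with non-empty passwords count toward login-fail-count. Keep MaxAuthTries above login-fail-count, as the note does; otherwise the server drops the connection before the switch's counter can reach N within one session.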
You can also set a minimum-pw-length for the SFTP service password by using the admin-sftp-modify command. For example:
CLI (network-admin@switch) > admin-sftp-modify enable minimum-pw-length 10
sftp password:
confirm sftp password:
password length matched..!
CLI (network-admin@switch) >
To delete an existing user, use the command:
CLI (network-admin@switch) > user-delete name name-string
To modify an existing user, use the command:
CLI (network-admin@switch) > user-modify name name-string
name name-string | Enter the username of the account to modify.
Specify any of the following options:
password password-string | Enter the new password in plain text. The password must be at least as long as the configured minimum-pw-length.
login-fail-count login-fail-count-number | Specify the number of authentication failures allowed before the account is locked. For details, see the user-create table above.
lock-account|no-lock-account | Lock or unlock the account. For details, see the user-create table above.
minimum-pw-length 6..65 | Specify a minimum password length for the account, in the range 6 to 65 characters (default 6). For details, see the user-create table above.
Note: All changes are recorded in the session log file, which you can view with the log-session-show command:
CLI (network-admin@ara01) > log-session-show
To view the configuration details, use the command:
CLI (network-admin@switch) > user-show name name-string
Specify any of the following options:
name name-string | Enter the username whose details you want to view.
[ scope local|fabric ] | Show user accounts defined on the local switch only or on all switches in the fabric.
[ uid uid-number ] | Enter the user ID of the account.
[ type netvisor|unix|tacacs|web-token|mfg ] | Enter the user type to show only accounts of that type.
[ server aaa-tacacs name ] | Enter the TACACS server name to show only accounts from that server.
login-fail-count login-fail-count-number | Show only accounts with this number of allowed authentication failures. For details, see the user-create table above.
lock-account|no-lock-account | Show only locked or only unlocked accounts. For details, see the user-create table above.
minimum-pw-length 6..65 | Show only accounts with this minimum password length. For details, see the user-create table above.
Note: As with all show commands, use the formatting options to display the details as desired.
The following example configuration illustrates the security settings of different user accounts:
- Create a user account on a local switch using the command:
CLI (network-admin@switch) > user-create name example1 scope local
- Modify the account to make sure it is unlocked:
CLI (network-admin@switch) > user-modify name example1 no-lock-account
- Verify the configuration:
CLI (network-admin@switch) > user-show
name scope uid type login-fail-count lock-account minimum-pw-length
------------- ------ ----- -------- ---------------- ------------ -----------------
network-admin fabric 39999 netvisor 0 false 6
example1 local 40000 netvisor 0 false 6
Note: The minimum-pw-length field is displayed only for network-admin accounts.
- Now modify the account so that it locks after 3 failed login attempts, and set the other parameters:
CLI (network-admin@switch) > user-modify name example1 login-fail-count 3 lock-account minimum-pw-length 9
This command prompts for a new password for example1 that meets the minimum-pw-length just specified.
CLI (network-admin@switch) > user-show
name scope uid type login-fail-count lock-account minimum-pw-length
------------- ------ ----- -------- ---------------- ------------ -----------------
network-admin fabric 39999 netvisor 0 false 6
example1 local 40000 netvisor 3 true 9
- You can also set minimum-pw-length when enabling SFTP:
CLI (network-admin@switch) > admin-sftp-modify minimum-pw-length 9 enable
sftp password:
confirm sftp password:
CLI (network-admin@switch) > admin-sftp-show
switch: switch
sftp-user: sftp
enable: yes
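As an added example (not part of NetVisor OS or its documentation), the following Python script parses the space-aligned user-show output shown above and flags accounts whose settings would not stop a password-guessing attacker: a login-fail-count of 0 (the account never locks), a minimum-pw-length below a chosen baseline, and accounts that are currently locked and need a network-admin to unlock them. The two sample tables are the ones printed earlier in this example, embedded as constants; the policy thresholds are assumptions made for this example, not NetVisor OS defaults.

```python
"""Audit NetVisor OS user-show output for weak account-protection settings.

Added example, not part of NetVisor OS or its documentation. It parses the
space-aligned table that user-show prints and reports accounts whose settings
would not stop a password-guessing attacker.
"""
from dataclasses import dataclass

# Constructed samples: the two user-show outputs reproduced above, captured
# before and after example1 was given login-fail-count 3, lock-account and
# minimum-pw-length 9.
USER_SHOW_BEFORE = """\
name          scope  uid   type     login-fail-count lock-account minimum-pw-length
------------- ------ ----- -------- ---------------- ------------ -----------------
network-admin fabric 39999 netvisor 0                false        6
example1      local  40000 netvisor 0                false        6
"""

USER_SHOW_AFTER = """\
name          scope  uid   type     login-fail-count lock-account minimum-pw-length
------------- ------ ----- -------- ---------------- ------------ -----------------
network-admin fabric 39999 netvisor 0                false        6
example1      local  40000 netvisor 3                true         9
"""

# Policy thresholds are assumptions for this example, not NetVisor OS defaults.
POLICY_MAX_FAIL_COUNT = 5   # an account should lock after at most this many failures
POLICY_MIN_PW_LENGTH = 9    # raise the 6-character default


@dataclass
class Account:
    name: str
    scope: str
    uid: int
    type: str
    login_fail_count: int
    lock_account: bool
    minimum_pw_length: int


def parse_user_show(text: str) -> list[Account]:
    """Parse the header / dashed separator / rows layout into Account objects."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2 or not set(lines[1].strip()) <= {"-", " "}:
        raise ValueError("not a user-show table: dashed separator line missing")
    header = lines[0].split()
    accounts = []
    for row in lines[2:]:
        cells = row.split()
        if len(cells) != len(header):
            raise ValueError(f"row has {len(cells)} fields, expected {len(header)}: {row!r}")
        c = dict(zip(header, cells))
        accounts.append(Account(
            name=c["name"],
            scope=c["scope"],
            uid=int(c["uid"]),
            type=c["type"],
            login_fail_count=int(c["login-fail-count"]),
            lock_account=c["lock-account"] == "true",
            minimum_pw_length=int(c["minimum-pw-length"]),
        ))
    return accounts


def audit(accounts: list[Account]) -> dict[str, list[str]]:
    """Return {account name: [findings]} for every account that violates policy."""
    findings: dict[str, list[str]] = {}
    for acct in accounts:
        issues: list[str] = []
        # network-admin is the super-user and cannot be locked (see above), so
        # only the password-length policy applies to it.
        if acct.name != "network-admin":
            if acct.login_fail_count == 0:
                issues.append("login-fail-count 0: account never locks on failed logins")
            elif acct.login_fail_count > POLICY_MAX_FAIL_COUNT:
                issues.append(
                    f"login-fail-count {acct.login_fail_count} exceeds policy "
                    f"maximum {POLICY_MAX_FAIL_COUNT}")
            if acct.lock_account:
                issues.append("account is currently locked; only network-admin can unlock it")
        if acct.minimum_pw_length < POLICY_MIN_PW_LENGTH:
            issues.append(
                f"minimum-pw-length {acct.minimum_pw_length} is below policy "
                f"minimum {POLICY_MIN_PW_LENGTH}")
        if issues:
            findings[acct.name] = issues
    return findings


if __name__ == "__main__":
    for label, table in (("before", USER_SHOW_BEFORE), ("after", USER_SHOW_AFTER)):
        print(f"== {label} ==")
        for name, issues in audit(parse_user_show(table)).items():
            for issue in issues:
                print(f"{name}: {issue}")
```

Run on the "before" table, the script reports that example1 never locks and that both accounts fall short of the 9-character baseline; on the "after" table, example1 passes the lockout and length checks but is reported as currently locked, which is what the lock-account option in the preceding user-modify did. The parser is deliberately strict: a missing separator line or a row with the wrong number of fields raises instead of silently skipping an account.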
General Guidelines
Keep the following guidelines in mind while configuring new user accounts:
- To prepare a system for the Common Criteria conformance test with regard to SSH, run the script /usr/bin/setup-cc-ssh-config.ksh on the target switch, and run the script /usr/bin/setup-cc-ssh-keygen.ksh from the client system.
- If NetVisor OS locks a user account because of authentication failures, that account cannot open SSH sessions until a network-admin user (with full privileges) unlocks it.
- If all accounts are locked out and no SSH session is possible, only the network-admin user can still log in, through the local or management console (telnet), because network-admin is a pre-created NetVisor OS account that cannot be locked out.
- You can use either the CLI or the RESTful API to configure the user authentication parameters.
- Other applications that use the NetVisor OS authentication mechanism, such as UNUM, currently reflect these configuration changes.