user

Syntax

user <USERNAME> group {administrators | operators} password 
     [ciphertext <CIPHERTEXT-PASSWORD> | plaintext <PLAINTEXT-PASSWORD>]

no user <USERNAME>

Description

Creates a user and adds the user to one of the user groups. Users are given the privilege level of their group. When entered without either optional ciphertext or plaintext parameters, the cleartext password is prompted for twice, with the characters entered masked with "*" symbols.

The no form of this command removes a user account from the switch. The administrator cannot delete the user account from which they are logged in.

Command context

config

Parameters

<USERNAME>

Specifies the user name. Requirements:

  • Must start with a lowercase letter.

  • Can contain numbers and lowercase letters.

  • Can include only these three special characters: hyphens ( - ), dots ( . ), and underscores ( _ ).

  • Can have a maximum of 32 characters.

  • Cannot be empty.

  • Cannot contain uppercase letters.

  • Cannot be: admin, root, or remote_user.

  • Cannot be Linux reserved names such as:

    daemon, bin, sys, sync, proxy, www-data, backup, list, irc, gnats, nobody, systemd-bus-proxy, sshd, messagebus, rpc, systemd-journal-gateway, systemd-journal-remote, systemd-journal-upload, systemd-timesync, systemd-coredump, systemd-resolve, rpcuser, vagrant, opsd, rdanet, _lldpd, rdaadmin, rdaweb

group {administrators | operators}

Selects the group to which the new user will be assigned.

ciphertext <CIPHERTEXT-PASSWORD>
Specifies a ciphertext password. No password prompts are provided and the ciphertext password is validated before the configuration is applied for the user. The variable <CIPHERTEXT-PASSWORD> is Base64 and is typically copied from another switch using the show running-config command output and then pasted into this command.
NOTE: The administrator cannot construct ciphertext passwords themselves. The ciphertext is only created by an ArubaOS-CX switch. The ciphertext is created by setting a password for a user with the user command. The ciphertext is available for copying from the show running-config output and pasting into the configuration on any other ArubaOS-CX switch. The target switch must have the same export password (default or otherwise) as the source switch.
plaintext <PLAINTEXT-PASSWORD>

Specifies the password without prompting. The password is visible as cleartext when entered but is encrypted thereafter. Note that command history does show the password as cleartext.

Authority

Administrators

Usage

When a user account is removed, the user loses all active login/SSH sessions. Any calls on the existing REST session with that local user account fail with a permissions issue as soon as the user is deleted. Soon afterwards, the existing REST sessions with the deleted user account become invalidated. If a user is viewing the GUI while their account is deleted, the user is redirected to the login page within 60 seconds. The home directory associated with the user is also removed from the switch.

The switch ships with the admin user account and two groups: administrators and operators. The admin account is part of the administrators group. The Service OS also includes the administrator user admin. The two admin users are entirely distinct.

You can add a maximum of 16 local users, and they can be either part of the operators or administrators group.

Cleartext passwords (whether entered with prompting or entered directly) must:
  • Contain only ASCII characters from hexadecimal 21 to hexadecimal 7E [\x21-\x7E] (decimal 33 to 126). Spaces are not allowed. When the password is entered directly without prompting, the "?" symbol (hexadecimal 3F [\x3F] (decimal 63)) is not permitted.

  • Contain at most 32 characters.

  • Contain at least the number of characters configured (optionally) for minimum-password-length.

  • Not be blank. On a factory-default switch, the admin user has a blank password. If the admin user password is changed, it can only be reset to blank by reverting the switch to factory defaults.

    NOTE:

    Only an administrator can change the password of a user assigned to the operators role.

Examples

Creating user jamie with a prompted password:

switch(config)# user jamie group administrators password
Adding user jamie
Enter password:************
Confirm password:************

Creating user chris with a cleartext password, using direct entry without prompting:

switch(config)# user chris group administrators password plaintext passWORDxJ|989

Creating user alex with a ciphertext password (the ciphertext shown is a placeholder that must be replaced with actual ciphertext):

switch(config)# user alex group administrators password ciphertext NDcDI2...8igJfA=

Removing user jamie:

switch(config)# no user jamie
User jamie's home directory and active sessions will be deleted.
Do you want to continue [y/n]?y