user
Syntax
user <USERNAME> group {administrators | operators | auditors | <USER-GROUP>} password [ciphertext <CIPHERTEXT-PASSWORD> | plaintext <PLAINTEXT-PASSWORD>]
no user <USERNAME>
Description
Creates a user and adds the user to one of the user groups. Users are given the privileges of their group. For the three built-in user groups (administrators, operators, auditors), the privileges are fixed. For user-defined local user groups, the privileges are defined by the CLI command authorization rules of the group.
When entered without either optional ciphertext or plaintext parameters, the cleartext password is prompted for twice, with the characters entered masked with "*" symbols.
The no form of this command removes a user account from the switch. The administrator cannot delete the user account from which they are logged in. The admin user cannot be deleted.
Command context
config
Parameters
<USERNAME>
Specifies the user name. Requirements:
Must start with a lowercase letter.
Can contain numbers and lowercase letters.
Can include only these three special characters: hyphens ( - ), dots ( . ), and underscores ( _ ).
Can have a maximum of 32 characters.
Cannot be empty.
Cannot contain uppercase letters.
Cannot be: admin, root, or remote_user.
Cannot be Linux reserved names such as: daemon, bin, sys, sync, proxy, www-data, backup, list, irc, gnats, nobody, systemd-bus-proxy, sshd, messagebus, rpc, systemd-journal-gateway, systemd-journal-remote, systemd-journal-upload, systemd-timesync, systemd-coredump, systemd-resolve, rpcuser, vagrant, opsd, rdanet, _lldpd, rdaadmin, rdaweb, docker_container, tss.
group
Selects the local user group to which the new user will be assigned.
administrators | operators | auditors
Selects one of three built-in local user groups.
<USER-GROUP>
Specifies an existing user-defined local user group.
ciphertext <CIPHERTEXT-PASSWORD>
Specifies a ciphertext password. No password prompts are provided and the ciphertext password is validated before the configuration is applied for the user. The variable <CIPHERTEXT-PASSWORD> is Base64 and is typically copied from another switch using the show running-config command output and then pasted into this command.
NOTE: The administrator cannot construct ciphertext passwords themselves. The ciphertext is only created by an ArubaOS-CX switch. The ciphertext is created by setting a password for a user with the user command. The ciphertext is available for copying from the show running-config output and pasting into the configuration on any other ArubaOS-CX switch. The target switch must have the same export password (default or otherwise) as the source switch.
plaintext <PLAINTEXT-PASSWORD>
Specifies the password without prompting. The password is visible as cleartext when entered but is encrypted thereafter. Command history does show the password as cleartext.
Authority
Administrators or local user group members with execution rights for this command.
Usage
Up to 63 local users can be added, for a total of 64 users including the default user admin. A user can belong to only one group.
The switch ships with the admin user account and three built-in local user groups: administrators, operators, and auditors. The admin account belongs to the administrators group. The Service OS also includes the administrator user admin. The two admin users are entirely distinct.
When a local user account is removed, the user loses all active login/SSH sessions. Any calls on the existing REST session with that local user account fail with a permissions issue as soon as the user is deleted. Soon afterwards, the existing REST sessions with the deleted local user account become invalidated. If a user is viewing the GUI while their account is deleted, the user is redirected to the login page within 60 seconds. The home directory associated with the user is also removed from the switch.
Cleartext passwords (whether entered with prompting or entered directly) must:
Contain only ASCII characters from hexadecimal 21 to hexadecimal 7E [\x21-\x7E] (decimal 33 to 126). Spaces are not allowed. When the password is entered directly without prompting, the "?" symbol (hexadecimal 3F [\x3F] (decimal 63)) is not permitted.
Contain at most 32 characters.
Contain at least the number of characters configured (optionally) for minimum-password-length.
CAUTION: Although empty passwords are supported, it is recommended that you use strong passwords for all production switches.
NOTE: Only an administrator can change the password of a user assigned to the operators role.
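The user name and cleartext password rules above, written as a lint for user commands that automation generates before they are sent to a switch. This is an added example, not code from the switch vendor; the function names, the regular expressions and the min_length parameter (standing in for minimum-password-length) are assumptions made for illustration.

```python
import re

# Names the page lists as not allowed for <USERNAME>.
RESERVED = set("""admin root remote_user daemon bin sys sync proxy www-data backup
list irc gnats nobody systemd-bus-proxy sshd messagebus rpc systemd-journal-gateway
systemd-journal-remote systemd-journal-upload systemd-timesync systemd-coredump
systemd-resolve rpcuser vagrant opsd rdanet _lldpd rdaadmin rdaweb docker_container
tss""".split())

USERNAME_RE = re.compile(r"[a-z][a-z0-9._-]{0,31}")   # lowercase start, max 32 chars
PASSWORD_RE = re.compile(r"[\x21-\x7e]{0,32}")        # \x21-\x7E only, empty allowed
USER_CMD_RE = re.compile(
    r"user (?P<name>\S+) group (?P<group>\S+) password"
    r"(?: (?P<kind>ciphertext|plaintext) (?P<secret>.*))?")


def check_username(name):
    """Return the list of <USERNAME> rule violations (empty if valid)."""
    problems = []
    if not USERNAME_RE.fullmatch(name):
        problems.append("username must be 1-32 chars of [a-z0-9._-], starting with a-z")
    if name in RESERVED:
        problems.append("username is reserved")
    return problems


def check_password(password, direct_entry, min_length=0):
    """Return cleartext password violations; direct_entry=True means no prompting."""
    problems = []
    if not PASSWORD_RE.fullmatch(password):
        problems.append("password must be at most 32 chars in \\x21-\\x7E")
    if direct_entry and "?" in password:
        problems.append("'?' is not permitted with direct entry")
    if len(password) < min_length:
        problems.append("password shorter than minimum-password-length")
    return problems


def lint_user_command(line, min_length=0):
    """Lint one 'user ...' configuration line (without the CLI prompt)."""
    m = USER_CMD_RE.fullmatch(line.strip())
    if not m:
        return ["not a recognised user command"]
    problems = check_username(m["name"])
    if m["kind"] == "plaintext":
        # The page states that command history shows this password as cleartext.
        problems.append("plaintext form leaves the password in command history")
        problems += check_password(m["secret"], direct_entry=True, min_length=min_length)
    return problems
```

Ciphertext values are not inspected, since the page states that the switch validates them itself and that they can only be produced by a switch.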
Examples
Creating local user jamie in the administrators group with a prompted password:
switch(config)# user jamie group administrators password
Adding user jamie
Enter password:************
Confirm password:************
Creating user chris in the existing user-defined local user group admuser2 with a cleartext password, using direct entry without prompting:
switch(config)# user chris group admuser2 password plaintext passWORDxJ|989
Creating user alex in the operators group with a ciphertext password (the ciphertext shown is a placeholder that must be replaced with actual ciphertext):
switch(config)# user alex group operators password ciphertext NDcDI2...8igJfA=
Removing user jamie:
switch(config)# no user jamie
User jamie's home directory and active sessions will be deleted.
Do you want to continue [y/n]?y