To create and configure a user account in a virtual device context (VDC), use the username command. To remove a user account, use the no form of this command.
username user-id [expire date] [password [0 | 5] password] [role role-name]
username user-id [sshkey {key | file filename}]
username user-id [keypair generate {rsa [bits [force]] | dsa [force]}]
username user-id [keypair {export | import} {bootflash: filename | volatile: filename} {rsa | dsa} [force]]
username user-id [priv-lvl n] [expire date] [password [0 | 5] password]
username user-id [ssh-cert-dn dn-name {rsa}]
no username user-id
Syntax Description

user-id
    User identifier for the user account. The user-id argument is a case-sensitive, alphanumeric character string with a maximum length of 28 characters. For more information, see the usage guidelines section below.
    Note: The Cisco NX-OS software allows these special characters in the user-id argument text string: ( _ . + = \ - ).

expire date
    (Optional) Specifies the expire date for the user account. The format for the date argument is YYYY-MM-DD.

password
    (Optional) Specifies a password for the account. The default is no password.

0
    (Optional) Specifies that the password is in clear text. Clear text passwords are encrypted before they are saved to the running configuration.

5
    (Optional) Specifies that the password is in encrypted format. Encrypted passwords are not changed before they are saved to the running configuration.

password
    Password string. The password is alphanumeric, case sensitive, and has a maximum of 64 characters.
    Note: All printable ASCII characters are supported in the password string if they are enclosed in quotation marks.

role role-name
    (Optional) Specifies the user role. The role-name argument is case sensitive.

sshkey
    (Optional) Specifies an SSH key for the user account.

key
    SSH key string.

file filename
    Specifies the name of a file that contains the SSH key string.

keypair
    Generates SSH user keys.

generate
    Generates SSH key-pairs.

bits
    Number of bits used to generate the key. The range is from 1024 to 2048, and the default value is 1024.

force
    Forces the generation of keys even if previous ones are present.

rsa
    Generates Rivest, Shamir, and Adleman (RSA) keys.

export
    Exports key-pairs to the bootflash or volatile directory.

import
    Imports key-pairs from the bootflash or volatile directory.

ssh-cert-dn
    Specifies the X.509 certificate distinguished name (with the RSA algorithm) to use for SSH authentication of an existing user account.

dn-name
    Specifies the distinguished name, which can be up to 512 characters and must follow the OpenSSL format.

bootflash:filename
    Specifies the bootflash filename.

volatile:filename
    Specifies the remote filename.

priv-lvl n
    Specifies the privilege level to which the user is assigned. The range is from 0 to 15.
Command Default

Unless specified, usernames have no expire date, password, or SSH key.

In the default VDC, the default role is network-operator if the creating user has the network-admin role, or the default role is vdc-operator if the creating user has the vdc-admin role. In nondefault VDCs, the default user role is vdc-operator.

You cannot delete the default admin user role. Also, you cannot change the expire date or remove the network-admin role for the default admin user role.

To specify privilege levels, you must enable the cumulative privilege of roles for command authorization on TACACS+ servers using the feature privilege command. There is no default privilege level.

This command does not require a license.
Command Modes

Global configuration

Command History

Release    Modification
8.0(1)     Added the ssh-cert-dn keyword option.
5.1(1)     Removed support for RSA keys less than 1024 bits.
5.0(2)     Added the keypair keyword option.
5.0(2)     Added the priv-lvl keyword option.
4.1(2)     Added the sshkey keyword option.
4.0(1)     This command was introduced.
Usage Guidelines

The Cisco NX-OS software creates two default user accounts in the VDC: admin and adminbackup. The nondefault VDCs have one default user account: admin. You cannot remove a default user account.

User accounts are local to the VDCs. You can create user accounts with the same user identifiers in different VDCs.

Caution: The Cisco NX-OS software does not support all-numeric usernames, whether created with TACACS+ or RADIUS, or created locally. Local users with all-numeric names cannot be created. If an all-numeric user name exists on an AAA server and is entered during login, the user is not logged in.
The Cisco NX-OS software accepts only strong passwords when you have password-strength checking enabled using the password strength-check command. The characteristics of a strong password include the following:

- At least eight characters long
- Does not contain many consecutive characters (such as "abcd")
- Does not contain many repeating characters (such as "aaabbb")
- Does not contain dictionary words
- Does not contain proper names
- Contains both uppercase and lowercase characters
- Contains numbers
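The following is an added example, not part of the Cisco reference and not the NX-OS implementation: a pre-commit style linter that applies the user-id constraints from the syntax description above (length, allowed characters, no all-numeric names) and the strong-password characteristics just listed, so that a username line can be checked before it is pushed to a switch. It assumes the parentheses in the special-character note are list delimiters, treats a run of three or more consecutive or repeating characters as "many", and uses constructed sample dictionary and proper-name lists, since the page does not give the real ones.

```python
import re

USER_ID_MAX = 28
USER_ID_ALLOWED = re.compile(r"^[A-Za-z0-9_.+=\\\-]+$")  # alphanumeric plus _ . + = \ -
PASSWORD_MAX = 64
MIN_LENGTH = 8
MAX_RUN = 3  # assumption: a run of 3+ consecutive or repeating characters counts as "many"
# Constructed sample wordlists; the NX-OS dictionary and name lists are not on the page.
DICTIONARY_WORDS = {"password", "cisco", "admin", "secret", "welcome"}
PROPER_NAMES = {"john", "alice", "bob", "jsmith"}

def check_user_id(user_id: str) -> list[str]:
    """Return rule violations for a proposed user-id (empty list means acceptable)."""
    problems = []
    if not 1 <= len(user_id) <= USER_ID_MAX:
        problems.append(f"user-id must be 1 to {USER_ID_MAX} characters")
    if not USER_ID_ALLOWED.match(user_id):
        problems.append("user-id contains a character outside [A-Za-z0-9_.+=\\-]")
    if user_id.isdigit():
        problems.append("all-numeric user-ids are not supported")
    return problems

def _longest_run(s: str, step: int) -> int:
    """Longest run where each character is `step` code points above the previous one."""
    best = run = min(1, len(s))
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if ord(cur) - ord(prev) == step else 1
        best = max(best, run)
    return best

def check_password(password: str) -> list[str]:
    """Return strong-password rule violations (empty list means the password passes)."""
    problems, lowered = [], password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"fewer than {MIN_LENGTH} characters")
    if len(password) > PASSWORD_MAX:
        problems.append(f"more than {PASSWORD_MAX} characters")
    if _longest_run(password, 1) >= MAX_RUN:   # step 1 catches "abcd", "1234"
        problems.append("contains consecutive characters (such as abcd)")
    if _longest_run(password, 0) >= MAX_RUN:   # step 0 catches "aaa", "bbb"
        problems.append("contains repeating characters (such as aaabbb)")
    if any(w in lowered for w in DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    if any(n in lowered for n in PROPER_NAMES):
        problems.append("contains a proper name")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("needs both uppercase and lowercase characters")
    if not any(c.isdigit() for c in password):
        problems.append("needs a number")
    return problems
```

The two passwords used in the Examples section (Ci5co321 and 4Ty18Rnt) pass every check; a value such as abcd1234 is rejected for its consecutive run and missing uppercase character.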
Caution: If you do not specify a password for the user account, the user might not be able to log in to the account.

To use this command, you must enable the cumulative privilege of roles using the feature privilege command.

A passphrase is required when you export or import the key-pair. The passphrase encrypts the exported private key for the user and decrypts it during import.
Examples
This example shows how to create a user account with a password and a
user role:
switch# configure t
switch(config)# username user1 password Ci5co321 role vdc-admin
This example shows how to configure the SSH key for a user account:
switch# configure t
switch(config)# username user1 sshkey file bootflash:key_file
This example shows how to generate the SSH public and private keys
and store them in the home directory of the Cisco NX-OS device for the user:
switch# configure t
switch(config)# username user1 keypair generate rsa
generating rsa key(2048 bits)......
generated rsa key
This example shows how to export the public and private keys from the
home directory of the Cisco NX-OS device to the bootflash directory:
switch# configure t
switch(config)# username user1 keypair export bootflash:key_rsa rsa
Enter Passphrase:
switch(config)# dir
.
.
.
951 Jul 09 11:13:59 2009 key_rsa
221 Jul 09 11:14:00 2009 key_rsa.pub
.
.
The private key is exported as the file that you specify, and the
public key is exported with the same filename followed by a .pub extension.
This example shows how to import the exported public and private keys
from the bootflash directory to the home directory of the Cisco NX-OS device:
switch# configure t
switch(config)# username user1 keypair import bootflash:key_rsa rsa
Enter Passphrase:
switch(config)# show username user1 keypair
**************************************
rsa Keys generated: Thu Jul 9 11:10:29 2009
ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAIEAxWmjJT+oQhIcvnrMbx2BmD0P8boZElTfJ
Fx9fexWp6rOiztlwODtehnjadWc6A+DE2DvYNvqsrU9TBypYDPQkR/+Y6cKubyFW
VxSBG/NHztQc3+QC1zdkIxGNJbEHyFoajzNEO8LLOVFIMCZ2Td7gxUGRZc+fbq
S33GZsCAX6v0=
bitcount:262144
fingerprint:
8d:44:ee:6c:ca:0b:44:95:36:d0:7d:f2:b5:78:74:7d
**************************************
could not retrieve dsa key information
**************************************
switch(config)#
The private key is imported as the file that you specify, and the
public key is imported with the same filename followed by a .pub extension.
This example shows how to assign privilege level 15 to the user:
switch# configure t
switch(config)# feature privilege
switch(config)# enable secret 5 def456 priv-lvl 15
switch(config)# username user2 priv-lvl 15
This example shows how to configure X.509v3 certificate-based SSH authentication:
switch# configure terminal
switch(config)# username jsmith password 4Ty18Rnt
switch(config)# username jsmith ssh-cert-dn "/O = ABCcompany, OU = ABC1, emailAddress = jsmith@ABCcompany.com, L = Metropolis, ST = New York, C = US, CN = jsmith" rsa
switch(config)# crypto ca trustpoint tp1
switch(config-trustpoint)# crypto ca authenticate tp1
switch(config-trustpoint)# crypto ca crl request tp1 bootflash:crl1.crl
switch(config-trustpoint)# exit
switch(config)# exit