AAA - Login with Builtin User Accounts HowTo

About

This document aims to show how to use the built-in user accounts.

For an overview of all available configuration settings for AAA refer to the configuration guide:

Introduction

Configure

This section covers how to handle built-in user accounts.

Builtin users

The table below lists the built-in interactive user accounts present in a factory preset WeOS. These accounts only apply to the login service, and some of them are limited to the console port. It is also possible to create new built-in accounts to replace the existing ones.

Account   Purpose
admin     Administrative account for configuration and management of the device. This is accessible from console, SSH and Web (HTTP/HTTPS) by default.
factory   Factory reset function. Only accessible from console.

Admin

The default setting for the built-in admin account is as follows:

  • Login: admin
  • Password: admin

The password of the built-in admin user can (and should!!) be changed, as shown in the following example:

example:/#> configure
example:/config/#> aaa
example:/config/aaa/#> user admin
example:/config/aaa/user-admin/#> password alg sha512 secret NewPassword
example:/config/aaa/user-admin/#> leave

Factory

The built-in factory account can be used to conduct a factory reset via the console port (only).

  • Login: factory
  • Password: reset

example login: factory
Password: reset (typed, but not echoed back to screen)

Factory Reset -- Restore factory default settings.
=> Are you sure (y/N)? y
Erasing barebox configuration
Backing up theme catalog.
Erasing all certificate and config files.
Restoring branding.
All done, rebooting...

A new account

It is possible to create multiple built-in accounts, up to 16 in one system.

Let us create a new built-in account for user Alice. By default, Alice is granted administrator privileges, but we change her role to guest and set a password hashed using the sha512 algorithm.

example:/config/aaa/#> user alice
example:/config/aaa/user-alice/#>
example:/config/aaa/user-alice/#> role guest
example:/config/aaa/user-alice/#> password alg sha512 secret CorrectHorseBatteryStaple
example:/config/aaa/user-alice/#> show
Status             : Enabled
Name               : alice
Role               : guest
Hash               : $6$ThcjPrACA$.ptkqbX5nZ72lcLk4MdjnGZSHR1p1LFI3BO1U.ykhPj4JUjOOStySXrYp7BO2CNwVfsw4Qr/avb2DI7Qd.x6k1
SSH-keys           :

Now, let us add two SSH keys to alice's account:

example:/config/aaa/user-alice/#> ssh-user-key import
Paste SSH user key(s) and hit enter twice:
ssh-rsa AAAAB3NzaC...G6KCGOnv alice@host1
ecdsa-sha2-nistp256 AAAAE2VjZHNh...UVpefXTOeObU3pGMLrk= alice@host2

As a result, there are two built-in accounts in the system: admin, provided in the factory configuration, who has the administrator role, and the newly created alice, who is a guest.

example:/config/aaa/user-alice/#> end
example:/config/aaa/#> show
User               Role           SSH-key  ENA                                  
admin              administrator  NO       YES
alice              guest          YES      YES

These settings are applied when the leave command is issued.

Removing admin account

It is possible to disable or even remove the default built-in admin account. To do so, create a new account with the administrator role and log in using it to disable the default admin account. Note: a user cannot disable or remove themselves.

In the example below, we create a new administrator, bob, and disable the default admin.

When logged in as admin:

example:/config/aaa/#> user bob
example:/config/aaa/user-bob/#>
example:/config/aaa/user-bob/#> 
example:/config/aaa/user-bob/#> password secret NewPassword
example:/config/aaa/user-bob/#> end
example:/config/aaa/#> show
User               Role           SSH-key  ENA                                  
admin              administrator  NO       YES
bob                administrator  NO       YES
example:/config/aaa/#> leave
Applying configuration.
Configuration activated.  Remember "copy run start" to save to flash (NVRAM).
example:/#> cp run start
example:/#> exit

When logged in as bob:

example:/#> configure aaa
example:/config/aaa/#> user admin
example:/config/aaa/user-admin/#> no enable
Disabling user admin
example:/config/aaa/user-admin/#> end
example:/config/aaa/#> show
User               Role           SSH-key  ENA                                   
admin              administrator  NO       NO
bob                administrator  NO       YES
example:/config/aaa/#> leave
Applying configuration.
Configuration activated.  Remember "copy run start" to save to flash (NVRAM).

This way, the only remaining built-in account with the administrator role is bob.
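
The state reached above can be checked from a saved console capture. The Python below is an added example, not part of the WeOS documentation: it parses the user table printed by show in the aaa context, reports whether the default admin account is still enabled, and checks that a user's Hash field is a SHA-512 crypt string. The function names and the sample capture are assumptions constructed for illustration.

```python
import re

# Constructed sample: pasted console output containing the aaa `show` table,
# in the column layout shown on this page.
SAMPLE = """\
example:/config/aaa/#> show
User               Role           SSH-key  ENA
admin              administrator  NO       YES
alice              guest          YES      YES
bob                administrator  NO       YES
"""

MAX_BUILTIN_USERS = 16  # limit stated on this page
# crypt(3) SHA-512 format: $6$[rounds=N$]salt$86-character digest
CRYPT_SHA512 = re.compile(
    r"^\$6\$(rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$")

def parse_users(text):
    """Extract rows of the user table; prompts and other lines are ignored."""
    users = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 4 and f[2] in ("YES", "NO") and f[3] in ("YES", "NO"):
            users.append({"name": f[0], "role": f[1],
                          "ssh_key": f[2] == "YES", "enabled": f[3] == "YES"})
    return users

def audit(users):
    """Return a list of findings for the parsed account table."""
    findings = []
    admins = [u["name"] for u in users
              if u["enabled"] and u["role"] == "administrator"]
    if "admin" in admins:
        findings.append("default admin account is still enabled")
    if not admins:
        findings.append("no enabled administrator account")
    if len(users) > MAX_BUILTIN_USERS:
        findings.append("more than %d built-in accounts" % MAX_BUILTIN_USERS)
    return findings

def is_sha512_hash(hash_field):
    """True if a Hash field from a user's `show` output is SHA-512 crypt."""
    return bool(CRYPT_SHA512.match(hash_field.strip()))

if __name__ == "__main__":
    for finding in audit(parse_users(SAMPLE)):
        print("FINDING:", finding)
```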