Articles in this section

See more

Managing local users from the command line

Robert Waldie
  • Updated
Follow

You can add, modify and remove local users from the command line. First, login as root or an admin group user.

Add a new user

Use the /etc/scripts/user-add command to add a local user. To view full command usage run:

/etc/scripts/user-add -h
usage: user-add [-h] [-p "port list"] [-g "group list"]
            [-d description] name
  • -p "port list": Explicitly permit access to these serial/USB console ports, aka Accessible Port(s) in the browser GUI. The ports must also be configured in Console Server Mode to allow access. Specify the ports by number, with the list surrounded by "quotation marks".
  • -g "group list": Add the new user to these existing local groups. Specify the list surrounded by "quotation marks".
  • -d description: A brief description of this user's role. name: A unique name for the user, aka Username in the browser GUI.

For example, to add a new user called operator1, with access to the first 8 console ports and users and pmshell group membership, run:

/etc/scripts/user-add -p "1 2 3 4 5 6 7 8" -g "users pmshell" operator1

This command will prompt to enter a password to set for the new user (scroll to the end of the article for instructions on adding users non-interactively).

Delete users

Use the /etc/scripts/user-del command to delete a local user or users. To view full command usage run:

/etc/scripts/user-del -h
usage: user-del [-h] username ...
  • username: The user to delete, specify multiple usernames separated by spaces.

For example, to delete the users operator1, operator2 and operator3, run:

/etc/scripts/user-del operator1 operator2 operator3

Edit or modify a user

Use the /etc/scripts/user-mod command to modify a local user. To view full command usage run:

/etc/scripts/user-mod -h
usage: user-mod [-h] [-p "+/-portlist"] [-g "+/-grouplist"]
                [-d description] [-P] [-L] [-U] name

    Each port number can be preceded by a "+" or a "-".
    If a port number is preceded by a "+", e.g. "+5" the port will be
    added to the user access. If a port number is preceded by a "-"
    instead, the port will be removed from the user access.
    The "+" and "-" options can also be used for adding and
    removing group access from a user. If neither "+" or "-" precedes
    a port or group, then a "+" will be assumed.

    -P, If this option is present, you will be prompted for a new user
    password.

    -L, Lock account for user "name".

    -U, Unlock account for user "name".
  • -p "port list": Explicitly add or remove access privileges to these serial/USB console ports. Precede the port number with + to grant access, and - to remove access. Specify the ports by number, with the list surrounded by "quotation marks".
  • -g "group list": Add the user to or user to these existing local groups. Precede the group name with + to add membership, and - to remove membership. Specify the list surrounded by "quotation marks".
  • -L/-U: Temporarily disable/re-enable the user's ability to login.
  • -P: Prompt to enter a new password to set for this user (scroll to the end of the article for instructions on modifying user passwords non-interactively).

For example, to modify the user called operator1 to remove access to ports 1 and 2, add access to ports 9 and 10, and remove pmshell group membership, run:

/etc/scripts/user-mod -p "-1 -2 +9 +10" -g "-pmshell" operator1

Adding and modifying user passwords non-interactively

Advanced users may add users non-interactively by direct config commands. This can be using when adding users via external scripts. You may specify the MD5 pre-encrypted password using config.users.userX.password, or the plaintext password to be encrypted using config.users.userX.plaintext_password.

Note: The plaintext password will be momentarily visible to any users with CLI access – in the ps process listing and transiently in /etc/config/config.xml. If this present security issues, revoke CLI access or use a pre-encrypted password.

For example, to add the operator1 user with password "passw0rd":

prefix=$(config --list-base config.users --list-add)
config -s $prefix.username=operator1
config -s $prefix.plaintext_password=passw0rd
config -r users

To change operator1's password to "p4ssword" using the encrypted method:

prefix=$(config --list-base config.users --list-item-key username --list-get-by-value operator1  | head -n1 | cut -f1-3 -d.)
config -s $prefix.password='$1$s4lt$Jw0oXGlf1ZKQepH3wGx9F0'
config -r users

Hint: You can pre-encrypt passwords offbox using the openssl command, for example:

echo "p4ssword" > password.txt
openssl passwd -1 -salt s4lt -in password.txt

Related articles

Comments

0 comments

Article is closed for comments.

Powered by Zendesk