User access privileges and setting up local users

This article describes how to add a new local user via the Opengear web UI.  Local user management may also be performed using the command line.

The basic steps are:

• Login to the Opengear web UI as the root user or an existing admin user
• Click Serial & Network -> Users & Groups -> Add User
• Specify a Username and optional Description for the new user
• Configure authentication and authorization settings, and Apply

Authentication

Authentication may be either by local password, SSH public key, or remote AAA password.  Two factor authentication is also supported using a remote AAA server.

Local password: Enter and confirm a Password, complexity requirements are not enforced however we recommend between 12 and 32 characters in length, mixing case, alphanumeric characters, spaces and punctuation.

Remote password: Leave the Password field blank, or set a secondary password if you're using a RemoteLocal authentication method.  Note that remote AAA users do not necessarily have to be created locally.

SSH public key: Click New SSH Key and paste your SSH Authorized Key, which will be added to this user's authorized_keys file.  Multiple keys can be added.

We recommend that you use SSH public key authentication and Disable Password Authentication when the Opengear device is accessible from an untrusted network, e.g. the public Internet.

Authorization & Privileges

Assign the user to Groups, complete details on privileges granted by group membership, please refer to this article.

You may also set per-user Accessible Port(s), Outlet(s) and Host(s).

Accessible Port(s): Allow access to these serial/USB console ports via portmanager, using any of the configured Console Server Mode connection methods.

Accessible Outlet(s): Allow power control of these RPC (PDU) outlets. Users with web UI access may control outlets under Manage -> Power, users with CLI access may use the pmpower command. Users with neither web UI or CLI access (i.e. access to specific ports via portmanager only) may control power from inside a portmanager session, if this feature has been configured.

Accessible Host(s): Allow SSH local port forwards to be established to Permitted Services on a Serial & Network -> Network Host. For example, operator1 would access the HTTP web interface of a network host at 10.11.12.13 via SSH port forward first by starting the SSH port forward with this OpenSSH command:

ssh -L 60080:10.11.12.13:80 operator1@address.of.opengear

After authenticating, operator1 would then browse to http://127.0.0.1:60080/ and be redirected via the Opengear device to the network host's web interface.

Note: The Network Hosts feature is only effective when using the Opengear device as an SSH "GatewayPorts" bastion, and does not control or restrict routed or firewalled access to the network host.