Update, clarify and mention user permissions

troglobit · troglobit · commit e1fc6517652d · 2024-07-27T07:45:02.000+02:00
Also, link to official documentation.

Signed-off-by: Joachim Wiberg &lt;troglobit@gmail.com&gt;
diff --git a/_posts/2024-07-25-passwordless-login.md b/_posts/2024-07-25-passwordless-login.md
@@ -6,8 +6,12 @@ categories: [examples]
 tags: [cli, ssh]
 ---
 
-User management, including passwords, SSH keys, remote authentication is
-available in the system authentication configuration context.
+In this post we explore how to use the CLI to change a user's password
+and set up SSH keys for authentication.
+
+User management is available in the system authentication configuration
+context and there is a dedicated `change` command available to simplify
+the process:
 
 ```
 admin@example:/> configure
@@ -18,23 +22,25 @@ Retype password:
 admin@example:/config/system/authentication/user/admin/> leave
 ```
 
-The change password command starts an interactive dialogue that asks for
-the new password, with a confirmation, and then salts and encrypts the
-password with the default crypt algorithm.  This is either sha512crypt
-or yescrypt depending on the build.
+The `change password` command starts an interactive dialogue that asks
+for the new password, with a confirmation, and then salts and encrypts
+the password with the default crypt algorithm.  Either sha512crypt or
+yescrypt depending on the Infix build.
 
 It is also possible to use the `set password ...` command. This allows
-setting an already hashed password.  To manually hash a password, use
-the `do password encrypt` command.  This launches the admin-exec command
-to hash, and optionally salt, your password.  This encrypted string can
-then be used with the `set password ...` command.
+setting an already hashed password, which is what you must do when
+managing users over NETCONF or RESTCONF.  To manually hash a password,
+use the `do password encrypt` command.  This launches the admin-exec
+command to hash, and optionally salt, your password.  This encrypted
+string can then be used with the `set password ...` command.
 
 > if you are having trouble thinking of a password, Infix comes with a
 > `password generate` command in admin-exec context which generates
 > random passwords using the UNIX command `pwgen`.  Use the `do` prefix
 > when inside any configuration context to access admin-exec commands.
 {: .prompt-tip }
 
+
 ### SSH Public Key Login
 
 When accessing the system remotely using SSH it is very useful to have
@@ -59,3 +65,26 @@ admin@example:/config/system/authentication/user/admin/authorized-key/jacky@host
 > base64 encodes the public key data, so there is no need to use the
 > text-editor command with `authorized-key`, set does the job.
 {: .prompt-info }
+
+
+### User Permissions
+
+As a side note, user permissions are handled by the [Access Control
+Model][0], in `nacm` configuration context.  Essentially it allows
+defining a set of groups which a user can be member of.  At first boot a
+single group exist: `admin`, which the default `admin` user is member
+of.
+
+To give another user administrator rights we add them to the `admin`
+group:
+
+```
+admin@example:/config/> edit nacm group admin
+admin@example:/config/nacm/group/admin/> set user-name jacky
+admin@example:/config/nacm/group/admin/> leave
+```
+
+Read more about [user management][1] in the official documentation.
+
+[0]: https://datatracker.ietf.org/doc/html/rfc8341
+[1]: https://github.com/kernelkit/infix/blob/main/doc/system.md#multiple-users
