Forum Discussion

romolo82's avatar
romolo82
Icon for Cirrus rankCirrus
Feb 14, 2024

Creating local user account

Hi, I can't create a working local user accoount on a Big-IP system.

There is already a remote authentication and I know that this can give some problems... I read that is possible a workaraound with the command "modify /sys db systemauth.nolocalonly value false" to enable together both of authentication systems (local and remote), but doesn't work.

 

Anybody has a suggestione?

Thanks, regards

  • Usually, the remote authentication takes precedence unless the servers are not available. In which case, there is a fallback setting that can be configured to use local accounts:

    For the Fallback to Local setting, select the check box when you want to allow configuring remote authentication to fall back to the local authentication when the remote server is unavailable.

    Reference: https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-user-account-administration-13-1-0/5.html

    Sadly, your db option only applies to the root and admin users:

    • trueIf this database key is set to true, the root and admin accounts use remote authentication.
    • falseIf this database key is set to false (default), the root and admin accounts use local authentication at all times.

    Reference: https://my.f5.com/manage/s/article/K49218438

    That said, what you want to accomplish CAN be done, but you would need to modify underlying linux configuration files for pam I suspect. This would not be supported natively by the F5 BIG-IP and 'can' be considered a security risk. Usually local account passwords are not rotated and forced to be reset like remote sources, and if there is a DDoS of the remote server IPs, it would be trivial to perhaps login via a local account.

    If you have LOTS of admin / application users accessing the F5 BIG-IP, use remote authentication. If you have a team that 'owns' the F5 BIG-IPs, make sure they always have access to the admin/root users and also make sure that you implement integration such as with Cyberark to rotate out these passwords on a regular basis. Keep in mind, Cyberark does have really nice integrations with Ansible even, so you can automate the retrieval of the current password, some tasks, and then recycling the password once used.

    Just some thoughts.

  • Usually, the remote authentication takes precedence unless the servers are not available. In which case, there is a fallback setting that can be configured to use local accounts:

    For the Fallback to Local setting, select the check box when you want to allow configuring remote authentication to fall back to the local authentication when the remote server is unavailable.

    Reference: https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-user-account-administration-13-1-0/5.html

    Sadly, your db option only applies to the root and admin users:

    • trueIf this database key is set to true, the root and admin accounts use remote authentication.
    • falseIf this database key is set to false (default), the root and admin accounts use local authentication at all times.

    Reference: https://my.f5.com/manage/s/article/K49218438

    That said, what you want to accomplish CAN be done, but you would need to modify underlying linux configuration files for pam I suspect. This would not be supported natively by the F5 BIG-IP and 'can' be considered a security risk. Usually local account passwords are not rotated and forced to be reset like remote sources, and if there is a DDoS of the remote server IPs, it would be trivial to perhaps login via a local account.

    If you have LOTS of admin / application users accessing the F5 BIG-IP, use remote authentication. If you have a team that 'owns' the F5 BIG-IPs, make sure they always have access to the admin/root users and also make sure that you implement integration such as with Cyberark to rotate out these passwords on a regular basis. Keep in mind, Cyberark does have really nice integrations with Ansible even, so you can automate the retrieval of the current password, some tasks, and then recycling the password once used.

    Just some thoughts.

  • If you want local user accounts to work while having remote authentication configured, you just need to add the local user to the 'localusers' configuration file. Just bear in mind that this does not persist after a code upgrade, so you will need to run the command again (otherwise the local user will not be able to log in).

    run util bash
    echo "<USERNAME>" >> /config/bigip/auth/localusers