Default VyOS has one user: vyos with password vyos. If that’s still your production setup, you have a security problem. Every scanning bot knows those credentials.
Proper user management means: individual accounts, SSH keys instead of passwords, privilege separation, and audit trails. When something breaks, you need to know who touched what.
Shared accounts are an audit nightmare. Individual accounts with SSH keys are the baseline.
Default User Problem
```
# Default credentials
Username: vyos
Password: vyos

# Every automated scanner knows this
# First thing to change on new installation
```

Creating Users
Basic User Creation
```
configure

# Create admin user with full privileges
set system login user admin full-name "System Administrator"
set system login user admin authentication plaintext-password 'SecurePassword123!'

# Create operator user with limited access
set system login user operator full-name "Network Operator"
set system login user operator authentication plaintext-password 'OperatorPass456!'
set system login user operator level operator

commit
```

`plaintext-password` is hashed at commit time and stored as `encrypted-password`, but the plaintext you typed is still in the session's shell history and was visible on screen. Quote it with single quotes so the CLI shell does not expand `$` sequences, and treat password accounts as a stopgap until the SSH keys below are in place.

User Levels
| Level | Access |
|---|---|
| admin | Full configuration access |
| operator | Show commands, limited operational commands |
```
# Admin level (default)
set system login user admin level admin

# Operator level (read-mostly)
set system login user operator level operator
```

Caveat: the `level` node comes from VyOS 1.2. VyOS 1.3 and later dropped the operator level, so on those releases every configured user is an admin and the `level operator` command does not exist. Check `show version` and use tab completion after `set system login user <name>` before relying on it; if it is gone, read-only access has to be solved differently (a separate monitoring path, not a router login).

Operator Limitations
Operators can:
- View configuration
- Run show commands
- Basic operational commands
Operators cannot:
- Enter configuration mode
- Modify settings
- Restart services
SSH Key Authentication
Generate Keys (Client Side)
```
# On your workstation
ssh-keygen -t ed25519 -C "admin@example.com"
# Or RSA if ed25519 not supported
ssh-keygen -t rsa -b 4096 -C "admin@example.com"

# Get public key
cat ~/.ssh/id_ed25519.pub
```

Add Key to VyOS
```
configure

# Add SSH key for user
set system login user admin authentication public-keys admin@workstation key "AAAAC3NzaC1lZDI1NTE5AAAAIBxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
set system login user admin authentication public-keys admin@workstation type ssh-ed25519

# Or for RSA
set system login user admin authentication public-keys admin@workstation key "AAAAB3NzaC1yc2EAAAADAQABAAACAQxxxxxxxxx"
set system login user admin authentication public-keys admin@workstation type ssh-rsa

commit
```

The `key` value is only the second field of the `.pub` line (the base64 blob), without the `ssh-ed25519` prefix or the trailing comment, and `type` must match that prefix: VyOS writes `<type> <key> <id>` into the user's authorized_keys file, and sshd rejects a line whose declared type does not match the type encoded inside the blob.

Multiple Keys Per User
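Typing one pair of `set` commands per key is error-prone once a user has several keys. The following is an added example, not code from the page or from VyOS: it reads an authorized_keys-style file and emits the VyOS commands, checking that each line's declared type matches the type embedded in the base64 blob (an RFC 4251 string at the front of every OpenSSH key blob) and deriving the key identifier from the comment. The accepted-type list and the character set for identifiers are assumptions; the key blobs in the sample are synthetic, built to have the right layout rather than taken from real keys.

```python
import base64
import re
import struct

# Key types assumed to be accepted by "public-keys <id> type" (check tab
# completion on your release).
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def synthetic_blob(key_type: str, payload: bytes) -> str:
    """Base64 blob whose first SSH string is key_type, laid out like a real key.
    Synthetic: the payload is not real key material, only the shape is right."""
    return base64.b64encode(_ssh_string(key_type.encode()) + _ssh_string(payload)).decode()


def embedded_type(key_b64: str) -> str:
    """Return the key type encoded inside the blob (its first SSH string)."""
    blob = base64.b64decode(key_b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii", errors="replace")


def parse_key_line(line: str):
    """Return (type, base64, comment) for an authorized_keys line, skipping any
    leading options such as from=\"...\" by locating the first known type token."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES:
            if i + 1 >= len(tokens):
                raise ValueError("key type without key material")
            comment = " ".join(tokens[i + 2:]) or None
            return tok, tokens[i + 1], comment
    raise ValueError("no recognised key type on line")


def key_line_problem(line: str):
    """Describe why this line would give VyOS a key sshd cannot use, or None."""
    try:
        ktype, kb64, _ = parse_key_line(line)
        emb = embedded_type(kb64)
    except ValueError as exc:  # binascii.Error from b64decode is a ValueError
        return str(exc)
    if emb != ktype:
        return f"declared type {ktype} but blob is {emb}"
    return None


def vyos_key_commands(user: str, authorized_keys: str) -> list[str]:
    """Emit the 'set system login user ... public-keys' pair for every key."""
    cmds = []
    for lineno, raw in enumerate(authorized_keys.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        problem = key_line_problem(line)
        if problem:
            raise ValueError(f"line {lineno}: {problem}")
        ktype, kb64, comment = parse_key_line(line)
        # The identifier becomes a config node name; restrict it to safe characters
        # (assumed set, matching the user@host style used on this page).
        key_id = re.sub(r"[^A-Za-z0-9@._-]", "-", comment or f"key{lineno}")
        base = f"set system login user {user} authentication public-keys {key_id}"
        cmds.append(f'{base} key "{kb64}"')
        cmds.append(f"{base} type {ktype}")
    return cmds


# Constructed input: two well-formed keys plus a comment line.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# keys for the admin user",
    f"ssh-ed25519 {synthetic_blob('ssh-ed25519', bytes(range(32)))} work-laptop",
    f"ssh-rsa {synthetic_blob('ssh-rsa', bytes(range(64)))} home desktop",
])
# A line whose declared type does not match the blob: sshd would reject this key.
BAD_LINE = f"ssh-rsa {synthetic_blob('ssh-ed25519', bytes(range(32)))} typo"

if __name__ == "__main__":
    for cmd in vyos_key_commands("admin", SAMPLE_AUTHORIZED_KEYS):
        print(cmd)
    print("bad line:", key_line_problem(BAD_LINE))
```

Paste the printed commands into a `configure` session and `commit`; the mismatch check is what saves you from the silent failure where the key is in the config but the login still fails.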
```
# Work laptop
set system login user admin authentication public-keys work-laptop key "..."
set system login user admin authentication public-keys work-laptop type ssh-ed25519

# Home workstation
set system login user admin authentication public-keys home-desktop key "..."
set system login user admin authentication public-keys home-desktop type ssh-ed25519

# Emergency key (stored securely)
set system login user admin authentication public-keys emergency key "..."
set system login user admin authentication public-keys emergency type ssh-ed25519
```

Disable Password Authentication
```
# After adding SSH keys, disable password login
set service ssh disable-password-authentication
commit

# Now only SSH key authentication works
```

This only affects sshd. Console (serial/VGA) logins still accept the account passwords, so the passwords set earlier still matter for physical access.

Remove Default User
```
configure

# First, ensure you can login with new user!
# Test SSH key login in another terminal before deleting vyos user

# Delete default user
delete system login user vyos
commit
save

# If you lock yourself out, you'll need console access
```

`commit` changes the running configuration only; without `save` the vyos user is back after the next reboot.

SSH Service Configuration
Basic SSH Hardening
```
configure

# Listen only on management interface
set service ssh listen-address 192.168.1.1

# Change port (optional, reduces scanner noise, adds no real security)
set service ssh port 22222

# Disable password authentication
set service ssh disable-password-authentication

commit
```

There is no `timeout` or `max-auth-retries` node under `service ssh`; verify any option with tab completion before putting it in a runbook. Brute-force throttling on VyOS 1.4 is `set service ssh dynamic-protection` (sshguard-based; it has `threshold`, `block-time`, `detect-time` and `allow-from` sub-nodes), and idle sessions are handled by the client keepalive setting further down. If you change the port, remember to change the firewall rules below to match.

Allowed Networks
```
# Use firewall to limit SSH source IPs
set firewall ipv4 name MGMT-LOCAL rule 10 action accept
set firewall ipv4 name MGMT-LOCAL rule 10 destination port 22
set firewall ipv4 name MGMT-LOCAL rule 10 protocol tcp
set firewall ipv4 name MGMT-LOCAL rule 10 source address 10.0.0.0/24
set firewall ipv4 name MGMT-LOCAL rule 10 description "SSH from admin network only"

set firewall ipv4 name MGMT-LOCAL rule 999 action drop
set firewall ipv4 name MGMT-LOCAL rule 999 description "Drop all other"
```

A named rule set does nothing until something references it. On VyOS 1.4 traffic destined to the router itself passes through `firewall ipv4 input filter`, so jump into the chain from there:

```
set firewall ipv4 input filter rule 10 action jump
set firewall ipv4 input filter rule 10 jump-target MGMT-LOCAL
```

Test from an address outside 10.0.0.0/24 before you close the session that applied it.

SSH Client Keepalive
```
# Keep connections alive
set service ssh client-keepalive-interval 60
```

Per-User Restrictions
Restrict User to Specific Source
VyOS has no per-user source restriction (there is no sshd `Match` block in the CLI). Use the firewall for the source side and per-user keys for identity; on VyOS 1.4, `set service ssh access-control allow user <name>` additionally limits which accounts may log in over SSH at all, though still not by source address.

```
# Create group for restricted user's source
set firewall group network-group OPERATOR-NETS network 192.168.10.0/24

# Firewall rule allowing operator SSH only from specific network
# Combined with per-user SSH keys for enforcement
```

Login Tracking
```
# View current sessions
show users

# View login history
show log | grep -i ssh
show log | grep -i login

# Last logins
last
```

Emergency Access
Console Access
```
# Serial console always works
# Configure serial port
set system console device ttyS0 speed 115200
```

Emergency User
```
# Create break-glass account
set system login user emergency full-name "Emergency Access"
set system login user emergency authentication public-keys emergency key "..."
set system login user emergency authentication public-keys emergency type ssh-ed25519

# Store private key securely (safe, vault, etc.)
# Only use when normal access fails
```

Any login as `emergency` should raise an alert on the remote syslog side; under normal operation that account never logs in, so every appearance is either a declared incident or a compromise.

Password Policies
VyOS doesn’t have built-in password policies, but best practices:
Strong Passwords
```
# When setting passwords, enforce complexity
# Minimum 12 characters
# Mix of upper, lower, numbers, symbols

# Example (use password manager to generate)
set system login user admin authentication plaintext-password 'K8#mP9$nL2@qR5&w'
```

Use single quotes: the VyOS CLI is a bash shell, and inside double quotes `$nL2` would be expanded as a variable, silently setting a different password from the one you generated.

Encrypted Password Storage
```
# VyOS shows passwords encrypted in config
show configuration commands | grep authentication

# Output shows hash, not plaintext:
# set system login user admin authentication encrypted-password '$6$rounds=xxx$...'
```

Regular Password Rotation
No automated policy, but establish process:
- Document rotation schedule
- Use calendar reminders
- Change all passwords
- Update documentation
Service Accounts
For automation (Ansible, scripts):
```
# Create service account
set system login user ansible full-name "Ansible Automation"
set system login user ansible authentication public-keys ansible-server key "..."
set system login user ansible authentication public-keys ansible-server type ssh-ed25519

# Admin level needed for configuration
set system login user ansible level admin

# Consider: dedicated key per automation tool
```

One key per tool means one key to revoke when that tool's host is compromised, and the key id in the config tells you which one it was.

Audit Trail
Enable Logging
```
# VyOS logs authentication events to syslog
show log | grep -i auth

# Send to remote syslog for retention (in configure mode, then commit and save)
set system syslog host 10.0.0.100 facility auth level info
set system syslog host 10.0.0.100 facility authpriv level info
```

sshd logs to the `auth` facility but sudo logs to `authpriv`, so forward both or the privilege-escalation records stay on the box.

What Gets Logged
- SSH login success/failure
- Configuration changes
- Privilege escalation
- User source IP
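Those four record types are what you will be reading at 3 a.m., so it pays to know their shape. The following is an added example, not code from the page or from VyOS: it parses a handful of constructed log lines in the standard OpenSSH and sudo syslog formats into a per-user record and flags what matters here: password-based logins after keys were supposed to be mandatory, probes against the default `vyos` account, and repeated failures from one source. The sample lines are constructed, the three-failure threshold is an assumption, and commit log lines are not parsed because their wording differs between VyOS releases.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Classic syslog prefix as printed by "show log": timestamp, host, then the program.
_PREFIX = r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ "
ACCEPTED = re.compile(_PREFIX + r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
FAILED = re.compile(_PREFIX + r"sshd\[\d+\]: Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
SUDO = re.compile(_PREFIX + r"sudo: +(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


@dataclass
class AuthSummary:
    logins: list = field(default_factory=list)          # (ts, user, ip, method)
    failures: Counter = field(default_factory=Counter)  # (ip, user) -> attempts
    escalations: list = field(default_factory=list)     # (ts, user, target, cmd)
    unparsed: int = 0


def summarize(log_text: str) -> AuthSummary:
    """Build the who/where/when record from raw log lines."""
    s = AuthSummary()
    for line in log_text.splitlines():
        if m := ACCEPTED.match(line):
            s.logins.append((m["ts"], m["user"], m["ip"], m["method"]))
        elif m := FAILED.match(line):
            s.failures[(m["ip"], m["user"])] += 1
        elif m := SUDO.match(line):
            s.escalations.append((m["ts"], m["user"], m["target"], m["cmd"]))
        else:
            s.unparsed += 1
    return s


def findings(s: AuthSummary, threshold: int = 3) -> list[str]:
    """Turn the summary into the items worth acting on."""
    out = []
    for ts, user, ip, method in s.logins:
        if method != "publickey":
            out.append(f"{ts}: {user} logged in from {ip} by {method}; password auth is still enabled")
    for (ip, user), n in sorted(s.failures.items()):
        if user == "vyos":
            out.append(f"{ip} probed the default vyos account ({n} attempts)")
        if n >= threshold:
            out.append(f"{ip} failed {n} times against {user}")
    for ts, user, target, cmd in s.escalations:
        out.append(f"{ts}: {user} ran as {target}: {cmd}")
    return out


# Constructed sample, not taken from a real router.
SAMPLE_LOG = """\
Mar 14 14:30:11 vyos sshd[2231]: Accepted publickey for admin1 from 10.0.0.55 port 51234 ssh2: ED25519 SHA256:constructed
Mar 14 14:30:11 vyos sshd[2231]: pam_unix(sshd:session): session opened for user admin1(uid=1001) by (uid=0)
Mar 14 14:32:05 vyos sudo:   admin1 : TTY=pts/0 ; PWD=/home/admin1 ; USER=root ; COMMAND=/usr/bin/systemctl restart ssh
Mar 14 14:40:01 vyos sshd[2290]: Failed password for invalid user root from 203.0.113.9 port 44412 ssh2
Mar 14 14:40:03 vyos sshd[2290]: Failed password for invalid user root from 203.0.113.9 port 44412 ssh2
Mar 14 14:40:06 vyos sshd[2301]: Failed password for vyos from 203.0.113.9 port 44460 ssh2
Mar 14 14:40:09 vyos sshd[2301]: Accepted password for vyos from 203.0.113.9 port 44460 ssh2
Mar 14 14:41:00 vyos sshd[2310]: Accepted publickey for noc1 from 192.168.10.20 port 40000 ssh2: ED25519 SHA256:constructed
"""

if __name__ == "__main__":
    for item in findings(summarize(SAMPLE_LOG), threshold=2):
        print(item)
```

The fourth accepted line is the one that should never appear on a hardened box: a password login as `vyos` from an outside address means the default account survived and password authentication was never disabled.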
Review Logs
```
# Recent auth events
show log | grep -i auth | tail -50

# Failed logins
show log | grep -i "Failed password"

# Configuration changes
show log | grep -i commit
```

`Failed password` only matches password attempts. Once password authentication is off, failed key attempts show up differently (typically as connections closed during authentication), so grep for `sshd` and read the context rather than trusting one pattern.

Multi-User Setup Example
Complete Setup
```
configure

# Admin users (full access)
set system login user admin1 full-name "Alice Admin"
set system login user admin1 authentication public-keys laptop key "..."
set system login user admin1 authentication public-keys laptop type ssh-ed25519
set system login user admin1 level admin

set system login user admin2 full-name "Bob Admin"
set system login user admin2 authentication public-keys laptop key "..."
set system login user admin2 authentication public-keys laptop type ssh-ed25519
set system login user admin2 level admin

# Operator users (limited access)
set system login user noc1 full-name "NOC Operator 1"
set system login user noc1 authentication public-keys workstation key "..."
set system login user noc1 authentication public-keys workstation type ssh-ed25519
set system login user noc1 level operator

# Service account (for automation)
set system login user ansible full-name "Ansible Service"
set system login user ansible authentication public-keys server key "..."
set system login user ansible authentication public-keys server type ssh-ed25519
set system login user ansible level admin

# Remove default user
delete system login user vyos

# SSH hardening
set service ssh disable-password-authentication

commit
save
```

The Lesson
Shared accounts are an audit nightmare. Individual accounts with SSH keys are the baseline.
Minimum requirements:
- Individual accounts: One user = one person
- SSH keys: No password authentication
- Principle of least privilege: Operators don’t need admin
- Remove defaults: Delete vyos user
- Log everything: Remote syslog for audit
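Four of those five requirements are visible in `show configuration commands` output, so they can be checked mechanically across a fleet instead of by eye. The following is an added example, not code from the page or from VyOS: it parses a configuration dump and reports a default `vyos` user, password-only accounts, password authentication still enabled on sshd, sshd bound to every interface, and no remote syslog host. Both configuration samples are constructed; the weak one fails every check and the hardened one passes, so you can see what "baseline" looks like as data. The listen-address check is a policy assumption (a router with only a management interface may legitimately skip it).

```python
import shlex
from collections import defaultdict


def parse_set_commands(text: str) -> list[list[str]]:
    """Split 'show configuration commands' output into token paths, honouring
    the single quotes VyOS puts around values."""
    paths = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set "):
            paths.append(shlex.split(line)[1:])
    return paths


def audit_login_config(text: str) -> list[str]:
    """Check the user-management baseline against a configuration dump."""
    users = defaultdict(lambda: {"password": False, "keys": set()})
    ssh_nodes = set()
    syslog_hosts = set()
    for p in parse_set_commands(text):
        if p[:3] == ["system", "login", "user"] and len(p) >= 4:
            rest = p[4:]
            u = users[p[3]]
            if rest[:2] in (["authentication", "encrypted-password"],
                            ["authentication", "plaintext-password"]):
                u["password"] = True
            elif rest[:2] == ["authentication", "public-keys"] and len(rest) > 2:
                u["keys"].add(rest[2])
        elif p[:2] == ["service", "ssh"] and len(p) > 2:
            ssh_nodes.add(p[2])
        elif p[:3] == ["system", "syslog", "host"] and len(p) > 3:
            syslog_hosts.add(p[3])

    findings = []
    if "vyos" in users:
        findings.append("default user 'vyos' still exists")
    for name, u in sorted(users.items()):
        if u["password"] and not u["keys"]:
            findings.append(f"user '{name}' has a password but no SSH key")
    if "disable-password-authentication" not in ssh_nodes:
        findings.append("service ssh: password authentication is still enabled")
    if "listen-address" not in ssh_nodes:
        findings.append("service ssh: no listen-address, sshd listens on every interface")
    if not syslog_hosts:
        findings.append("system syslog: no remote host, the audit trail dies with the box")
    return findings


# Constructed samples; hashes and key blobs are placeholders, not real values.
WEAK_CONFIG = """\
set service ssh port '22'
set system login user vyos authentication encrypted-password '$6$rounds=656000$constructed$hash'
set system login user vyos full-name 'Default User'
set system login user noc1 authentication encrypted-password '$6$rounds=656000$constructed$hash2'
set system login user admin1 authentication public-keys laptop key 'AAAAC3NzaC1lZDI1NTE5AAAAIconstructed'
set system login user admin1 authentication public-keys laptop type 'ssh-ed25519'
"""

HARDENED_CONFIG = """\
set service ssh disable-password-authentication
set service ssh listen-address '192.168.1.1'
set service ssh port '22'
set system login user admin1 authentication public-keys laptop key 'AAAAC3NzaC1lZDI1NTE5AAAAIconstructed'
set system login user admin1 authentication public-keys laptop type 'ssh-ed25519'
set system login user ansible authentication public-keys server key 'AAAAC3NzaC1lZDI1NTE5AAAAIconstructed'
set system login user ansible authentication public-keys server type 'ssh-ed25519'
set system syslog host 10.0.0.100 facility auth level 'info'
"""

if __name__ == "__main__":
    for finding in audit_login_config(WEAK_CONFIG) or ["baseline met"]:
        print(finding)
```

Feed it the output of `show configuration commands` collected over SSH from each router (the ansible account above is the natural place to run it from) and you have a continuous check that the day-one setup has not drifted.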
When the next security incident happens:
- With shared accounts: “Someone changed something”
- With individual accounts: “admin1 changed firewall rule 50 at 14:32 from IP 10.0.0.55”
The audit trail is the difference between “we don’t know” and “here’s exactly what happened.”
Set up users properly from day one. Retrofitting access control during an incident is not fun.