Users

Use the Gaia Portal and Gaia Clish to manage user accounts. You can:

Add users to your Gaia system.
Edit the home directory of the user.
Edit the default shell for a user.
Give a password to a user.
Give privileges to users.

These users are created by default and cannot be deleted:

admin - Has full read/write capabilities for all Gaia features, from the Gaia Portal and the Gaia Clish. This user has a User ID of 0, and therefore has all of the privileges of a root user.
monitor - Has read-only capabilities for all features in the Gaia Portal and the Gaia Clish, and can change its own password. You must give a password for this user before the account can be used.

New users have read‑only privileges to the Gaia Portal and the Gaia Clish by default. You must assign one or more roles before they can log in.

Notes:

You can assign permissions to all Gaia features or a subset of the features without assigning a user ID of 0. If you assign a user ID of 0 to a user account (you can do this only in the Gaia Clish), the user is equivalent to the Admin user and the roles assigned to that account cannot be modified.
Do not define a new user for external users. An external user is one that is defined on an authentication server (such as RADIUS or TACACS) and not on the local Gaia system.

When you create a user, you can add pre-defined roles (privileges) to the user. For more information, see the Role-Based Administration.

Warning - A user with read and write permission to the Users feature can change the password of another user, or an admin user. Therefore, write permission to the Users feature should be assigned with caution.

Managing User Accounts - Gaia Portal

To see a list of all configured users:

In the navigation tree, click User Management > Users.

You can also see your username in the top right corner of the Gaia Portal.

To add a new user:

Step	Description
1	In the navigation tree, click User Management > Users.
2	Click Add.
3	In the Login Name field, enter the username. The valid characters (between 1 and 32 characters) are alphanumeric characters, dash (-), and underscore (_).
4	In the Password field, enter the user's password. All printable characters are allowed. Length is between 6 and 128 characters. Important - Do not use the asterisk (*) character in the password. User with such password will not be able to log in.
5	In the Confirm Password field, enter the user's password again.
6	In the Real Name field, enter the user's real name or other informative text. This is an alphanumeric string that can contain spaces. The default is the user's Login Name with capitalized first letter.
7	In the Home Directory field, enter the user's home directory. This is the full Linux path name of a directory, to which the user will log in. Must be a subdirectory of `/home/` directory. If the subdirectory does not already exist, it is created.
8	In the Shell field, select the user's default login shell. See the explanations in the next table.
9	Select User must change password at next logon, if you wish to force the user to change the configured password during the next login. Note -If the user does not log in within the time limit configured in the Gaia Portal > User Management > Password Policy page > Mandatory Password Change section > Lockout users after password expiration > Lockout user after X days, the user may not be able to log in at all.
10	Optional: In the UID field, enter or select the applicable User ID: 0 for administrator users (this is the default option) between 103 and 65533 for non-administrator users
11	In the Access Mechanisms section: Select Web to allow this user to access Gaia Portal. Select Clish Access to allow this user to access Gaia Clish.
12	In the Available Roles list: Select the roles you wish to assign to this user. To select several roles: Press and hold the Ctrl key on the keyboard. Left-click the applicable roles. The selected roles become highlighted. Click Add >. The selected roles move to the Assigned Roles list.
13	Click OK.

User's login shells:

Shell	Description
`/etc/cli.sh`	This is the default option. Lets the user work with the full Gaia Clish. By default, some basic networking commands (such as `ping`) are also available. The Extended Commands in the assigned roles makes it possible to add more Linux commands that can be used. User can run the `expert` command to enter the Bash shell (Expert mode).
`/bin/bash`	BASH Linux shell. Lets the user work with the Expert mode. User can run the `clish` command to enter the Gaia Clish.
`/bin/csh`	CSH Linux shell. User can run the `clish` command to enter the Gaia Clish.
`/bin/p1shell`	Check Point shell for Multi-Domain Server. Lets the administrator user run Multi-Domain Security Management CLI commands in the context of Multi-Domain Server and Domains, without root permissions. For more information, see the R80.20 Multi-Domain Security Management Administration Guide.
`/bin/sh`	SH Linux shell. User can run the `clish` command to enter the Gaia Clish.
`/bin/tcsh`	TCSH Linux shell. User can run the `clish` command to enter the Gaia Clish.
`/usr/bin/scponly`	User is not allowed to log in to Gaia. User can only connect to Gaia over SCP and transfer files to and from the system. No other commands are permitted.
`/sbin/nologin`	User is not allowed to log in to Gaia.

To change a user configuration:

Step	Description
1	In the navigation tree, click User Management > Users.
2	Select the user.
3	Click Edit.
4	In the Real Name field, enter the user's real name or other informative text.
5	In the Home Directory field, enter the user's home directory.
6	In the Shell field, select the user's default login shell.
7	Select User must change password at next logon, if you wish to force the user to change the configured password during the next login.
8	In the Available Roles list, select the roles you wish to assign to this user and click Add >.
9	In the Assigned Roles list, select the roles you wish to remove from this user and click Remove >.
10	Click OK.

Note - For the default users admin and monitor, you can only change the Shell and Roles.

To delete a user:

Step	Description
1	In the navigation tree, click User Management > Users.
2	Select the user.
3	Click Delete.
4	Click OK to confirm.

Note - You cannot delete the default users admin and monitor.

Managing User Accounts - Gaia Clish

Description

Manage user accounts. You can add users, edit the home directory of the user, edit the default shell for a user, give a password to a user, and give privileges to users.

Note - You can use the add user command to add new users, but you must use the set user <username> password command to set the password and allow the user to log on to the system.

Syntax

To add a local user account:

add user <UserName> uid <User ID> homedir <Path>
To add a RADIUS user account:

add user <UserName> uid 0 homedir <Path>

To modify a user account:

set user <UserName>

force-password-change {yes | no}

gid <System Group ID>

homedir <Path>

lock-out off

newpass <Password>

password

password-hash <Password Hash>

realname <Name>

shell <Login Shell>

uid <User ID>}

To show summary information about all users:

show users
To shows information about a specific user:

show user <UserName>

[force-password-change]

[gid]

[homedir]

[lock-out]

[realname]

[shell>]

[uid]
To delete a configured user:

delete user <User ID>

Important - After you add, configure, or delete features, run the save config command to save the settings permanently.

Parameters

Parameter	Description
`user <`UserName`>`	Configures unique login username - an alphanumeric string, from 1 to 32 characters long, that can contain dashes (-) and underscores (_), but not spaces.
`uid <`User ID`>`	Optional. Configures unique User ID to identify permissions of the user: `0` for administrator users and RADIUS user account (this is the default option) between `103` and `65533` for non-administrator users Note - If a value is not specified, Gaia OS automatically assigns the next free sequential number.
`homedir <`Path`>`	Configures user's home directory. This is the full Linux path name of a directory, to which the user will log in. Must be a subdirectory of `/home/` directory. If the subdirectory does not already exist, it is created.
`force-password-change {yes \| no}`	If you wish to force the user to change the configured password during the next login, set the value to `yes`. Note - If the user does not log in within the time limit configured by the `set password-controls expiration-lockout-days` command, the user may not be able to log in at all.
`gid <`System Group ID`>`	Configures System Group ID (`0‑65535`) for the primary group, to which a user belongs. The default is `100`. You can add the user to several groups. Use the `add group` and `set group` commands to manage the groups.
`lock-out off`	Unlocks the user, if the user was locked-out. The password expiration date is adjusted, if necessary.
`newpass <`Password`>`	Configures a new password for the user. You will not be asked to verify the new password. The password you enter shows on the terminal command line in plain text, and is stored in the command history as plain text.
`password`	Configures a password for the new user. The command runs in interactive mode. You must enter the password twice, to verify it. The password you enter will not be visible on the terminal command line.
`password-hash <`Password Hash`>`	Configures the password using an encrypted representation of the password. The password is not visible as text on the terminal command line, or in the command history. Use this option if you want to change passwords using a script. You can generate the hash version of the password using standard Linux hash generating utilities.
`realname <`Name`>`	Configures user's description - most commonly user's real name. This is an alphanumeric string that can contain spaces. The default is the username with capitalized first letter.
`shell <`Login Shell`>`	Configures the user's default login shell. `/etc/cli.sh`: This is the default option. Lets the user work with the full Gaia Clish. By default, some basic networking commands (such as `ping`) are also available. The Extended Commands in the assigned roles makes it possible to add more Linux commands that can be used. User can run the `expert` command to enter the Bash shell (Expert mode). `/bin/bash`: BASH Linux shell. Lets the user work with the Expert mode. User can run the `clish` command to enter the Gaia Clish. `/bin/csh`: CSH Linux shell. Gives the user Expert mode access. User can run the `clish` command to enter the Gaia Clish. `/bin/p1shell`: Check Point shell for Multi-Domain Server. Lets the administrator user run Multi-Domain Security Management CLI commands in the context of Multi-Domain Server and Domains, without root permissions. For more information, see the R80.20 Multi-Domain Security Management Administration Guide. `/bin/sh`: SH Linux shell. Gives the user Expert mode access. User can run the `clish` command to enter the Gaia Clish. `/bin/tcsh`: TCSH Linux shell. Gives the user Expert mode access. User can run the `clish` command to enter the Gaia Clish. `/usr/bin/scponly`: User is not allowed to log in to Gaia. User can only connect to Gaia over SCP and transfer files to and from the system. No other commands are permitted. `/sbin/nologin`: User is not allowed to log in to Gaia.