Tutorial: Manage the Local Authentication Method from the Command-Line Interface
Use this tutorial to manage local authentication for Access Server from the command-line interface.
Overview
Use this tutorial to find the commands necessary to manage the local authentication method for Access Server.
Access Server stores user and group properties in the /usr/local/openvpn_as/etc/db/userprop.db file for local authentication mode.
Access Server supports hashed passwords in the user properties database in SHA256, PBKDF2, or SCrypt format. New password hashes are stored as PBKDF2 by default. PBKDF2 is implemented with a 16-byte random salt, SHA-256 hashing, a 32-byte output length, and 100,000 iterations.
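The PBKDF2 parameters listed above, worked through in Python as an added example (not Access Server code): it derives and checks a hash with a 16-byte random salt, SHA-256, 32-byte output, and 100,000 iterations. The record layout and the function names make_record, check_record, and needs_rehash are assumptions made for illustration and do not describe how userprop.db encodes its entries.

```python
import hashlib
import hmac
import os

# Parameters stated in the text above for the default PBKDF2 hashes.
SALT_LEN, DK_LEN, ITERATIONS = 16, 32, 100_000
SCHEME = "pbkdf2-sha256"  # label constructed for this example


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Hash a password with a fresh random salt and return a storable record.

    The "scheme$iterations$salt$hash" layout is constructed for this example;
    it is not the encoding Access Server uses in userprop.db.
    """
    salt = os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DK_LEN)
    return f"{SCHEME}${iterations}${salt.hex()}${dk.hex()}"


def check_record(password: str, record: str) -> bool:
    """Recompute the hash from the record's own salt and iteration count."""
    try:
        scheme, iters, salt_hex, dk_hex = record.split("$")
        iterations = int(iters)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False  # malformed record: reject instead of raising
    if scheme != SCHEME or len(salt) != SALT_LEN or len(expected) != DK_LEN:
        return False
    # Bound the work factor so a tampered record cannot stall the verifier.
    if not 1 <= iterations <= 10 * ITERATIONS:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DK_LEN)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(dk, expected)


def needs_rehash(record: str) -> bool:
    """True when a record is malformed or uses fewer iterations than ITERATIONS."""
    parts = record.split("$")
    return len(parts) != 4 or not parts[1].isdigit() or int(parts[1]) < ITERATIONS
```

Because every record gets its own random salt, hashing the same password twice yields two different records, and both still verify.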
Prerequisites
An installed Access Server.
Console access with the ability to get root privileges.
Set the default authentication mode to local:
sacli --key "auth.module.type" --value "local" ConfigPut
sacli start
Prefer the SCrypt password hashing method (on Access Server 2.11 and newer):
sacli --key "auth.local.0.prefer_scrypt" --value "true" ConfigPut
sacli start
Add a new user from scratch:
sacli --user <USER_NAME> --key "type" --value "user_connect" UserPropPut
sacli start
Set the password for a user in local authentication mode:
sacli --user '<USER_NAME>' --new_pass '<PASSWORD>' SetLocalPassword
sacli start
Set the authentication mode for the user (on Access Server 2.10 and newer):
sacli --user <USER> --key "user_auth_type" --value "local" UserPropPut
sacli start
Remove the password for a user in local authentication mode:
sacli --user <USER_NAME> RemoveLocalPassword
sacli start
Remove all user properties to delete the user:
sacli --user <USER_OR_GROUP> UserPropDelAll
sacli start