Send netdisco-users mailing list submissions to
netdisco-users@lists.sourceforge.net
Today's Topics:
1. Re: Local admin account (Oliver Gorwits)
--- Begin Message ---
OK thanks.
I think setting (at least) one of the TACACS+ accounts to admin and then
deleting the admin account created via netdisco-deploy sounds the best
route for you.
All accounts will be within policy, and netdisco-deploy will not complain
for upgrades.
Recovery in the case of loss of TACACS+ service would be to either have
kept the admin account with a strong password, or else delete all users
with psql and then run netdisco-deploy.
regards
oliver.
On Wed, 30 Jul 2025 at 15:32, Dean, Barry <b.d...@liverpool.ac.uk> wrote:
>
> - Now, you mentioned "default account" so I just want to check whether
> you're also using the suggest_guest or no_auth features. If so, the above
> might not all apply. Do let me know and we can explore further.
>
> By “default account” I mean the one you get by default, which as you say
> will be created by netdisco-deploy.
>
>
>
> suggest_guest is not in my deployments.yml and “no_auth” appears
> commented out as “#no_auth: false”.
>
>
>
> The theory goes that because “admin” has write/change access to something
> (anything) it should be governed by strict controls.
>
>
>
> *Thanks*
>
> *Barry Dean*
>
> *Network Analyst Team Leader*
>
>
>
> *From:* Oliver Gorwits <oli...@cpan.org>
> *Sent:* 29 July 2025 18:45
> *To:* Dean, Barry <b.d...@liverpool.ac.uk>;
> netdisco-users@lists.sourceforge.net
> *Subject:* Re: [Netdisco] Local admin account
>
>
>
>
> Hi Barry
>
>
>
> Great question! I reckon you should be fine with the policy and Netdisco.
> The admin account is only used by humans in the web interface. Here are
> some notes, to help:
>
>
>
> The netdisco-deploy script checks for the existence of one account with
> admin privileges and will nag to create one if missing. So, you can't
> remove it (or you can, but will be nagged by netdisco-deploy next time you
> upgrade). Submit a feature ticket if you want to make the nagging optional;
> we could have a setting to override.
>
>
>
> The name "admin" is not special. You can have users with admin privileges
> called anything, and indeed assign admin privileges to any account(s).
>
>
>
> Yes you should be able to have an account with admin privileges via
> TACACS+ as you need to create the accounts in netdisco matching the TACACS+
> accounts anyway - just add the admin rights checkbox. For recovery you
> could run netdisco-deploy which will allow creation of a new local account
> with admin privilege.
>
>
>
> Now, you mentioned "default account" so I just want to check whether
> you're also using the suggest_guest or no_auth features. If so, the above
> might not all apply. Do let me know and we can explore further.
>
>
>
> And finally just to say again: Netdisco itself, for all scheduled jobs and
> netdisco-do, doesn't use any of the user accounts. They are simply for the
> web.
>
>
>
> Hope this helps,
>
>
>
> Oliver.
>
>
>
> On Tue, 29 Jul 2025 at 17:32, Dean, Barry via netdisco-users <
> netdisco-users@lists.sourceforge.net> wrote:
>
> I am being asked to implement a strict password policy on any local admin
> accounts. I am wondering how I can do this with the default built-in admin
> account on NetDisco.
>
>
>
> It’s the only local account we have; all others use TACACS+.
>
>
>
> 1. Can I rename the default account?
> 2. Can I disable or delete the default admin account?
> 3. Can I make the default account use TACACS+? Obviously for recovery
> if TACACS+ was ever down, we’d have a problem.
>
>
>
> Password policy would be all the usual… Length, complexity, history,
> expiry etc. Obviously not needed if the local account is made non-local or
> deleted!
>
>
>
> Barry Dean
>
> Network Team, University of Liverpool
>
>
>
--- End Message ---