Ok, my previous mail was a little confused. I'll try to explain.
idle-timeout is a different problem from what I'm trying to do.
I created this config:
system {
}
login {
class labuser {
idle-timeout 30;
permissions [ clear configure control field floppy interface
interface-control network reset routing routing-control shell snmp
snmp-control system system-control trace trace-control view maintenance
firewall firewall-control secret secret-control rollback ];
/* every permission except 'admin' 'admin-control'*/
}
user juniper {
uid 2002;
class labuser;
authentication {
encrypted-password "$1$TCPMb$PhlaybNr.MWLPR5XXKK.Y0"; # SECRET-DATA
}
I commit it, then I log on as user juniper (who belongs to class labuser
and doesn't have 'admin' and 'admin-control' rights), then I try to change the
class of user juniper from labuser to superuser.
juniper@M20-LAB> edit
Entering configuration mode
[edit]
juniper@M20-LAB# set system login user juniper class super-user
[edit]
juniper@M20-LAB# commit and-quit
commit complete
Exiting configuration mode
juniper@M20-LAB> exit
M20-LAB (ttyd0)
login: juniper
Password:
Last login: Mon Jun 18 14:50:49 on ttyd0
--- JUNOS 4.4R2.3 built 2001-05-30 00:57:00 UTC
juniper@M20-LAB> show configuration
version 4.4R2.3;
system {
}
login {
class labuser {
idle-timeout 30;
permissions [ ...... ];
}
user juniper {
uid 2002;
class super-user;
/*
To my great surprise it works, and no error message or denial is received.
From the documentation on permissions:
permissions
Hierarchy Level
[edit system login class]
Required Privilege Level
> admin--To view this statement in the configuration.
> admin-control--To add this statement to the configuration.
But these privilege levels are not assigned to class labuser, so I couldn't do
it.
This is my doubt.
Stefano
>
> It doesn't appear as if you're using the class you've defined (labuser)
> for user Juniper. Also keep in mind that you can't modify the builtin
> classes. To create a superuser account with idle-timeouts, you could do
> the following for class administrator & user admin:
>
> [system login]
> /* Cannot modify the predefined classes, so we must create our own. */
> class administrator {
> /* Session will time out after 15 minutes of inactivity */
> idle-timeout 15;
> permissions all;
> }
> /* This is our superuser account */
> user admin {
> full-name Administrator;
> uid 2000;
> class administrator;
> authentication {
> encrypted-password "<PASSWORD>"; # SECRET-DATA
> }
> }
>
> -- steve
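
An added example, not part of the original thread and not Juniper code: a small audit that parses a `system login` stanza and lists users whose class grants `configure` without `admin-control`, the combination the message above reports as still able to change its own class. The function names, the sample config and the assumption that `login` is nested under `system` are constructed for illustration.

```python
import re
# Constructed sample modelled on the post's config; the hash is a placeholder.
SAMPLE = '''
system { login {
    class labuser { idle-timeout 30;
        permissions [ clear configure interface network
                      view maintenance ]; } /* no admin, admin-control */
    class operators-ro { permissions [ view ]; }
    user juniper { uid 2002; class labuser;
        authentication { encrypted-password "<HASH>"; # SECRET-DATA
        } }
    user noc { uid 2003; class operators-ro; }
} }
'''

# Comments match first so they can be dropped; quoted strings stay whole.
TOKEN = re.compile(r'/\*.*?\*/|#[^\n]*|"[^"]*"|[{}\[\];]|[^\s{}\[\];"]+', re.S)
def tokens(text):
    return [t for t in TOKEN.findall(text) if not t.startswith(('/*', '#'))]

def parse(toks, i=0):
    # Returns (node, next_index): "head;" -> list of values, "head {" -> dict.
    node, words = {}, []
    while i < len(toks):
        t = toks[i]; i += 1
        if t == '{':
            node[' '.join(words)], i = parse(toks, i)
            words = []
        elif t == '}':
            return node, i
        elif t == ';':
            if words:
                node[words[0]] = [w for w in words[1:] if w not in ('[', ']')]
            words = []
        else:
            words.append(t)
    return node, i

def risky_users(config):
    # Assumption from the post: 'configure' w/o 'admin-control' can edit login.
    login = parse(tokens(config))[0].get('system', {}).get('login', {})
    risky = set()
    for key, body in login.items():
        if key.startswith('class '):
            perms = set(body.get('permissions', []))
            if 'configure' in perms and not perms & {'admin-control', 'all'}:
                risky.add(key.split()[1])
    return sorted(k.split()[1] for k, b in login.items()
                  if k.startswith('user ') and (b.get('class') or [''])[0] in risky)
```

On the constructed sample, `risky_users(SAMPLE)` returns `['juniper']`; users in built-in classes or in classes with `permissions all` are not reported, since those are administrators by design.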
This archive was generated by hypermail 2b29 : Mon Aug 05 2002 - 10:42:37 EDT