[c-nsp] How to easily and securely pull configuration from a PIX/ASA

Thorsten Dahm t.dahm at resolution.de
Fri Dec 7 08:48:39 EST 2007


Marc Haber wrote:
> On Thu, Dec 06, 2007 at 09:03:39PM +0000, Thorsten Dahm wrote:
>> Marc Haber wrote:
>>> Which access privileges would RANCID need, and how far can the RANCID
>>> account be restricted?
>> The same as any user who is able to do a "sh run".
> 
> Which access privileges are needed to do a "sh run"?

By default, IIRC, level 15.

>>> The administrators of the boxes are not very
>>> keen on handing out unrestricted privilege 15 accounts to automated
>>> processes.
>> They may be able to restrict the user to the "sh run" command only.
> 
> Is it possible to authenticate through a ssh key, and is it possible
> to restrict a key to be only accepted from one single IP address?

I think Gert is right, Cisco can't do that. You could use AAA and TACACS 
to only allow a specific user to execute 1 command, or you lower the 
privilege level needed for a sh run with this command:

privilege exec level 1 show running

But this is then global for this device, so every user with privilege 1 
could do a sh run in this example.

cheers,
Thorsten
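The two options Thorsten mentions, written out as an added configuration example (not from the thread and not a RANCID project artefact). The IOS part shows the device-global privilege-level change beside the per-user TACACS+ command-authorization route; the second part is an assumed Shrubbery tac_plus server entry for a user named rancid. The server address 192.0.2.10, the user name and every key or password value are placeholders.

```text
! --- Cisco IOS side (added example; not from the thread) ---
! Approach 1: make "show running-config" available at privilege level 1.
! Device-global: every level-1 user on this box can now do "sh run".
privilege exec level 1 show running-config
username rancid privilege 1 secret <RANCID-PASSWORD-PLACEHOLDER>

! Approach 2: per-user command authorization through TACACS+.
! The device asks the server before running each command, so the
! restriction applies to the rancid user only, not to every level-1 user.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
tacacs-server host 192.0.2.10 key <TACACS-KEY-PLACEHOLDER>

# --- tac_plus (Shrubbery) server side, assumed configuration ---
# Everything is denied for this user except "show running-config".
user = rancid {
    default service = deny
    login = des <CRYPTED-PASSWORD-PLACEHOLDER>
    service = exec {
        priv-lvl = 15
    }
    cmd = show {
        permit running-config
        deny .*
    }
}
```

With approach 2 the exec session still lands at level 15, but every command is checked against the tac_plus entry, so the account cannot do anything the server does not list; any other command the collector issues (for example a terminal-length setting before the show) has to be permitted the same way, and the device's TACACS+ accounting log shows exactly which commands the account ran. Approach 1 needs no external server but, as the thread notes, widens "sh run" to all level-1 users on that device. The PIX/ASA command syntax for both pieces differs from the IOS lines shown here.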

