[c-nsp] How to easily and securely pull configuration from a PIX/ASA
Tassos Chatzithomaoglou
achatz at forthnet.gr
Fri Dec 7 11:51:53 EST 2007
Justin Shore wrote on 7/12/2007 5:26 PM:
> Marc Haber wrote:
>> On Thu, Dec 06, 2007 at 09:03:39PM +0000, Thorsten Dahm wrote:
>>> Marc Haber wrote:
>>>> Which access privileges would RANCID need, and how far can the RANCID
>>>> account be restricted?
>>> The same as any user who is able to do a "sh run".
>> Which access privileges are needed to do a "sh run"?
>
> sh run gives you the nuts and bolts of the system, the most important
> and sensitive information. That implies the highest privilege level
> possible. Like others have said you could grant sh run access to lower
> privs but all users that have access to that lower priv or higher will
> have access to that command unless you use TACACS and authorization.
"sh run" is a special case and cannot be used like this. If you move it to level 1, then a user of
level 1 will be able to see only the part of the config which he can configure with that
level...which means nothing! You have to change the priv level of all the configure commands that
are used in the config to the same level as the user.
--
Tassos
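The following is an added illustration of the point made in this reply, not configuration taken from the thread or from any poster. It is a hypothetical IOS configuration (account name, level number and the set of commands are assumptions) that shows why moving "show running-config" to a lower privilege level is not enough on its own, and what has to follow.

```cisco
! Added example, not from the original message: hypothetical IOS configuration
! demonstrating what a restricted user sees from "show running-config".
!
! Step 1: a read-only account at privilege level 5 (name, level and secret are assumptions).
username rancid privilege 5 secret <set-a-strong-secret>
!
! Step 2: allow level 5 to run the command itself.
privilege exec level 5 show running-config
!
! At this point "show running-config" from a level-5 session prints little more
! than the header and "end": IOS filters the output down to the configuration
! commands that the session's level is allowed to enter, and by default every
! configuration command sits at level 15.
!
! Step 3 (the part described above): lower each configuration command that must
! appear in the dump. Nested modes have to be lowered as well; a command under
! "interface" is only shown if "interface" itself is visible at that level.
privilege configure level 5 hostname
privilege configure level 5 interface
privilege interface level 5 description
privilege interface level 5 ip address
privilege interface level 5 shutdown
privilege configure level 5 ip route
!
! Anything left at level 15 ("enable secret", "username", "snmp-server community",
! access-lists, ...) stays invisible to the level-5 user, so a complete backup
! effectively requires lowering the whole configuration tree, or using level 15.
!
! Keep "configure terminal" at its default level 15: the account then sees the
! lowered commands in the dump but cannot enter configuration mode to change them.
```

Usage note: after applying this, log in as the level-5 account, run "show privilege" to confirm the level, then "show running-config" and compare the output against a level-15 dump; the difference is exactly the set of commands still at level 15. Later IOS releases add "show running-config view full" as a privilege target that returns the whole configuration regardless of the per-command levels; check your release's command reference before relying on it, since the behaviour described in this thread is that of releases without it.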