[c-nsp] "reload" command doesn't check command line parameters

Sigurbjörn Birkir Lárusson sigurbjornl at vodafone.is
Tue Oct 8 07:22:40 EDT 2013


I think the best solution here is TACACS+ with command authorization where
reload in X is allowed, but all other forms are not, forcing you to
authenticate as a higher-privilege user to be able to do that. That way
TACACS+ will simply prevent you from making a mistake.

This is also highly preferable for many other things (switchport trunk
allowed vlan X instead of switchport trunk allowed vlan add X springs to
mind).

Kind regards,
Sibbi

On 8.10.2013 10:55, "Saku Ytti" <saku at ytti.fi> wrote:

>On (2013-10-08 10:57 +0200), Sander Steffann wrote:
>
>> > The two outputs do have different warnings:
>> > 
>> > reload reason:
>> > ===========================
>> > Router#reload
>> > Proceed with reload? [confirm]
>> > ===========================
>> 
>> If this warning would be changed to:
>> ===========================
>> Router#reload int 5
>> Proceed with IMMEDIATE reload? [confirm]
>> ===========================
>> 
>> Then it would be much clearer.
>
>Implication here is, you made a typo in the original command and you are aware
>of it. I guess if you are aware of the typo, you didn't make it.
>If you are not aware of the typo you made, you'll just punch the 'y' from
>muscle memory without looking at the display.
>
>I don't think it would actually help. What does help, is taking humans out of
>the equation as much as possible. Break network less often but more thoroughly
>through automation.
>
>-- 
>  ++ytti
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
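
An added illustration, not part of the original thread and not tac_plus or Cisco code, of the first-match permit/deny logic behind the command authorization idea in the message above (reload in X allowed, other forms denied, a higher-privilege group allowed everything). The group names, regexes and sample command lines are constructed assumptions.

```python
import re

# Hypothetical policy: per-command lists of (action, regex) matched against the
# command's arguments, first match wins. Group names are made up for this sketch.
POLICY = {
    "operator": {
        "reload": [
            ("permit", r"^in (\d+:)?\d+$"),   # only the delayed form: in mm / in hh:mm
            ("deny", r".*"),                  # bare reload, "int 5", anything else
        ],
        "switchport": [
            ("permit", r"^trunk allowed vlan (add|remove) [\d,-]+$"),
            ("deny", r"^trunk allowed vlan\b"),  # form that replaces the whole list
            ("permit", r".*"),
        ],
    },
    "senior": {
        "reload": [("permit", r".*")],
        "switchport": [("permit", r".*")],
    },
}

# Constructed sample command lines, including the typo from the thread.
SAMPLES = [
    "reload in 5",
    "reload",
    "reload int 5",
    "switchport trunk allowed vlan add 10",
    "switchport trunk allowed vlan 10",
]

def authorize(group, line):
    """Return 'permit' or 'deny'; commands without a rule list are denied."""
    cmd, _, args = line.strip().partition(" ")
    args = " ".join(args.split())             # collapse repeated whitespace
    for action, pattern in POLICY.get(group, {}).get(cmd, []):
        if re.search(pattern, args):
            return action
    return "deny"

def evaluate(group):
    """Decision for every sample line, keyed by the line."""
    return {line: authorize(group, line) for line in SAMPLES}

if __name__ == "__main__":
    for group in POLICY:
        for line, decision in evaluate(group).items():
            print(f"{group:9} {decision:7} {line}")
```
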



