[j-nsp] ERX1440, how to limit login to be able to "show conf" only

Scott Weeks surfer at mauigateway.com
Mon Jul 14 15:28:31 EDT 2008


--------------------------------------------------
--------- sj_hznm at yahoo.com.cn wrote: ------------
From: Joe Shen <sj_hznm at yahoo.com.cn>

Thanks, I tried the script; it works.

But the security problem still exists.

>  I mean, if someone gets the login password and enable
> password, he could do anything he wants. So, on
> ERX1440, the account should be restricted to ONLY
> fetching the configuration or showing interface status.
> ----------------------------------
> 
> The passwords are encrypted:
> 
>  password 5 1k8ObM~O#Y.c.G!8_EH&
> 
> enable password level 10 7 yWZ at g~Xq<qF|P!R=Pg4n

The above solution just confirms that people will not
get the password by looking at the configuration file.

But the script itself has the clear-text password
included. People could get the password by looking at
the script....

Is there any way to set up privilege levels on the E320?
----------------------------------------------------------
----------------------------------------------------------


There is a security risk if you don't lock down the directory where the PERL program is located.  Set permissions that will allow only those who have enable to get into the directory where the program is located.  That's why I said this:


"The main concern for some folks will be that the password is in clear 
text on the Unix server where the PERL programs reside (since most folks 
here are Micro$loth people, I don't have to worry too much... :-)  If 
that's a concern, be sure to lock down the directory where the .pl 
programs reside very well."


If you lock down the directory where the program is and allow all others access to the directory where the backups are, you can mitigate this security risk because the backups have the encrypted passwords.



scott
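The mitigation Scott describes is a filesystem-permission control: the directory holding the Perl program (which embeds the clear-text router password) is readable by its owner only, while the backup directory (which holds only the encrypted "password 5" / "enable password ... 7" lines) stays readable to everyone. The script below is an added example, not code from this thread or from the list's backup program; the paths in SCRIPT_DIR and BACKUP_DIR are placeholder assumptions, and the check function reports anything under the script directory that group or others could read.

```shell
#!/bin/sh
# Added example, not code from the thread: restrict the directory holding the
# backup script (it embeds the clear-text ERX login/enable password) to its
# owner, keep the backup output directory world-readable (it only carries the
# router's encrypted password lines), and verify nothing leaked.
# SCRIPT_DIR and BACKUP_DIR are assumed locations; substitute the real ones.

SCRIPT_DIR="${SCRIPT_DIR:-/usr/local/netbackup/bin}"       # assumed: where the .pl program lives
BACKUP_DIR="${BACKUP_DIR:-/usr/local/netbackup/backups}"   # assumed: where saved configs land

# lockdown SCRIPT_DIR BACKUP_DIR
# Script tree: owner-only (0700 dirs, 0600 files). Backup tree: world-readable.
lockdown() {
    find "$1" -type d -exec chmod 0700 {} +
    find "$1" -type f -exec chmod 0600 {} +
    find "$2" -type d -exec chmod 0755 {} +
    find "$2" -type f -exec chmod 0644 {} +
}

# check_exposed SCRIPT_DIR
# Lists every file or directory under SCRIPT_DIR that group or others can read
# (-perm -040: group read bit set; -perm -004: other read bit set).
# Returns 1 if anything is listed, i.e. the password is exposed, 0 if clean.
check_exposed() {
    exposed=$(find "$1" \( -perm -040 -o -perm -004 \) -print)
    if [ -n "$exposed" ]; then
        printf 'readable by group/others:\n%s\n' "$exposed"
        return 1
    fi
    return 0
}

# When invoked with the two directories as arguments, apply and verify.
if [ "$#" -eq 2 ]; then
    lockdown "$1" "$2"
    check_exposed "$1"
fi
```

If several operators need to run the program, put them in a dedicated group, `chgrp` the script directory to it and use 0750/0640 instead, relaxing the check to flag only the other-read bit (`-perm -004`). Permissions only protect the password at rest: anyone who can run the script as its owner still gets whatever access that password grants, so the script should run under its own unprivileged account and the read-only router account Joe asks for remains a separate control.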