[j-nsp] read-only config account, "rancid" user

Stacy W. Smith stacy at acm.org
Thu Feb 4 13:12:29 EST 2010


How 'bout this:

rancid@breakme> show configuration system
login {
    class rancid {
        permissions view-configuration;
        allow-commands "show configuration.*|quit";
        deny-commands .*;
    }
    user rancid {
        uid 2003;
        class rancid;
        authentication {
            encrypted-password /* SECRET-DATA */; ## SECRET-DATA
        }
    }
}

rancid@breakme> ?
Possible completions:
  quit                 Exit the management session
  show                 Show system information
rancid@breakme> show ?
Possible completions:
  configuration        Show current configuration
rancid@breakme> show configuration ?
Possible completions:
  <[Enter]>            Execute this command
> access               Network access configuration
> accounting-options   Accounting data configuration
> applications         Define applications by protocol characteristics
+ apply-groups         Groups from which to inherit configuration data
> chassis              Chassis configuration
> class-of-service     Class-of-service configuration
> firewall             Define a firewall configuration
> forwarding-options   Configure options to control packet forwarding
> groups               Configuration groups
> interfaces           Interface configuration
> logical-systems      Logical systems
> policy-options       Routing policy option configuration
> protocols            Routing protocol configuration
> routing-instances    Routing instance configuration
> routing-options      Protocol-independent routing option configuration
> security             Security configuration
> services             Service PIC applications settings
> snmp                 Simple Network Management Protocol configuration
> system               System parameters
  |                    Pipe through a command
rancid@breakme>

--Stacy


On Feb 4, 2010, at 10:14 AM, matthew zeier wrote:

> Not clear how to create a dumbed down read-only user who can just view the config.  
> 
> In a Cisco world I'd use "privilege exec level". In JunOS, a read-only class can't run "show configuration".
> 
> What's the nugget of info I'm missing?


