[j-nsp] NETCONF in Junos

Phil Shafer phil at juniper.net
Thu Dec 24 03:36:13 EST 2015


Stepan Kucherenko writes:
>Sometimes it does strange stuff with SSH internally though. Example:
>
>Let's say I do " show route table ?" at a router.
>
>Logs show:
>
>mgd[62935]: UI_CHILD_START: Starting child '/bin/sh'
>mgd[68498]: UI_AUTH_EVENT: Authenticated user 'root' at permission level 'super-user'
>mgd[68498]: UI_LOGIN_EVENT: User 'root' login, class 'super-user' [68498], ssh-connection '<my PC address> 60259 <router address> 22', client-mode 'cli'
>mgd[68498]: UI_CMDLINE_READ_LINE: User 'root', command 'show route summary | display xml | grep table-name '
>mgd[68498]: UI_LOGOUT_EVENT: User 'root' logout
>mgd[62935]: UI_CHILD_STATUS: Cleanup child '/bin/sh', PID 68494, status 0
>
>Obviously I don't log in under root, but somehow my CLI spawns a shell, then sshes to
>itself under root (?) using my credentials (?) to do a single command. Then it logs out.
>Every time I request something about route tables.

Looks like an implementation issue.  Our UI infrastructure allows
our programmers to define completion functions to list acceptable
values.  Some schmuck's coded the completion function as this "sh -c show
route summary| ..." command.

This is definitely not typical.  More typically, we run something like
"ifinfo -n" or look at internal MGD info.  This completion for the "table"
argument is just some suboptimal code.

Note that the ssh-connection information being logged does not mean
that we're invoking a new ssh session, just that we're reporting
the current info.

Thanks,
 Phil
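
For log triage, the pattern discussed in this message can be separated from real root logins mechanically. The following is an added example, not code from the original thread or from Juniper: it treats a UI_LOGIN_EVENT that falls between another mgd's UI_CHILD_START and UI_CHILD_STATUS as a helper session. That bracketing rule is a heuristic assumed from the ordering in the quoted log, and the sample addresses and the last log line are constructed.

```python
import re

# Constructed sample: the log lines quoted above, rejoined, with
# documentation addresses (192.0.2.x) in place of the redacted ones.
SAMPLE = """\
mgd[62935]: UI_CHILD_START: Starting child '/bin/sh'
mgd[68498]: UI_AUTH_EVENT: Authenticated user 'root' at permission level 'super-user'
mgd[68498]: UI_LOGIN_EVENT: User 'root' login, class 'super-user' [68498], ssh-connection '192.0.2.10 60259 192.0.2.1 22', client-mode 'cli'
mgd[68498]: UI_CMDLINE_READ_LINE: User 'root', command 'show route summary | display xml | grep table-name '
mgd[68498]: UI_LOGOUT_EVENT: User 'root' logout
mgd[62935]: UI_CHILD_STATUS: Cleanup child '/bin/sh', PID 68494, status 0
mgd[70001]: UI_LOGIN_EVENT: User 'root' login, class 'super-user' [70001], ssh-connection '192.0.2.99 51000 192.0.2.1 22', client-mode 'cli'
"""

LINE = re.compile(r"mgd\[(?P<pid>\d+)\]: (?P<tag>UI_[A-Z_]+): (?P<msg>.*)")
USER = re.compile(r"User '([^']+)'")
CMD = re.compile(r"command '(.*)'")

def classify_logins(text):
    """Return one dict per UI_LOGIN_EVENT; helper=True when the login falls
    between another mgd's UI_CHILD_START and UI_CHILD_STATUS (heuristic)."""
    open_children = set()   # PIDs of mgd processes with a child running
    sessions = {}           # mgd PID -> session record
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, tag, msg = int(m["pid"]), m["tag"], m["msg"]
        if tag == "UI_CHILD_START":
            open_children.add(pid)
        elif tag == "UI_CHILD_STATUS":
            open_children.discard(pid)
        elif tag == "UI_LOGIN_EVENT":
            parents = sorted(open_children - {pid})
            sessions[pid] = {"pid": pid, "user": USER.search(msg).group(1),
                             "helper": bool(parents), "parents": parents,
                             "commands": []}
        elif tag == "UI_CMDLINE_READ_LINE" and pid in sessions:
            c = CMD.search(msg)
            if c:
                sessions[pid]["commands"].append(c.group(1).strip())
    return list(sessions.values())

if __name__ == "__main__":
    for s in classify_logins(SAMPLE):
        kind = "helper (completion child)" if s["helper"] else "interactive"
        print(s["pid"], s["user"], kind, s["commands"])
```

A helper session carries the parent mgd PID in `parents`, so the operator whose CLI triggered the completion can be looked up from that PID's own login event.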

