Creating a Privilege Class that Hides Encrypted Passwords

Problem

You need to have all permissions on the router but you don't want to have all of the encrypted passwords displayed.

Solution

Create a new class that explicitly includes all the permission bits except for control and secret:

	[edit system login]
	aviva@router1# set class power-user permissions [ admin admin-control clear configure
	field floppy interface interface-control network reset routing routing-control shell
	snmp snmp-control system system-control trace trace-control view maintenance firewall
	firewall-control secret-control rollback security security-control access access-control
	view-configuration ]

Discussion

Many network operators like to trim shared secrets and other encrypted data out of their configurations before sharing the configurations with others. The JUNOS software uses the secret permission bit to control viewing access to the passwords and the secret-control permission bit to control setting them. This recipe still allows shared secrets and passwords to be set on the router, but the values are not shown, copied, or saved (using the configuration mode save command) by the user during normal operations.

Password and secret settings are, of course, still preserved by the commit operation, and the full configuration, secret data included, remains accessible to the user by virtue of the maintenance permission, which grants shell and file-system access.
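The following is an added example, not part of the recipe, that binds a test account to the power-user class so the effect of omitting the secret bit can be verified. The account name netops is a placeholder; the plain-text-password statement prompts interactively for a password, and lines beginning with # are annotations rather than CLI input.

```junos
[edit system login]
# Define the class exactly as in the recipe: every permission bit except
# "control" and "secret", so hashes can be set but never displayed.
set class power-user permissions [ admin admin-control clear configure field floppy interface interface-control network reset routing routing-control shell snmp snmp-control system system-control trace trace-control view maintenance firewall firewall-control secret-control rollback security security-control access access-control view-configuration ]

# Bind a placeholder account (netops) to the class.
set user netops class power-user
set user netops authentication plain-text-password
commit

# Checks to run while logged in as netops:
# 1. the class must not list "secret" (the viewing bit) or "control"
show system login class power-user
# 2. the stored hash for any user must not be rendered in the output;
#    secret-control still lets netops change it
show system login user netops authentication
set system login user netops authentication plain-text-password
```

If the second show command renders the encrypted-password value, the class picked up the secret bit (for example through all or control) and should be reviewed; the design intent of the recipe is that the hash is never visible to this class even though it can be rotated.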


JUNOS Cookbook (O'Reilly Cookbooks)
ISBN: 0596100140
Year: 2007
Pages: 290
Author: Aviva Garrett
