Configure the Ops Account

You will now configure a user called ops that is only authorized to view the output of show interfaces and conduct ping testing.

The commands in Listing 1.2 configure the ops account and display the resulting configuration:

Listing 1.2: Commands for Configuring the Ops Account

[edit system login]
root@r1# set user ops class ops authentication plain-text-password
New password:
Retype new password:
[edit system login]
root@r1# set class ops permissions network
[edit system login class]
root@r1# set ops idle-timeout 5
[edit system login class]
root@r1# set ops allow-commands "show interfaces"
[edit system login class]
root@r1# set ops deny-commands "traceroute|telnet|ssh"
[edit system login class]
root@r1# up
[edit system login]
root@r1# show user ops
uid 2002;
class ops;
authentication {
    encrypted-password "$1$SgJQQ$VYXXLPf9/TMOnb2ohWxOJ."; # SECRET-DATA
}
[edit system login]
root@r1# show class ops
idle-timeout 5;
permissions network;
allow-commands "show interfaces";
deny-commands "traceroute|telnet|ssh";

Note 

Because these user account requirements involve custom settings of login class permissions, care should be taken to avoid the use of the predefined login classes (operator, read-only, superuser, and unauthorized). The parameters associated with these accounts cannot be modified. Depending on the JUNOS software version being used, you may be allowed to configure customized settings for the predefined login classes, but these changes will not actually have any effect on their default permissions.

This configuration example illustrates one possible solution to the ops account restrictions specified above. In this case, we begin with a login class that contains only the network permission, which by default grants access only to the ping, telnet, traceroute, and SSH commands. Because the ops user should have access only to the ping utility, the deny-commands option was used with a regular expression to explicitly deny access to the telnet, traceroute, and SSH commands. In a similar fashion, the allow-commands option was included in the ops class to explicitly permit the use of the show interfaces command. Further, the nature of this allow-commands regular expression will not allow arguments such as detail or terse with the show interfaces command, so the ops user will be able to issue only the standard show interfaces command. In contrast, specifying show interfaces$ as the regular expression for allowed commands will provide access to the full range of options supported by the show interfaces command.
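The Note and the explanation above amount to a checklist for the ops login class: a custom class name (not one of the predefined classes), the network permission only, an idle timeout, a deny-commands regex that covers telnet, traceroute, and ssh but not ping, and an allow-commands regex that permits show interfaces. The following Python audit is an added example, not code from the study guide; it parses the text of a `show class` block (the sample blocks below are constructed from Listing 1.2 and from a hypothetical weaker class) and reports which requirements are not met. It checks the regexes against bare command names only and does not model how JUNOS handles command arguments such as detail.

```python
import re

# Constructed sample: the "show class ops" output from Listing 1.2, as captured text.
OPS_CLASS = """\
idle-timeout 5;
permissions network;
allow-commands "show interfaces";
deny-commands "traceroute|telnet|ssh";
"""

# Constructed counter-example (hypothetical): no idle timeout, and ssh is not denied.
WEAK_CLASS = """\
permissions network;
allow-commands "show interfaces";
deny-commands "traceroute|telnet";
"""

# Predefined JUNOS login classes; custom settings on them have no effect (see the Note).
PREDEFINED_CLASSES = {"operator", "read-only", "superuser", "unauthorized"}

# Commands the network permission grants by default, per the text; ops keeps only ping.
NETWORK_COMMANDS = {"ping", "telnet", "traceroute", "ssh"}
KEEP = {"ping"}
REQUIRED_ALLOW = ["show interfaces"]


def parse_class_block(text):
    """Turn 'statement value;' lines into a dict, stripping the quotes around regexes."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.endswith(";"):
            continue  # skip braces and blank lines
        key, _, value = line[:-1].partition(" ")
        cfg[key] = value.strip().strip('"')
    return cfg


def audit_login_class(name, text):
    """Return the list of requirement violations for one login class (empty == compliant)."""
    findings = []
    if name in PREDEFINED_CLASSES:
        findings.append(f"{name} is a predefined class; custom settings are ignored")
    cfg = parse_class_block(text)

    if cfg.get("permissions") != "network":
        findings.append(f"permissions should be exactly 'network', got {cfg.get('permissions')!r}")
    if "idle-timeout" not in cfg:
        findings.append("no idle-timeout configured")

    # Every network-permission command except ping must be caught by deny-commands.
    deny = cfg.get("deny-commands", "")
    for cmd in sorted(NETWORK_COMMANDS - KEEP):
        if not (deny and re.search(deny, cmd)):
            findings.append(f"deny-commands does not cover {cmd}")
    for cmd in sorted(KEEP):
        if deny and re.search(deny, cmd):
            findings.append(f"deny-commands wrongly blocks {cmd}")

    # The commands the account is supposed to have must be reachable via allow-commands.
    allow = cfg.get("allow-commands", "")
    for cmd in REQUIRED_ALLOW:
        if not (allow and re.search(allow, cmd)):
            findings.append(f"allow-commands does not permit {cmd}")
    return findings


if __name__ == "__main__":
    for name, block in [("ops", OPS_CLASS), ("ops-weak", WEAK_CLASS), ("operator", OPS_CLASS)]:
        print(name, audit_login_class(name, block) or "OK")
```

Running the script reports the Listing 1.2 class as compliant, lists the two gaps in the weaker class, and flags the predefined-class case even though its statements look correct, which is exactly the trap the Note warns about.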

Verify the Ops Account

To confirm the ops login and account permissions, we log in as ops and verify that we have access to the standard show interfaces and ping commands. Listing 1.3 shows you this sequence. Based on the results shown in Listing 1.3, you can see that all the account restrictions for the ops user have been met.

Listing 1.3: Verify Ops Account Permissions

ops@r1> show ?
Possible completions:
  host             Host name lookup service using domain name server
  interfaces       Show interface information
ops@r1> show interfaces
Physical interface: fe-0/0/0, Enabled, Physical link is Down
  Interface index: 10, SNMP ifIndex: 13
  Link-level type: Ethernet, MTU: 1514, Speed: 100mbps,
. . .
ops@r1> show interfaces fxp0 detail
error: permission denied for interfaces: detail
ops@r1> ping 10.0.1.102
PING 10.0.1.102 (10.0.1.102): 56 data bytes
64 bytes from 10.0.1.102: icmp_seq=0 ttl=255 time=0.560 ms
^C
--- 10.0.1.102 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.560/0.560/0.560/0.000 ms
ops@r1> tra
          ^
unknown command.
ops@r1> tel
          ^
unknown command.
ops@r1>

JNCIP: Juniper Networks Certified Internet Professional Study Guide (Exam CERT-JNCIP-M)
ISBN: 0782140734
Year: 2003
Pages: 132
