Ethernet Switching
Contributor
lancelot0518
Posts: 35
Registered: 08-11-2010
How should I configure to protect serial console access?

I don't want every account to be able to access the serial console, even if the account is in the super-user class.
How should I configure to protect serial console access?


Sorry for my English and thanks for your assistance.

Distinguished Expert
aarseniev
Posts: 1,726
Registered: 08-21-2009

Re: How should I configure to protect serial console access?

Hello,

Probably not what you are directly asking for but you can have an event policy which automatically logs out a specific user/users from console.

The trigger/syslog message to act on is this:

Mar  1 10:48:41  router login: %AUTH-6-LOGIN_INFORMATION: User aarseniev logged in from host 172.26.2.1 on device ttyd0

You have to match on user name and device name; on M/T/MX products the console device name is ttyd0, on EX products the console device name is ttyu0.

The command to log out a user from console is

request system logout terminal u0 ## for EX
request system logout terminal d0 ## for M/T/MX

EDIT:

I quickly tested and the following event-policy immediately logs out user "aarseniev" from console on M-series box, JUNOS 10.4R2. Replace ttyd0 with ttyu0 for EX:

aarseniev@labrouter> show configuration event-options
policy LGOUT {
    events login_information;
    attributes-match {
        login_information.tty-name matches ttyd0;
        login_information.username matches aarseniev;
    }
    then {
        execute-commands {
            commands {
                "request system logout terminal ttyd0";
            }
        }
    }
}

HTH

Rgds

Alex

___________________________________
Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !
Contributor
NumPad
Posts: 10
Registered: 02-26-2011
Re: How should I configure to protect serial console access?

Does not work for more than one user:

test@exA-1> show configuration event-options
policy LOGOUT {
    events login_information;
    attributes-match {
        login_information.tty-name matches ttyu0;
        login_information.username matches bla;
        login_information.username matches test;
    }
    then {
        execute-commands {
            commands {
                "request system logout terminal ttyu0";
            }
        }
    }
}

Because each statement must match, one has to create a single event-statement for each user or use a regex:

lab@exA-1> show configuration event-options
policy LOGOUT {
    events login_information;
    attributes-match {
        login_information.tty-name matches ttyu0;
        login_information.username matches "bla|test";
    }
    then {
        execute-commands {
            commands {
                "request system logout terminal ttyu0";
            }
        }
    }
}

And I found another one. You can match against a negative statement:

SRX100:
{primary:node0}
root@oben> show configuration event-options
policy LGOUT {
    events login_information;
    attributes-match {
        login_information.tty-name matches ttyu0;
        login_information.username matches "!root";
    }
    then {
        execute-commands {
            commands {
                "request system logout terminal ttyu0";
            }
        }
    }
}
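The three attributes-match variants in this thread (two `username matches` clauses, a regex alternation, and a negated pattern) differ only in how the clauses combine against the fields of a LOGIN_INFORMATION message. The following Python script is an added example written for this page, not code from the thread or from Juniper: it parses a few constructed LOGIN_INFORMATION lines in the format quoted above, evaluates each policy's clauses with AND semantics, and reports which logins would trigger the `request system logout terminal` command. The treatment of a leading `!` as negation is an assumption modelled on the SRX100 test reported above, and the unanchored regex search is this simulator's choice, not a statement about the Junos implementation. Note that a policy of this kind acts only after the login has already succeeded, so each time it fires is itself a console-login event worth recording.

```python
import re

# Constructed sample syslog lines (not captured from a real device). The
# format follows the LOGIN_INFORMATION message quoted earlier in the thread.
SAMPLE_SYSLOG = [
    "Mar  1 10:48:41  router login: %AUTH-6-LOGIN_INFORMATION: "
    "User aarseniev logged in from host 172.26.2.1 on device ttyd0",
    "Mar  1 10:50:02  exA-1 login: %AUTH-6-LOGIN_INFORMATION: "
    "User bla logged in from host 192.0.2.10 on device ttyu0",
    "Mar  1 10:51:17  exA-1 login: %AUTH-6-LOGIN_INFORMATION: "
    "User test logged in from host 192.0.2.11 on device ttyu0",
    "Mar  1 10:52:30  exA-1 login: %AUTH-6-LOGIN_INFORMATION: "
    "User root logged in from host 192.0.2.12 on device ttyu0",
    "Mar  1 10:53:45  exA-1 login: %AUTH-6-LOGIN_INFORMATION: "
    "User bla logged in from host 192.0.2.13 on device pts/0",
]

# Extract the event attributes that the policies in the thread refer to.
LOGIN_RE = re.compile(
    r"LOGIN_INFORMATION: User (?P<username>\S+) logged in from host "
    r"(?P<source>\S+) on device (?P<tty>\S+)"
)


def parse_login_event(line):
    """Return the login_information attributes of a syslog line, or None."""
    m = LOGIN_RE.search(line)
    if m is None:
        return None
    return {
        "username": m.group("username"),
        "source-address": m.group("source"),
        "tty-name": m.group("tty"),
    }


def attribute_matches(value, pattern):
    """Model one `attribute matches pattern` clause as an unanchored regex
    search. A leading "!" negates the clause: this mirrors what the SRX100
    test in the thread reports and is an assumption of this simulator."""
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    hit = re.search(pattern, value) is not None
    return hit != negate


def policy_matches(event, conditions):
    """Every clause under attributes-match must hold (logical AND). Two
    `username matches` clauses therefore require one username to satisfy
    both patterns, which is why the two-user policy never fires."""
    return all(attribute_matches(event[attr], pat) for attr, pat in conditions)


def apply_policy(syslog_lines, conditions, tty):
    """Return (username, command) for every login the policy would act on."""
    actions = []
    for line in syslog_lines:
        event = parse_login_event(line)
        if event is not None and policy_matches(event, conditions):
            actions.append((event["username"], f"request system logout terminal {tty}"))
    return actions


def render_policy(name, conditions, tty):
    """Render the equivalent Junos event-options policy block as text."""
    out = [f"policy {name} {{", "    events login_information;", "    attributes-match {"]
    for attr, pat in conditions:
        # Patterns with regex metacharacters are quoted, as in the thread's configs.
        quoted = pat if re.fullmatch(r"[\w.-]+", pat) else f'"{pat}"'
        out.append(f"        login_information.{attr} matches {quoted};")
    out += ["    }", "    then {", "        execute-commands {", "            commands {",
            f'                "request system logout terminal {tty}";',
            "            }", "        }", "    }", "}"]
    return "\n".join(out)


# The three attribute sets from the posts above.
TWO_USERNAMES = [("tty-name", "ttyu0"), ("username", "bla"), ("username", "test")]
REGEX_ALTERNATION = [("tty-name", "ttyu0"), ("username", "bla|test")]
NEGATED = [("tty-name", "ttyu0"), ("username", "!root")]

if __name__ == "__main__":
    for label, conds in [("two username clauses", TWO_USERNAMES),
                         ("regex alternation", REGEX_ALTERNATION),
                         ("negated pattern", NEGATED)]:
        print(f"{label}: {apply_policy(SAMPLE_SYSLOG, conds, 'ttyu0')}")
    print(render_policy("LOGOUT", REGEX_ALTERNATION, "ttyu0"))
```

Running it shows the two-clause policy matching no login at all, while the alternation and the negated pattern both act on `bla` and `test` but not on `root`, and neither acts on the `bla` session that arrived on `pts/0` because the tty-name clause fails. Because the simulator's search is unanchored, `bla` would also match a user named `blake`; anchoring the pattern (`^bla$`) narrows it here, and the same anchoring is worth testing on the device before relying on it.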
