Ethernet Switching

How should I configure to protect serial console access?

02-28-2011 01:47 AM

I don't want every account to be able to access the serial console, even if the account is in the super-user class.
How should I configure to protect serial console access?

Sorry for my English and thanks for your assistance.

2 REPLIES
Re: How should I configure to protect serial console access?

03-01-2011 01:58 AM

Hello,

Probably not what you are directly asking for but you can have an event policy which automatically logs out a specific user/users from console.

The trigger/syslog message to act on is this:

Mar  1 10:48:41  router login: %AUTH-6-LOGIN_INFORMATION: User aarseniev logged in from host 172.26.2.1 on device ttyd0

You have to match on the user name and the device name; in the case of M/T/MX products the console device name is ttyd0, in the case of EX products the console device name is ttyu0.

The command to log out a user from the console is

request system logout terminal u0 ## for EX
request system logout terminal d0 ## for M/T/MX

EDIT:

I quickly tested and the following event-policy immediately logs out user "aarseniev" from the console on an M-series box, JUNOS 10.4R2. Replace ttyd0 with ttyu0 for EX:

aarseniev@labrouter> show configuration event-options    
policy LGOUT {
    events login_information;
    attributes-match {
        login_information.tty-name matches ttyd0;
        login_information.username matches aarseniev;
    }
    then {
        execute-commands {
            commands {
                "request system logout terminal ttyd0";
            }
        }
    }
}

HTH

Rgds

Alex

Re: How should I configure to protect serial console access?

03-03-2011 01:24 PM

Does not work for more than one user:

test@exA-1> show configuration event-options
policy LOGOUT {
    events login_information;
    attributes-match {
        login_information.tty-name matches ttyu0;
        login_information.username matches bla;
        login_information.username matches test;
    }
    then {
        execute-commands {
            commands {
                "request system logout terminal ttyu0";
            }
        }
    }
}

Because each statement must match, one has to create a single event statement for each user or use a regex:

lab@exA-1> show configuration event-options
policy LOGOUT {
    events login_information;
    attributes-match {
        login_information.tty-name matches ttyu0;
        login_information.username matches "bla|test";
    }
    then {
        execute-commands {
            commands {
                "request system logout terminal ttyu0";
            }
        }
    }
}

And I found another one. You can match against a negative statement:

SRX100:
{primary:node0}
root@oben> show configuration event-options 
policy LGOUT {
    events login_information;
    attributes-match {
        login_information.tty-name matches ttyu0;
        login_information.username matches "!root";
    }
    then {
        execute-commands {
            commands {
                "request system logout terminal ttyu0";
            }
        }
    }
}
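The replies above show three attributes-match variants (one user, two username statements that never both hold, a regex alternation, and a negated pattern) but give no way to check a policy before committing it. The following Python script is an added example, not code from this thread or from Juniper: it parses LOGIN_INFORMATION syslog lines into the login_information attributes and evaluates each policy's attributes-match statements the way the replies describe them (all statements AND-ed, patterns applied as regular expressions, a leading "!" negating the match). The AND semantics, the unanchored regex matching and the "!" negation are assumptions taken from the thread's reported behaviour, and the sample log lines are constructed for the example.

```python
import re

# Constructed sample syslog lines in the LOGIN_INFORMATION format quoted in the
# first reply (hosts and times are invented for the example).
SAMPLE_LOG = """\
Mar  1 10:48:41  router login: %AUTH-6-LOGIN_INFORMATION: User aarseniev logged in from host 172.26.2.1 on device ttyd0
Mar  1 10:49:02  router login: %AUTH-6-LOGIN_INFORMATION: User bla logged in from host 172.26.2.1 on device ttyu0
Mar  1 10:49:30  router login: %AUTH-6-LOGIN_INFORMATION: User test logged in from host 172.26.2.1 on device ttyu0
Mar  1 10:50:11  router login: %AUTH-6-LOGIN_INFORMATION: User root logged in from host 172.26.2.1 on device ttyu0
Mar  1 10:51:00  router login: %AUTH-6-LOGIN_INFORMATION: User test logged in from host 10.0.0.5 on device pts/0
"""

LOGIN_RE = re.compile(
    r"LOGIN_INFORMATION: User (?P<username>\S+) logged in from host "
    r"(?P<host>\S+) on device (?P<tty_name>\S+)"
)


def parse_login_events(text):
    """Extract the login_information attributes (username, host, tty-name)
    from every syslog line that carries a LOGIN_INFORMATION message."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def attribute_matches(pattern, value):
    """Model of one 'login_information.<attr> matches <pattern>' statement.
    The pattern is applied as an unanchored regular expression; a leading '!'
    negates the match, as the SRX example in the thread relies on. Both
    behaviours are assumptions about the device, not verified here."""
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    hit = re.search(pattern, value) is not None
    return not hit if negate else hit


def policy_fires(statements, event):
    """Every attributes-match statement must hold (logical AND), which is why
    two separate 'username matches' statements can never both be true."""
    return all(attribute_matches(pattern, event[attr]) for attr, pattern in statements)


def users_logged_out(statements, events):
    """Usernames whose login would trigger the policy's logout action."""
    return [e["username"] for e in events if policy_fires(statements, e)]


# Policies as (attribute, pattern) pairs, mirroring the configurations in the thread.
POLICY_SINGLE_USER = [("tty_name", "ttyd0"), ("username", "aarseniev")]
POLICY_TWO_USERNAMES = [("tty_name", "ttyu0"), ("username", "bla"), ("username", "test")]
POLICY_REGEX = [("tty_name", "ttyu0"), ("username", "bla|test")]
POLICY_ALL_BUT_ROOT = [("tty_name", "ttyu0"), ("username", "!root")]

if __name__ == "__main__":
    events = parse_login_events(SAMPLE_LOG)
    for name, policy in [("single user", POLICY_SINGLE_USER),
                         ("two username statements", POLICY_TWO_USERNAMES),
                         ("regex alternation", POLICY_REGEX),
                         ("all but root", POLICY_ALL_BUT_ROOT)]:
        print(f"{name:25s} -> logs out {users_logged_out(policy, events)}")
```

Running it reproduces the second reply's finding: the two-statement policy logs nobody out, while "bla|test" and "!root" both catch bla and test on ttyu0 and leave the pts/0 login alone. One caveat the model makes visible: with unanchored matching, a pattern such as "test" would also match a username like "testuser", so whether the platform needs explicit anchoring is worth checking before relying on a username pattern. Note also that the policy is a reactive control; the LOGIN_INFORMATION line is still written, so the same parsing is a reasonable basis for alerting on unexpected console logins in a log collector.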