Junos
Highlighted
Junos

how to use system login class super-user-local confirm-commands

‎06-02-2019 02:21 AM

 

https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/confirm-c...

set system login class super-user-local confirm-commands?

confirm-commands List of commands to be confirmed explicitly

 

Statement introduced in Junos OS Release 16.1R1.

Description

To define commands to have a confirmation from the users before execution.

 

 

can anyone give me an example of confirm-comands configuration? how to use this configuration? I do not understand it well. thanks so much 

4 REPLIES 4
Junos
Solution
Accepted by topic author xinhui jiang
‎06-02-2019 06:52 PM

Re: how to use system login class super-user-local confirm-commands

[ Edited ]
‎06-02-2019 10:26 AM

Hi Xinhui,

 

Please refer the cli definition of confirm-commands knob:

 

#set system login class test ?

<snip>

> confirm-commands List of commands to be confirmed explicitly

 

As the cli definition suggests "confirm-commands" knob will help you to double confirm some commands before you actually commit/execute them.

 

Please refer following example it will make things clear for you:

 

test@chaos-re1> show configuration system login class test

permissions all;

confirm-commands request  {   

       confirm-request;                  

}

 

I want to double check before executing any commands that contains "request", you can use any regex.

 

test@chaos-re1> show configuration system login user test

uid 2002;

class test;

authentication {

        encrypted-password "$1$w9JT/1qk$wqUJrXn/j7jA03AzqxmTf/"; ## SECRET-DATA

}

 

test@chaos-re1> request chassis fpc slot 2 offline

confirm-request [yes,no] (no) no

 

test@chaos-re1# run request system storage cleanup

confirm-request [yes,no] (no) no

 

If this solves your question, please accept it as solution.

 

Thanks & Regards

Vishal Singh

Junos

Re: how to use system login class super-user-local confirm-commands

‎06-02-2019 07:14 PM

can give me an example of configuration confirm-command? 

I tested it not work.

 

set system login class super-user-local confirm-commands firewall
set system login class super-user-local confirm-commands "set firewall .*"

 

I want to edit firewall configuration for double confirm. thanks so much

Junos

Re: how to use system login class super-user-local confirm-commands

‎06-03-2019 09:19 AM

Hi Xinhui,

Some commands when executed might have big impact in the network, such as:

 

clear ospf database

request fpc offline

restart routing

 

confirm-commands knob helps the user decide which commands are catastrophic and require explicit confirmation.

 

This knob doesn't work with intentional configuration changes (set commands). With configuration change (set commands) user already has rollback and commit confirm options to bring the device back into original state.

 

If I add following configuiration in the example I had shared in previous reply, the clear firewall will ask to confirm but set firewall will still work

 

set system login class test confirm-commands firewall confirm-before-change-in-firewall

 

test@chaos-re1# run clear firewall all

confirm-before-change-in-firewall [yes,no] (no) no

 

test@chaos-re1# set firewall family inet filter test101 term 1 then accept

test@chaos-re1# commit

commit complete

 

Hope that makes things clear

Thanks & Reagrds

Vishal Singh

Junos

Re: how to use system login class super-user-local confirm-commands

‎06-03-2019 11:08 PM

ok, thanks so much