Solved

read only access to router via ssh

Posted on 2011-09-23
3
360 Views
Last Modified: 2012-08-14
Can you tell me how to setup a user account on a cisco router so that he will only have read only access via SSH

thanks
0
Comment
Question by:FREDARCE
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 18

Expert Comment

by:jmeggers
ID: 36589030
Have to use command authorization.   The user has to be authenticated and then they're assigned a "level".  Command authorization is used to authorize commands at various levels.  In your case, you'd allow 'show run" but not "config  term".  See http://www.cisco.com/en/US/docs/ios/12_0/security/command/reference/srauth.html
0
 
LVL 17

Accepted Solution

by:
rochey2009 earned 250 total points
ID: 36592166
At a basic level - all you need is:

aaa new-model

some versions of IOS don't allow the secret option for the username password encryption. If not then you'll have to use the cleartext version.

username <Username> privilege 1 secret <password>

or

username <Username> privilege 1 password <password>

You can also extend the privilege level using "privilege exec" and "privilege configure" to give access to features not available at a particular level.


0
 
LVL 1

Assisted Solution

by:DvonHoltz
DvonHoltz earned 250 total points
ID: 36593006
I agree with rochey2009 on the commands, just a quick note on privilege levels

    privilege level 0 — Includes the disable, enable, exit, help, and logout commands.
    privilege level 1 — Normal level on Telnet; includes all user-level commands at the router> prompt.
    privilege level 15 — Includes all enable-level commands at the router# prompt.

Also if you use "password <password>" ensure you use "service password-encryption" or all passwords will be plain text. also be aware that there are a lot of websites that can crack passwords done in this way. If security of passwords is important, than always use  "service password-encryption" and "username <Username> privilege <X> secret <password>"  
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question