read only access to router via ssh

Can you tell me how to set up a user account on a Cisco router so that he will only have read-only access via SSH?

thanks
FREDARCE Asked:
 
rochey2009 Commented:
At a basic level - all you need is:

aaa new-model

Some versions of IOS don't allow the secret option for the username password encryption. If not, then you'll have to use the cleartext version.

username <Username> privilege 1 secret <password>

or

username <Username> privilege 1 password <password>

You can also extend the privilege level using "privilege exec" and "privilege configure" to give access to features not available at a particular level.

 
John Meggers, Network Architect, Commented:
Have to use command authorization. The user has to be authenticated and then they're assigned a "level". Command authorization is used to authorize commands at various levels. In your case, you'd allow "show run" but not "config term". See http://www.cisco.com/en/US/docs/ios/12_0/security/command/reference/srauth.html
 
DvonHoltz Commented:
I agree with rochey2009 on the commands; just a quick note on privilege levels:

    privilege level 0 — Includes the disable, enable, exit, help, and logout commands.
    privilege level 1 — Normal level on Telnet; includes all user-level commands at the router> prompt.
    privilege level 15 — Includes all enable-level commands at the router# prompt.

Also, if you use "password <password>", ensure you use "service password-encryption" or all passwords will be plain text. Also be aware that there are a lot of websites that can crack passwords done in this way. If security of passwords is important, then always use "service password-encryption" and "username <Username> privilege <X> secret <password>".
Question has a verified solution.
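
An added example, not part of the original thread: a Python check that reads a saved running-config and reports the points raised in the answers above (accounts meant to be read-only that sit above privilege level 1, usernames stored with "password" instead of "secret", a missing "service password-encryption", and vty lines whose "transport input" accepts anything other than SSH). The sample config, the account names and the audit function are constructed for illustration.

```python
import re

# Constructed sample running-config; usernames and hash strings are placeholders.
SAMPLE_CONFIG = """\
service password-encryption
username readonly privilege 1 secret 5 $1$CONSTRUCTED$placeholderhash
username helpdesk password 7 0000CONSTRUCTED
username auditor privilege 15 secret 5 $1$CONSTRUCTED$placeholderhash
username netadmin privilege 15 secret 5 $1$CONSTRUCTED$placeholderhash
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

USER_RE = re.compile(r"username\s+(?P<name>\S+)(?:\s+privilege\s+(?P<priv>\d+))?"
                     r"\s+(?P<kind>secret|password)\s")


def audit(config, read_only):
    """Return (subject, issue) pairs; read_only names accounts meant to stay at level 1."""
    lines = config.splitlines()
    findings = []
    if "service password-encryption" not in (l.strip() for l in lines):
        findings.append(("global", "service password-encryption is not set"))
    vty = None  # the "line vty" block currently being read, if any
    for line in lines:
        user = USER_RE.match(line)
        if user:
            vty = None
            priv = int(user["priv"] or 1)  # no privilege keyword means level 1
            if user["name"] in read_only and priv > 1:
                findings.append((user["name"], f"privilege {priv}, expected 1"))
            if user["kind"] == "password":
                findings.append((user["name"], "uses password, not secret"))
        elif line.startswith("line "):
            vty = line.strip() if line.startswith("line vty") else None
        elif vty and line.startswith(" "):
            words = line.split()
            extra = set(words[2:]) - {"ssh", "none"}
            if words[:2] == ["transport", "input"] and extra:
                findings.append((vty, "non-SSH transport: " + " ".join(sorted(extra))))
        else:
            vty = None
    return findings

if __name__ == "__main__":
    for subject, issue in audit(SAMPLE_CONFIG, {"readonly", "helpdesk", "auditor"}):
        print(f"{subject}: {issue}")
```
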
