Solved

read only access to router via ssh

Posted on 2011-09-23
3
361 Views
Last Modified: 2012-08-14
Can you tell me how to setup a user account on a cisco router so that he will only have read only access via SSH

thanks
0
Comment
Question by:FREDARCE
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 18

Expert Comment

by:jmeggers
ID: 36589030
Have to use command authorization.   The user has to be authenticated and then they're assigned a "level".  Command authorization is used to authorize commands at various levels.  In your case, you'd allow 'show run" but not "config  term".  See http://www.cisco.com/en/US/docs/ios/12_0/security/command/reference/srauth.html
0
 
LVL 17

Accepted Solution

by:
rochey2009 earned 250 total points
ID: 36592166
At a basic level - all you need is:

aaa new-model

some versions of IOS don't allow the secret option for the username password encryption. If not then you'll have to use the cleartext version.

username <Username> privilege 1 secret <password>

or

username <Username> privilege 1 password <password>

You can also extend the privilege level using "privilege exec" and "privilege configure" to give access to features not available at a particular level.


0
 
LVL 1

Assisted Solution

by:DvonHoltz
DvonHoltz earned 250 total points
ID: 36593006
I agree with rochey2009 on the commands, just a quick note on privilege levels

    privilege level 0 — Includes the disable, enable, exit, help, and logout commands.
    privilege level 1 — Normal level on Telnet; includes all user-level commands at the router> prompt.
    privilege level 15 — Includes all enable-level commands at the router# prompt.

Also if you use "password <password>" ensure you use "service password-encryption" or all passwords will be plain text. also be aware that there are a lot of websites that can crack passwords done in this way. If security of passwords is important, than always use  "service password-encryption" and "username <Username> privilege <X> secret <password>"  
0

Featured Post

Guide to Performance: Optimization & Monitoring

Nowadays, monitoring is a mixture of tools, systems, and codes—making it a very complex process. And with this complexity, comes variables for failure. Get DZone’s new Guide to Performance to learn how to proactively find these variables and solve them before a disruption occurs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question