Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

read only access to router via ssh

Posted on 2011-09-23
3
Medium Priority
?
365 Views
Last Modified: 2012-08-14
Can you tell me how to setup a user account on a cisco router so that he will only have read only access via SSH

thanks
0
Comment
Question by:FREDARCE
3 Comments
 
LVL 18

Expert Comment

by:jmeggers
ID: 36589030
Have to use command authorization.   The user has to be authenticated and then they're assigned a "level".  Command authorization is used to authorize commands at various levels.  In your case, you'd allow 'show run" but not "config  term".  See http://www.cisco.com/en/US/docs/ios/12_0/security/command/reference/srauth.html
0
 
LVL 17

Accepted Solution

by:
rochey2009 earned 1000 total points
ID: 36592166
At a basic level - all you need is:

aaa new-model

some versions of IOS don't allow the secret option for the username password encryption. If not then you'll have to use the cleartext version.

username <Username> privilege 1 secret <password>

or

username <Username> privilege 1 password <password>

You can also extend the privilege level using "privilege exec" and "privilege configure" to give access to features not available at a particular level.


0
 
LVL 1

Assisted Solution

by:DvonHoltz
DvonHoltz earned 1000 total points
ID: 36593006
I agree with rochey2009 on the commands, just a quick note on privilege levels

    privilege level 0 — Includes the disable, enable, exit, help, and logout commands.
    privilege level 1 — Normal level on Telnet; includes all user-level commands at the router> prompt.
    privilege level 15 — Includes all enable-level commands at the router# prompt.

Also if you use "password <password>" ensure you use "service password-encryption" or all passwords will be plain text. also be aware that there are a lot of websites that can crack passwords done in this way. If security of passwords is important, than always use  "service password-encryption" and "username <Username> privilege <X> secret <password>"  
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
Unable to change the program that handles the scan event from a network attached Canon/Brother printer/scanner. This means you'll always have to choose which program handles this action, e.g. ControlCenter4 (in the case of a Brother).
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question