Juniper SRX – How to Create a ReadOnly Account

This article gives the commands needed to create a read-only account on a Juniper SRX. In the example the account is created with the following attributes:

  • A user with the username ‘user1’.
  • The user may ONLY run show commands.
  • The SNMP hierarchy is REMOVED from the user's configuration output.
  • The policy-options and security address-book hierarchies are REMOVED from the user's configuration output.

Configuration

The configuration is straightforward. First a login class is created that defines what the user is allowed to do; then the user is created and assigned to that class.

Here is a breakdown of the class:

  • permissions – the Junos permission flags the class holds, i.e. which contexts the user may access. Here the flags are everything the account needs except snmp; because the snmp flag is absent, the snmp hierarchy never appears in this user's output.
  • allow-commands – a regular expression of operational-mode commands the user is permitted to run within those contexts (here, anything beginning with show).
  • deny-commands – a regular expression of commands the user is not permitted to run. Note that where a command matches both regular expressions, Junos gives allow-commands precedence over deny-commands, so the allow regex should be kept as narrow as possible.
  • deny-configuration – a regular expression of configuration hierarchies the user may neither view nor modify, so they are excluded from the output of show configuration. Individual objects can be excluded as well as whole hierarchies, e.g. a single address set via deny-configuration "(security address-book global address-set MGMT-IPS)".

The user is then bound to the class. The $1$ prefix on the stored hash in the example marks an MD5 password hash; on Junos releases that support it, set system login password format sha512 before setting the password so that new hashes are SHA-512 instead.
login {
    class user1 {
        permissions [ admin interface routing security system ];
        allow-commands show;
        deny-commands "(clear)|(file)|(file show)|(help)|(load)|(monitor)|(op)|(request)|(save)|(set)|(start)|(user1)";
        deny-configuration "(policy-options)|(security address-book)";
    }
    user user1 {
        uid 2007;
        class user1;
        authentication {
            encrypted-password "$1$u.5scwBy$wzCJgOIqu8LvIjB9CJco70"; ## SECRET-DATA
        }
    }
}

Commands

The set commands that produce the configuration above are shown below:

set system login class user1 permissions admin
set system login class user1 permissions interface
set system login class user1 permissions routing
set system login class user1 permissions security
set system login class user1 permissions system
set system login class user1 allow-commands show
set system login class user1 deny-commands "(clear)|(file)|(file show)|(help)|(load)|(monitor)|(op)|(request)|(save)|(set)|(start)|(user1)"
set system login class user1 deny-configuration "(policy-options)|(security address-book)"

set system login user user1 uid 2007
set system login user user1 class user1
set system login user user1 authentication plain-text-password   ## prompts you to enter and confirm the password
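The article stops at the set commands. A practitioner will also want to commit the change and then confirm, from user1's own session, that the class really restricts what it claims to. The sequence below is an added example, not part of the original article: the hostname and prompts are illustrative, and the password format command is assumed to be supported by the Junos release in use (it is not required for the class to work).

```junos
## Added example (not from the original article). Hostname "srx" and the
## prompts are illustrative; "system login password format sha512" is
## assumed to exist on this release and can be omitted if it does not.

## --- as an administrator, in configuration mode ---
admin@srx# set system login password format sha512   ## new hashes become $6$ (SHA-512) rather than MD5 $1$
admin@srx# set system login class user1 permissions [ admin interface routing security system ]
admin@srx# set system login class user1 allow-commands show
admin@srx# set system login class user1 deny-commands "(clear)|(file)|(file show)|(help)|(load)|(monitor)|(op)|(request)|(save)|(set)|(start)|(user1)"
admin@srx# set system login class user1 deny-configuration "(policy-options)|(security address-book)"
admin@srx# set system login user user1 uid 2007
admin@srx# set system login user user1 class user1
admin@srx# set system login user user1 authentication plain-text-password   ## prompts for the password
admin@srx# commit check          ## syntax/semantic check only, nothing is activated
admin@srx# commit and-quit

## --- now log in as user1 and verify what the class actually grants ---
user1@srx> show cli authorization
## Expect: class user1, the five permission flags, the allow regex "show" and
## the deny regex above. No configure, maintenance or snmp permission listed.

user1@srx> show configuration snmp
## Expect no output: the class has no snmp permission, so the hierarchy is hidden.

user1@srx> show configuration security address-book
user1@srx> show configuration policy-options
## Expect no output for either: both are hidden by deny-configuration.

user1@srx> request system reboot
user1@srx> clear log messages
## Expect the CLI to reject both: matched by deny-commands and not by allow-commands.

user1@srx> configure
## Expect rejection: the class holds no configure permission, so the user
## cannot enter configuration mode at all.
```

If show cli authorization lists a permission flag you did not intend (admin, for example, also exposes user account information), trim the permissions list rather than relying on deny-commands alone, since allow-commands is applied ahead of deny-commands.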
Rick Donato
