Mailing List Archive

allow-command question
Hi group,

I'm having some trouble configuring restricted commands with
a user class : I would like to define a class that allows
only "show route..." and "quit".
I managed to make this working with :

class VIEW_ROUTE {
idle-timeout 3;
permissions view;
allow-commands "^show route";
deny-commands "^file|^help|^request|^set|^show|^test";
}

viewer_route@PARIS> show ?
Possible completions:
route Show routing table information
viewer_route@PARIS> ?
Possible completions:
quit Exit the management session
show Show information about the system
viewer_route@PARIS>


Considering the command line could change with a future junos upgrade,
I would like to deny "everything" then only allow this particular
commands "show route" or "quit".

class VIEW_ROUTE {
idle-timeout 3;
permissions view;
allow-commands "(^show route|quit)";
deny-commands .*;
}

viewer_route@PARIS> ?
Possible completions:
show Show information about the system
viewer_route@PARIS> show ?
Possible completions:
route Show routing table information
viewer_route@PARIS> quit
^
unknown command.

viewer_route@PARIS>

It's probably a basic regex mistake but I can't make it work
properly... I tried:
"(show route | quit)", "show route | quit", "show route|quit"...
with no success...

Any idea where I'm wrong ?

Cheers,

Nicolas.
allow-command question [ In reply to ]
isn't it

allow-commands "(^show route|^quit)";
deny-commands .*;

instead of

allow-commands "(^show route|quit)";
deny-commands .*;

R/
Mourad


-----Original Message-----
From: Nicolas Fevrier [mailto:nicolas.fevrier@telindus.fr]
Sent: Monday, 28 July 2003 14:24
To: juniper@groupstudy.com
Cc: juniper-nsp@puck.nether.net
Subject: [j-nsp] allow-command question


_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
http://puck.nether.net/mailman/listinfo/juniper-nsp
allow-command question [ In reply to ]
Hi Mourad :))

Nope, it doesn't make any noticeable difference (quit or "everything
beginning with quit")

class VIEW_ROUTE {
idle-timeout 3;
permissions view;
allow-commands "(^show route|^quit)";
deny-commands .*;
}

viewer_route@PARIS> ?
Possible completions:
show Show information about the system
viewer_route@PARIS> quit
^
unknown command.
viewer_route@PARIS>

Rgds,

Nicolas.

# isn't it
# allow-commands "(^show route|^quit)";
# deny-commands .*;
# instead of
# isn't it allow-commands "(^show route|quit)";
# deny-commands .*;
# R/
# Mourad
allow-command question [ In reply to ]
I ran into this a few weeks back in the lab. What I ended up doing was
ctrl+] and quit. Perhaps not the best or cleanest way to do it but it
works.



Thanks,

Mario Puras
SoluNet Technical Support
Mailto: mpuras@solunet.com
Direct: (321) 309-1410
888.449.5766 (USA) / 888.SOLUNET (Canada)



>-----Original Message-----
>From: Nicolas Fevrier [mailto:nicolas.fevrier@telindus.fr]
>Sent: Monday, July 28, 2003 10:14 AM
>To: Mourad BERKANE; Nicolas Fevrier
>Cc: 'juniper-nsp@puck.nether.net'
>Subject: RE: [j-nsp] allow-command question
allow-command question [ In reply to ]
allow-commands "(show route)|(quit)";


At 04:13 PM 7/28/2003 +0200, Nicolas Fevrier wrote:
allow-command question [ In reply to ]
IMHO, you should never disallow quit.

ie: juniper should make it always available.

- jared

On Mon, Jul 28, 2003 at 04:36:09PM +0200, Anton Bernal wrote:

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
allow-command question [ In reply to ]
I've tried this one too :)

# From: Anton Bernal [mailto:abernal@bigfoot.com]
# allow-commands "(show route)|(quit)";

user toto {
uid 2004;
class VIEW_ROUTE;
authentication {
encrypted-password "$1$UAEz9zdM$cY8aooxQDpTz6VKNrgKCz1"; # SECRET-DATA
}
}
class VIEW_ROUTE {
idle-timeout 3;
permissions view;
allow-commands "(show route)|(quit)";
deny-commands .*;
}

toto@PARIS> ?
Possible completions:
show Show information about the system
toto@PARIS> quit
^
unknown command.

toto@PARIS> exit
^
unknown command.

toto@PARIS>
allow-command question [ In reply to ]
Try:
permissions view;
allow-commands "(quit)|(show route)";
deny-commands "[^(quit)]";

At 06:16 PM 7/28/2003 +0200, Nicolas Fevrier wrote:
allow-command question [ In reply to ]
# Try:
# permissions view;
# allow-commands "(quit)|(show route)";
# deny-commands "[^(quit)]";

toto@PARIS> ?
Possible completions:
quit Exit the management session
show Show information about the system
toto@PARIS> show ?
Possible completions:
route Show routing table information
toto@PARIS>

:)))

Thanks a lot Anton,

Nicolas.
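The regex side of this exchange, as an added example that is not part of the list thread: a small Python script that runs each allow/deny pair posted above against a constructed list of commands and reports which pattern matches which command. It assumes Python's re module gives the same answers as the POSIX-style extended regular expressions the Junos CLI uses, which holds for these patterns because none of them use backreferences or lookaround. It does not model how the CLI resolves a command matched by both statements: in the thread "show route" was permitted even when the deny pattern also matched it ("^show", ".*") while "quit" was not, so only the matching is reproduced here. What it does show is that "[^(quit)]" is a negated character class, not "anything except quit": it fails to match "quit" only because every character of that word is inside the class, and it fails in the same way for any other string built from the characters ( ) q u i t.

```python
import re

# Regex pairs tried in the thread, in the order they were posted.
# Assumption: Python's re engine agrees with POSIX ERE for these patterns.
ATTEMPTS = [
    ("first allow-list", r"^show route",
     r"^file|^help|^request|^set|^show|^test"),
    ("deny-all, anchored quit", r"(^show route|^quit)", r".*"),
    ("deny-all, grouped", r"(show route)|(quit)", r".*"),
    ("negated character class", r"(quit)|(show route)", r"[^(quit)]"),
]

# Constructed sample of commands a restricted user might type (not from
# the page). "tu" is not a real command; it is there to show that the
# negated class lets through any string built only from ( ) q u i t.
COMMANDS = [
    "show route",
    "show route 10.0.0.0/8",
    "quit",
    "exit",
    "show configuration",
    "request system reboot",
    "tu",
]


def matches(pattern, command):
    """True if the regex matches anywhere in the command string."""
    return re.search(pattern, command) is not None


def evaluate(allow, deny, commands=COMMANDS):
    """Return {command: (allow_matched, deny_matched)} for one regex pair.

    Only the regex matching is modelled. How the Junos CLI decides the
    outcome for a command that matches both statements is not something
    this script claims to know.
    """
    return {c: (matches(allow, c), matches(deny, c)) for c in commands}


def report():
    """Print a matching table for every attempt from the thread."""
    for name, allow, deny in ATTEMPTS:
        print(f"== {name}: allow={allow!r} deny={deny!r}")
        for cmd, (a, d) in evaluate(allow, deny).items():
            print(f"  {cmd:24} allow={str(a):5} deny={d}")


if __name__ == "__main__":
    report()
```

Run it directly to print the table; evaluate() is the function to call if you want to check a regex pair of your own before committing it on a router.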
allow-command question [ In reply to ]
On Mon, Jul 28, 2003 at 11:09:51AM -0400, Jared Mauch wrote:
| IMHO, you should never disallow quit.
|
| ie: juniper should make it always available.

behave different than the regexp does dictate?

I was under the impression that customers do
prefer predictability over fool-protection?

/hannes
allow-command question [ In reply to ]
On Thu, Jul 31, 2003 at 08:59:37AM +0200, Hannes Gredler wrote:
> On Mon, Jul 28, 2003 at 11:09:51AM -0400, Jared Mauch wrote:
> | IMHO, you should never disallow quit.
> |
> | ie: juniper should make it always available.
>
> behave different than the regexp does dictate?
>
> I was under the impression that customers do
> prefer predictability over fool-protection?

I agree with that in everything except the ability to 'quit'

You shouldn't be able to telnet/ssh/whatnot into a device but
not be able to exit gracefully.

- jared

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
allow-command question [ In reply to ]

> On Thu, Jul 31, 2003 at 08:59:37AM +0200, Hannes Gredler wrote:
> > On Mon, Jul 28, 2003 at 11:09:51AM -0400, Jared Mauch wrote:
> > | IMHO, you should never disallow quit.
> > |
> > | ie: juniper should make it always available.
> >
> > behave different than the regexp does dictate?
> >
> > I was under the impression that customers do
> > prefer predictability over fool-protection?
>
> I agree with that in everything except the ability to 'quit'
>
> You shouldn't be able to telnet/ssh/whatnot into a device but
> not be able to exit gracefully.

I'm with Jared on this one. There are no circumstances I can think of under
which it would be necessary to *prevent* someone from being able to quit. I
don't know how trivial (or otherwise) it would be to make quit an exception
within the regexp behaviour. I would have thought that some implicit regexp
entries which exclude quit from a "deny-commands" would do the trick.

In all other aspects, I want determinism. This is just the situation where
common sense should take precedence over the technically pure solution.

Regards,

Guy
