Marc Haber wrote:
> On Thu, Dec 06, 2007 at 09:03:39PM +0000, Thorsten Dahm wrote:
>> Marc Haber wrote:
>>> Which access privileges would RANCID need, and how far can the RANCID
>>> account be restricted?
>> The same as any user who is able to do a "sh run".
>
> Which access privileges are needed to do a "sh run"?

per default IIRC level 15.

>>> The administrators of the boxes are not very
>>> keen on handing out unrestricted privilege 15 accounts to automated
>>> processes.
>> They may be able to restrict the user to the "sh run" command only.
>
> Is it possible to authenticate through a ssh key, and is it possible
> to restrict a key to be only accepted from one single IP address?

I think Gert is right, Cisco can't do that. You could use AAA and TACACS
to only allow a specific user to execute 1 command, or you lower the
privilege level needed for a sh run with this command:

    privilege exec level 1 show running

But this is then global for this device, so every user with privilege 1
could do a sh run in this example.

cheers,
Thorsten
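The AAA/TACACS option mentioned in the message above, sketched as an added example that is not part of the original thread: a tac_plus user entry that authorizes only "show running-config", followed by the IOS lines that send level 15 commands to the server for authorization. The user name `rancid`, the server address 192.0.2.10 and the secrets are placeholders assumed for illustration.

```conf
# ---- tac_plus.conf on the TACACS+ server (constructed example) ----
key = "REPLACE-WITH-SHARED-SECRET"

user = rancid {
    login = cleartext "REPLACE-WITH-PASSWORD"

    # The account logs in at level 15 so that "show running-config"
    # returns the full configuration ...
    service = exec {
        priv-lvl = 15
    }

    # ... but per-command authorization limits what it may run.
    # IOS expands "sh run" to "show running-config" before asking
    # the server, so the rule matches the expanded form.
    cmd = show {
        permit ^running-config
        deny .*
    }
    # Commands with no cmd entry are denied for this user as long as
    # the user has no "default service = permit" line. Anything else
    # the collector sends needs its own permit entry.
}

! ---- IOS device configuration (constructed example) ----
aaa new-model
tacacs-server host 192.0.2.10
tacacs-server key REPLACE-WITH-SHARED-SECRET
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
! Ask the TACACS+ server before running any level 15 command
aaa authorization commands 15 default group tacacs+ local
```

Unlike the global `privilege exec level 1 show running` change, this restriction follows the one account and leaves the command's privilege level untouched for everyone else.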