Re: [j-nsp] Enforcing CLI Idle-Timeouts
I think he meant the difference in the changes is negligible (like 3 set statements). Either solution you deploy (both set scripts) you'll still have to deploy to hundreds of routers. Look into Shrubbery's RANCID for a super-fast way to do that. -Ben -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stefan Fouant Sent: Tuesday, July 22, 2008 12:11 AM To: Stacy W. Smith Cc: Juniper-Nsp Subject: Re: [j-nsp] Enforcing CLI Idle-Timeouts Not too cumbersome... unless of course you're talking about deploying it on hundreds of routers! Luckily for me I only have to do this on 8 :) On Tue, Jul 22, 2008 at 12:07 AM, Stacy W. Smith [EMAIL PROTECTED] wrote: Defining a custom class with your specified idle-timeout and permissions all doesn't seem too cumbersome. That would be equivalent to the pre-defined super-user class, and I think it's your best bet. --Stacy On Jul 21, 2008, at 8:51 PM, Stefan Fouant wrote: I hope the only other option isn't going to mean that I have to configure a custom login class and assign the various CLI permissions. That would be a real PITA. I wish there were some way to pass this information off from our TACACS+ server but alas it seems that the junos_exec service class has very limited command shell authorizations Hopefully someone on-list has found a solution On 7/21/08, Christian Koch [EMAIL PROTECTED] wrote: i tried this a while back and came across the same issue, i've yet to be able to find a 'hack' since.. christian On Mon, Jul 21, 2008 at 4:56 PM, Stefan Fouant [EMAIL PROTECTED] wrote: Hey Folks, Wondering if anyone knows how to enforce CLI Idle-Timeouts on Juniper using default login classes such as Super-User. I see that there is a command 'idle-timeout' which can be configured under a login class, but I want to modify the default class 'super-user' which has a default of idle-timeout 0/disabled. It does not appear that I can modify the default login classes. Anyone here ever attempt anything similar? -- Stefan Fouant Principal Network Engineer NeuStar, Inc. - http://www.neustar.biz GPG Key ID: 0xB5E3803D ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp -- Sent from Gmail for mobile | mobile.google.com Stefan Fouant Principal Network Engineer NeuStar, Inc. - http://www.neustar.biz GPG Key ID: 0xB5E3803D ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp -- Stefan Fouant Principal Network Engineer NeuStar, Inc. - http://www.neustar.biz GPG Key ID: 0xB5E3803D ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp *** The information contained in this message, including attachments, may contain privileged or confidential information that is intended to be delivered only to the person identified above. If you are not the intended recipient, or the person responsible for delivering this message to the intended recipient, Windstream requests that you immediately notify the sender and asks that you do not read the message or its attachments, and that you delete them without copying or sending them to anyone else. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] Enforcing CLI Idle-Timeouts
Hey Folks, Wondering if anyone knows how to enforce CLI Idle-Timeouts on Juniper using default login classes such as Super-User. I see that there is a command 'idle-timeout' which can be configured under a login class, but I want to modify the default class 'super-user' which has a default of idle-timeout 0/disabled. It does not appear that I can modify the default login classes. Anyone here ever attempt anything similar? -- Stefan Fouant Principal Network Engineer NeuStar, Inc. - http://www.neustar.biz GPG Key ID: 0xB5E3803D ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Enforcing CLI Idle-Timeouts
i tried this a while back and came across the same issue, i've yet to be able to find a 'hack' since.. christian On Mon, Jul 21, 2008 at 4:56 PM, Stefan Fouant [EMAIL PROTECTED] wrote: Hey Folks, Wondering if anyone knows how to enforce CLI Idle-Timeouts on Juniper using default login classes such as Super-User. I see that there is a command 'idle-timeout' which can be configured under a login class, but I want to modify the default class 'super-user' which has a default of idle-timeout 0/disabled. It does not appear that I can modify the default login classes. Anyone here ever attempt anything similar? -- Stefan Fouant Principal Network Engineer NeuStar, Inc. - http://www.neustar.biz GPG Key ID: 0xB5E3803D ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Enforcing CLI Idle-Timeouts
I hope the only other option isn't going to mean that I have to configure a custom login class and assign the various CLI permissions. That would be a real PITA. I wish there were some way to pass this information off from our TACACS+ server but alas it seems that the junos_exec service class has very limited command shell authorizations Hopefully someone on-list has found a solution On 7/21/08, Christian Koch [EMAIL PROTECTED] wrote: i tried this a while back and came across the same issue, i've yet to be able to find a 'hack' since.. christian On Mon, Jul 21, 2008 at 4:56 PM, Stefan Fouant [EMAIL PROTECTED] wrote: Hey Folks, Wondering if anyone knows how to enforce CLI Idle-Timeouts on Juniper using default login classes such as Super-User. I see that there is a command 'idle-timeout' which can be configured under a login class, but I want to modify the default class 'super-user' which has a default of idle-timeout 0/disabled. It does not appear that I can modify the default login classes. Anyone here ever attempt anything similar? -- Stefan Fouant Principal Network Engineer NeuStar, Inc. - http://www.neustar.biz GPG Key ID: 0xB5E3803D ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp -- Sent from Gmail for mobile | mobile.google.com Stefan Fouant Principal Network Engineer NeuStar, Inc. - http://www.neustar.biz GPG Key ID: 0xB5E3803D ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Enforcing CLI Idle-Timeouts
Not too cumbersome... unless of course you're talking about deploying it on hundreds of routers! Luckily for me I only have to do this on 8 :) On Tue, Jul 22, 2008 at 12:07 AM, Stacy W. Smith [EMAIL PROTECTED] wrote: Defining a custom class with your specified idle-timeout and permissions all doesn't seem too cumbersome. That would be equivalent to the pre-defined super-user class, and I think it's your best bet. --Stacy On Jul 21, 2008, at 8:51 PM, Stefan Fouant wrote: I hope the only other option isn't going to mean that I have to configure a custom login class and assign the various CLI permissions. That would be a real PITA. I wish there were some way to pass this information off from our TACACS+ server but alas it seems that the junos_exec service class has very limited command shell authorizations Hopefully someone on-list has found a solution On 7/21/08, Christian Koch [EMAIL PROTECTED] wrote: i tried this a while back and came across the same issue, i've yet to be able to find a 'hack' since.. christian On Mon, Jul 21, 2008 at 4:56 PM, Stefan Fouant [EMAIL PROTECTED] wrote: Hey Folks, Wondering if anyone knows how to enforce CLI Idle-Timeouts on Juniper using default login classes such as Super-User. I see that there is a command 'idle-timeout' which can be configured under a login class, but I want to modify the default class 'super-user' which has a default of idle-timeout 0/disabled. It does not appear that I can modify the default login classes. Anyone here ever attempt anything similar? -- Stefan Fouant Principal Network Engineer NeuStar, Inc. - http://www.neustar.biz GPG Key ID: 0xB5E3803D ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp -- Sent from Gmail for mobile | mobile.google.com Stefan Fouant Principal Network Engineer NeuStar, Inc. - http://www.neustar.biz GPG Key ID: 0xB5E3803D ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp -- Stefan Fouant Principal Network Engineer NeuStar, Inc. - http://www.neustar.biz GPG Key ID: 0xB5E3803D ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp