Junos OS

Expand all | Collapse all

restrict user to use certain commands

Jump to Best Answer
  • 1.  restrict user to use certain commands

    Posted 03-23-2018 04:17

    Hi,

    On our company's SRX firwall, I want to create a USER who can only...

     logs in, change passwords of other users and save / commit it - that's all

    USER should not be allowed to run any other commands.

    Can someone please send me command line of how can i achieve it.

    Or

    we manage our FW through NSM, can I do via NSM ? If yes then want to know steps

    Thanks a lot.

     



  • 2.  RE: restrict user to use certain commands

     
    Posted 03-24-2018 04:27

    You will need to create the login class with your desired restrictions for this.

     

    https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/access-privileges-configuration-mode-commands-specifying-qfx-series.html

     

    Once you know the commands you want on the device.  In NSM you edit the SRX and navigate to the appropriate hierarchy:  system > login then add the login class restrictions and push it to the device.

     



  • 3.  RE: restrict user to use certain commands

    Posted 03-26-2018 07:08

    Hi - thanks for your reply. I want to know the command for changing user accounts passwords ?

    Thanks.



  • 4.  RE: restrict user to use certain commands
    Best Answer

     
    Posted 03-27-2018 02:53

    The password is set using authentication plain-text-password

     

    Example for a user:  nocuser

     

    root@none# show system login                                                   
    user admin {
        uid 2000;
        class super-user;
        authentication {
            encrypted-password "$1$AfzYvY./$J5ITta.ellfOXC70tzq.L/"; ## SECRET-DATA
        }
    }
    user nocuser {
        class operator;
        authentication {
            encrypted-password "$1$Ij.hVU.i$cGmnJrVK7GWbwDeRXLalZ."; ## SECRET-DATA
        }
    }

    [edit]
    root@none# set system login user nocuser authentication plain-text-password