Overview:The challange is to allow a user to log into the routers and grab the configs, but not be able to make any changes. This can be very helpful if you have automated tools grabbing configs, but you don't want those accounts to go into the wrong hands and have folks logging in on their own and messing things up.Creating user with rights:The command that lets this happen is the privilege exec command and setting users privilage level to something below 15. The following commands create a user called "rancid" with a very limited level of rights, but who can view the running config, and view the startup-config. username rancid priv 3 password test privilege exec all level 3 show running-config privilege exec level 3 show startup-config Viewing Configs:the trick is that the sh run command wont work like normal. Instead, to view the entire config, you need to enter: show running-config view full Confirming limited rights:Note that if you wanted to see what commands were available you could enter the ? at the prompt:swa1#? Exec commands: <1-99> Session number to resume access-enable Create a temporary Access-List entry access-profile Apply user-profile to interface clear Reset functions connect Open a terminal connection crypto Encryption related commands. disable Turn off privileged commands disconnect Disconnect an existing network connection enable Turn on privileged commands exit Exit from the EXEC help Description of the interactive help system lock Lock the terminal login Log in as a particular user logout Exit from the EXEC mrinfo Request neighbor and version information from a multicast router mstat Show statistics after multiple multicast traceroutes mtrace Trace reverse multicast path from destination to source name-connection Name an existing network connection ping Send echo messages rcommand Run command on remote switch release Release a resource renew Renew a resource resume Resume an active network connection set Set system parameter (not config) show Show running system information ssh Open a secure shell client connection systat Display information about terminal lines tclquit Quit Tool Command Language shell telnet Open a telnet connection terminal Set terminal line parameters traceroute Trace route to destination tunnel Open a tunnel connection where List active connections swa1# and running the simple sh run command would produce almost nothing by itself. swa1#sh run Building configuration... Current configuration : 192 bytes ! ! Last configuration change at 16:08:58 UTC Fri Nov 11 2011 by chuck ! NVRAM config last updated at 21:27:54 UTC Wed Nov 9 2011 by chuck ! boot-start-marker boot-end-marker ! ! ! ! ! ! end swa1# Notes/Issues:This does not work for all os's. For example:Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(58)SE2, RELEASE SOFTWARE (fc1) swa2(config)#privilege exec ? all All suboption will be set to the samelevel level Set privilege level of command reset Reset privilege level of command Cisco IOS Software, C3560E Software (C3560E-UNIVERSALK9-M), Version 12.2(55)SE3, RELEASE SOFTWARE (fc1) swa3(config)#privilege exec ? level Set privilege level of command reset Reset privilege level of command References:
|