03-31-2004 07:37 AM - edited 03-10-2019 07:43 AM
Does anyone know if it is possible to use wildcards with a Shell Command Authorization Set?
I am setting up the following types of users:
Cisco Admins (Unrestricted)
Cisco Operators (restricted, but capable of a lot).
We want to allow the operators enough access to fix a problem (with us walking them through on the phone), but not allow them the following:
Show run, show start... So they cannot get the passwords.
copy ANYTHING into startup-config. We do not want them to be able to write any configs.
There are so many options to copy from: ftp, tftp, run, flash, etc... I wanted to use a wildcard for:
copy; deny * startup-config
copy; deny running-config *
copy; deny startup-config *
This will prevent them from overwriting the startup-config, and will prevent them from copying the configs anywhere they can get the encrypted passwords & run a utility to crack the passwords.
As of now, I am putting in all possible options into the authorization set, but I would LOVE to use a wildcard.
Any thoughts?
04-06-2004 08:46 AM
As of now, wildcards can be used with IP addresses only, I guess.
04-06-2004 09:33 AM
I ended up with the following:
Copy
deny running-config
deny startup-config
deny tftp startup-config
deny /erase
deny flash startup-config
deny ftp startup-config
deny null startup-config
deny pram startup-config
deny rcp startup-config
deny system startup-config
deny xmodem startup-config
deny ymodem startup-config