Prudish behavior

Back on the Juniper posts today, I am going to jump into local user authentication. Juniper offers quite a few options for configuring user-based access, and I will explore these among many other topics this year. I am of the belief that not everyone should have full access to your device. You don't tell everyone all of your secrets, do you?

Juniper access control has a lot of ways to achieve one thing, and today I will show you only some. This post will cover local users, setting up a read-only account, and some of the retry-options focused on security. By default, you create a root account when you first boot your Juniper device. I would not recommend that all users use this account to administer the device. Too much power!

First, let's create two users: Rand al'Thor and Lan Mandragoran. I am reading the last book of The Wheel of Time at the moment, hence the names! I've assigned user IDs manually; the device will do it for you automatically, preferring the lowest available first.

set system login user lmandragoran full-name "Lan Mandragoran"
set system login user lmandragoran uid 2003
set system login user ralthor full-name "Rand al'Thor"
set system login user ralthor uid 2004
Now to create passwords.
[edit system login]
[email protected]# set user ralthor authentication plain-text-password    
New password:
Retype new password:

[edit system login]
[email protected]# 

[edit system login]
[email protected]# set user lmandragoran authentication plain-text-password    
New password:
Retype new password:

[edit system login]
[email protected]#

That is all well and good. Now assign the users to login classes: Rand to the default super-user class and Lan to read-only.

set system login user lmandragoran class read-only
set system login user ralthor class super-user

Now let's confirm our settings.

[email protected]> show configuration system login                     

user lmandragoran {
    full-name "Lan Mandragoran";
    uid 2003;
    class read-only;
    authentication {
        encrypted-password "$1$9fMIL2Zh$j9pzA40WQ.3apKHRlfG4M/"; ## SECRET-DATA
    }
}
user ralthor {
    full-name "Rand al'Thor";
    uid 2004;
    class super-user;
    authentication {
        encrypted-password "$1$GYbzNkRL$.L4KVszsdSeKm92NffG9N."; ## SECRET-DATA
    }
}

Awesome. Now let us test how read-only works for Lan.

[email protected]% exit
logout
Connection to 192.168.1.200 closed.
telaranrhiod:~ pandom$ ssh [email protected]
[email protected]'s password: 
--- JUNOS 12.1R3.5 built 2012-08-09 07:05:23 UTC
[email protected]> ?
Possible completions:
  file                 Perform file operations
  help                 Provide help information
  load                 Load information from file
  op                   Invoke an operation script
  quit                 Exit the management session
  request              Make system-level requests
  save                 Save information to file
  set                  Set CLI properties, date/time, craft interface message
  show                 Show system information
  start                Start shell
  test                 Perform diagnostic debugging
[email protected]> set ?  
Possible completions:
  cli                  Set CLI properties
[email protected]> request ?   
Possible completions:
  chassis              Perform chassis-specific operations
  dhcp                 Perform DHCP operations
  dhcpv6               Perform DHCPv6 operations
  interface            Perform interface tasks
  lacp                 Request LACP actions
  message              Send text message to other users
  modem                
  multicast            Perform multicast operations
  network-access       Request network-access related information
  pppoe                Perform PPPoE specific operations
  services             Service requests
  snmp                 Request actions from the Simple Network Management Protocol daemon
  wlan                 Wireless LAN related requests
[email protected]> show ?        
Possible completions:
  accounting           Show accounting profiles and records
  arp                  Show system Address Resolution Protocol table entries
  as-path              Show table of known autonomous system paths
  authentication-whitelist  Show 802.1X White List MAC addresses
  bfd                  Show Bidirectional Forwarding Detection information
  bgp                  Show Border Gateway Protocol information

Now you can see that this user can explore the available commands, issue show commands for each stanza, and perform system requests. They cannot restart the device or look at the entire configuration.

[email protected]> show configuration    
## Last commit: 2013-01-16 22:19:23 UTC by root
version /* ACCESS-DENIED */;
system { /* ACCESS-DENIED */ };
interfaces { /* ACCESS-DENIED */ };
routing-options { /* ACCESS-DENIED */ };
protocols { /* ACCESS-DENIED */ };
security { /* ACCESS-DENIED */ };
routing-instances { /* ACCESS-DENIED */ };
ethernet-switching-options { /* ACCESS-DENIED */ };
vlans { /* ACCESS-DENIED */ };

Pretty cool. Now to show you some lock-down methods. I want to make it hard for someone to gain illegitimate access to the device; I want to slow them down, and Junos has a plethora of options for this. I want to make sure that if you put a wrong password in three times, you're disconnected. The backoff-threshold of 1 means that after the first failed password attempt, subsequent attempts are delayed by the backoff-factor, which is 5 seconds, and each further failure increases the wait by another 5 seconds. If all three attempts fail, the connection is closed. Minimum-time allows this entire transaction 25 seconds, else the connection will close.

set system login retry-options tries-before-disconnect 3
set system login retry-options backoff-threshold 1
set system login retry-options backoff-factor 5
set system login retry-options minimum-time 25

Now let's attempt to break an account.

telaranrhiod:~ pandom$ ssh [email protected]
[email protected]'s password: 
Permission denied, please try again.

[email protected]'s password: 
Permission denied, please try again.

[email protected]'s password: 
Received disconnect from 192.168.1.200: 2: Too many password failures for ralthor
telaranrhiod:~ pandom$

The time between each attempt was annoying. A great way to protect against brute-force attempts on your switches. Now I am going to make one more account that is only able to view routing information. This account needs to be FIPS 140-2 compliant, which means the following permission bits cannot be set: secret, security, and maintenance. I will make a class entitled router-operator and apply the routing-control and view permission bits. I am also going to allow this class for the weekday night shift only: 18:00 to 06:00, Monday to Friday. I will include an idle timeout of 2 minutes. No leaving an open CLI!

set system login retry-options minimum-time 20
set system login class router-operator allowed-days monday
set system login class router-operator allowed-days tuesday
set system login class router-operator allowed-days wednesday
set system login class router-operator allowed-days thursday
set system login class router-operator allowed-days friday
set system login class router-operator access-start "18:00:00 +0000"
set system login class router-operator access-end "06:00:00 +0000"
set system login class router-operator permissions routing-control
set system login class router-operator permissions view
set system login class router-operator idle-timeout 2

A FIPS 140-2 Crypto Officer is someone with the secret, security, and maintenance permission bits set. Time to confirm the commands. It is important to have correct time on the device if you are using time-based roles and functions, especially at a global level, where different time zones could be a factor.

[email protected]> ?
Possible completions:
  file                 Perform file operations
  help                 Provide help information
  load                 Load information from file
  op                   Invoke an operation script
  quit                 Exit the management session
  request              Make system-level requests
  save                 Save information to file
  set                  Set CLI properties, date/time, craft interface message
  show                 Show system information
  start                Start shell
  test                 Perform diagnostic debugging
[email protected]> show route ospf     

inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 3d 14:37:11
                    > to 192.168.1.254 via fe-0/0/0.0

[email protected]> show route         

inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 3d 14:37:15
                    > to 192.168.1.254 via fe-0/0/0.0
172.16.10.1/32     *[Local/0] 1w4d 14:18:48
                      Reject
172.16.15.1/32     *[Local/0] 1w4d 14:18:48
                      Reject
172.16.20.1/32     *[Local/0] 1w4d 14:18:48
                      Reject
192.168.1.0/24     *[Direct/0] 3d 14:37:15
                    > via fe-0/0/0.0
192.168.1.200/32   *[Local/0] 1w4d 14:18:37
                      Local via fe-0/0/0.0
192.168.2.1/32     *[Local/0] 1w4d 14:18:49
                      Reject
224.0.0.5/32       *[OSPF/10] 6d 22:54:37, metric 1
                      MultiRecv

R1.inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.1.1.1/32         *[Direct/0] 1w4d 14:19:19
                    > via lo0.1
2.2.2.2/32         *[OSPF/10] 1w0d 20:41:26, metric 1
                    > to 192.168.10.2 via lt-0/0/0.0
3.3.3.3/32         *[OSPF/10] 1w0d 20:41:26, metric 2
                    > to 192.168.10.2 via lt-0/0/0.0
192.168.10.0/30    *[Direct/0] 1w4d 14:18:36
                    > via lt-0/0/0.0
192.168.10.1/32    *[Local/0] 1w4d 14:18:36
                      Local via lt-0/0/0.0
192.168.10.4/30    *[OSPF/10] 1w0d 20:41:26, metric 2
                    > to 192.168.10.2 via lt-0/0/0.0
192.168.10.8/30    *[Direct/0] 1w4d 14:18:36
                    > via lt-0/0/0.5
192.168.10.10/32   *[Local/0] 1w4d 14:18:36
                      Local via lt-0/0/0.5
224.0.0.5/32       *[OSPF/10] 1w2d 03:13:50, metric 1
                      MultiRecv
[email protected]# run show system uptime 
Current time: 2013-01-17 00:55:41 UTC
System booted: 2013-01-05 10:39:40 UTC (1w4d 14:16 ago)
Protocols started: 2013-01-05 10:42:03 UTC (1w4d 14:13 ago)
Last configured: 2013-01-17 00:49:19 UTC (00:06:22 ago) by root
12:55AM up 11 days, 14:16, 2 users, load averages: 0.19, 0.08, 0.01

So you can see that, logged in as Matrim Cauthon, you can issue show commands and edit routing protocols, and the login time falls within the allowed window.

[email protected]> Warning: session will be closed in 1 minute if there is no activity
Warning: session will be closed in 10 seconds if there is no activity
Idle timeout exceeded: closing session

Connection to 192.168.1.200 closed.
telaranrhiod:~ pandom$

Very good. Got distracted by a webpage? Got up for a coffee and didn't lock your screen? Your personal data may be gone, but the network is safe! Easy to configure for powerful results.

Thoughts

I think local AAA is often overlooked. I've found the options in Junos for local accounts very granular and flexible. Obviously, long term and for large-scale IT teams, centralized solutions are a much better choice, but for a small deployment or environment such as branches or SOHO/SMB it is a great tool. Remember, if you are seeding local accounts, to apply these settings and be sparing in your use of the super-user class.
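As an added example (not code from the original post), here is a small Python audit that parses the curly-brace text that show configuration system login prints, as shown earlier, and flags two things this post warns about: accounts in the super-user class, and any login class carrying the Crypto Officer bits (secret, security, maintenance) that a FIPS 140-2 operator class like router-operator must not have. The sample stanza, including the night-ops class, is constructed for the example.

```python
import re

# Permission bits that make a class a FIPS 140-2 Crypto Officer (per the post).
CRYPTO_OFFICER_BITS = {"secret", "security", "maintenance"}

# Constructed sample in the format 'show configuration system login' prints.
SAMPLE_CONFIG = """\
class router-operator {
    permissions [ routing-control view ];
    idle-timeout 2;
}
class night-ops {
    permissions [ view secret maintenance ];
}
user lmandragoran {
    class read-only;
}
user ralthor {
    class super-user;
}
"""

def parse_login(text):
    """Return ({class: set(permission bits)}, {user: class}) from stanza text."""
    classes, users, stanza, depth = {}, {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            if depth == 0:                       # top-level 'class X {' or 'user X {'
                parts = line[:-1].split()
                stanza = tuple(parts[:2]) if len(parts) == 2 else None
                if stanza and stanza[0] == "class":
                    classes[stanza[1]] = set()
            depth += 1
        elif line == "}":
            depth -= 1
            if depth == 0:
                stanza = None
        elif stanza and depth == 1:              # direct children of the stanza only
            if stanza[0] == "class" and line.startswith("permissions"):
                classes[stanza[1]].update(re.findall(r"[\w-]+", line[len("permissions"):]))
            elif stanza[0] == "user" and line.startswith("class "):
                users[stanza[1]] = line[len("class "):].rstrip(";")
    return classes, users

def audit(text):
    classes, users = parse_login(text)           # findings a reviewer should question
    return {"super_users": sorted(u for u, c in users.items() if c == "super-user"),
            "crypto_officer_classes": sorted(c for c, p in classes.items() if p & CRYPTO_OFFICER_BITS)}
```

Run audit() over the output of show configuration system login | no-more on each device to spot super-user sprawl and classes that quietly gained Crypto Officer bits.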
