We have all of our network devices attached to console servers for out-of-band access. Occasionally, someone will log in as the local root user and forget to log out. Whoever happens to log into that device next via the console server will be greeted by an open console session.
I'm aware that you can configure idle timeouts under login classes, but that doesn't seem to be an option for the built-in super-user class:
# set system login class super-user idle-timeout 10
warning: 'super-user' is a predefined class name; changing to 'super-user-local'
Nor can we assign the root user to a custom class:
# set system login user root class root
# commit
error: cannot create user account: root
error: user name is used by a system account
error: commit failed: daemon file propagation failed
Does anyone have any clever tricks around this? We could certainly use a separate user account instead of root, but that still leaves open the possibility that someone will log in as root during a maintenance action and forget to log out.
Best Answer
UPDATE: As of 16.1 this is possible with the following configuration:
set system login idle-timeout n
Where n is the number of minutes.
https://www.juniper.net/documentation/us/en/software/junos/network-mgmt/topics/ref/statement/idle-timeout--edit-system-login.html
For versions of code prior to 16.1, the following answer still works.
Setting idle-timeout for root directly from the CLI is not possible, unfortunately.
I wrote an event script that does what you need.
Basically, every 5 minutes it checks:
Non-XML version of what is pulled:
You can see a closer representation of what information the script parses by issuing:
The Script Itself: (filename: terminate-idle-root.slax)
Applying the Script:
If the commit is successful, it means that the script's syntax is valid.
Hope this helps, feel free to comment if anything is unclear and I'll be happy to update my answer.
Just a final note: @bob is right, that should work. I've just seen console appliances that maintain a connection, but allow access to the box itself so it wouldn't terminate. If you're doing a typical setup, his solution will work - but I've seen implementations where it wouldn't.
Adjusting Timeout for root Shells:
Just wanted to add one more quick thing someone brought to my attention.
If you're concerned with idle timeout on root user shell sessions (not CLI), you can jump into a shell and set:
You add/edit the file /etc/csh.login
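The periodic check the answer describes (find root sessions that have sat idle past a limit), as an added example that is not the answerer's SLAX script or any code from the original page. It parses a constructed sample laid out like the w-style table that `show system users` prints; the column layout, the sample rows, and the names `idle_minutes` and `idle_sessions` are assumptions.

```python
import re

# Constructed sample (not from the page); layout assumed to match the
# w-style table printed by "show system users".
SAMPLE = """\
 9:38AM  up 3 days, 22:07, 5 users, load averages: 0.05, 0.03, 0.01
USER     TTY      FROM                              LOGIN@  IDLE WHAT
root     d0       -                                 9:10AM    27 -csh (csh)
root     p1       192.0.2.10                        9:30AM     3 cli
netops   p0       192.0.2.11                        8:02AM  1:15 -cli (cli)
root     p2       192.0.2.12                       Mon09AM 2days cli
admin    p3       192.0.2.13                        9:37AM     - -cli (cli)
"""

def idle_minutes(field):
    """Convert an IDLE column value ('-', '27', '1:15', '2days') to minutes."""
    if field == "-":
        return 0
    if field.isdigit():
        return int(field)
    m = re.fullmatch(r"(\d+):(\d\d)", field)
    if m:
        return int(m.group(1)) * 60 + int(m.group(2))
    m = re.fullmatch(r"(\d+)days?", field)
    if m:
        return int(m.group(1)) * 1440
    # Fail loudly: an unparsed value must never be read as "not idle".
    raise ValueError(f"unrecognised IDLE value: {field!r}")

def idle_sessions(output, user="root", limit=10):
    """Return (tty, source, idle_minutes) for sessions of `user` idle >= limit."""
    hits, in_table = [], False
    for line in output.splitlines():
        cols = line.split(None, 5)
        if cols[:2] == ["USER", "TTY"]:
            in_table = True          # rows start after the header line
            continue
        if not in_table or len(cols) < 5:
            continue
        name, tty, source, _login, idle = cols[:5]
        if name == user and idle_minutes(idle) >= limit:
            hits.append((tty, source, idle_minutes(idle)))
    return hits

if __name__ == "__main__":
    for tty, source, mins in idle_sessions(SAMPLE):
        print(f"idle root session on {tty} from {source}: {mins} min")
```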