Juniper Junos – Setting Idle-Timeout for Root User

Tags: juniper, juniper-junos

We have all of our network devices attached to console servers for out-of-band access. Occasionally, someone will log in as the local root user and forget to log out. Whoever happens to log into that device next via the console server will be greeted by an open console session.

I'm aware that you can configure idle timeouts under login classes, but that doesn't seem to be an option for the built-in super-user class:

# set system login class super-user idle-timeout 10 
warning: 'super-user' is a predefined class name; changing to 'super-user-local'

Nor can we assign the root user to a custom class:

# set system login user root class root
# commit 
error: cannot create user account: root
error: user name is used by a system account
error: commit failed: daemon file propagation failed

Does anyone have any clever tricks around this? We could certainly use a separate user account instead of root, but that still leaves open the possibility that someone will log in as root during a maintenance action and forget to log out.

Best Answer

UPDATE: As of 16.1 this is possible with the following configuration:

set system login idle-timeout n

Where n is the number of minutes.

https://www.juniper.net/documentation/us/en/software/junos/network-mgmt/topics/ref/statement/idle-timeout--edit-system-login.html

For versions of code prior to 16.1, the following answer still works.

Setting idle-timeout for root directly from the CLI is not possible, unfortunately.

I wrote an event script that does what you need.

Basically, every 5 minutes it checks:

  • If root is logged in via console (verified by a "-" in the FROM section of "show system users")
  • If root is logged in, has it been idle for 15 minutes or more (checked in seconds, so 900 seconds).
  • If all of those requirements are met, issue "request system logout terminal $TERM" (uses whatever terminal is present in the information the script pulled).

Non-XML version of what is pulled:

jhead@VPN-EP1> show system users
 4:02PM  up 2:56, 2 users, load averages: 0.07, 0.02, 0.00
USER     TTY      FROM                              LOGIN@  IDLE WHAT
root     v0       -                                3:55PM      6 cli
jhead    p0       172.16.67.1                      1:09PM      - -cli (cli)

You can see a closer representation of what information the script parses by issuing:

show system users | display xml

The Script Itself: (filename: terminate-idle-root.slax)

/*
 * Author        : Jordan Head
 * Company       : Juniper Networks
 * Version       : 1.0
 * Last Modified : December 13, 2015
 * Platform      : all
 *
 * Description   : This event script periodically checks for root user sessions logged in
 * via out-of-band console that have been idle for 15 minutes or more, and terminates the session.
 *
 */

version 1.0;

ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";

var $event-definition = {
  <event-options> {
    <generate-event> {
      <name> "5-minute-delay";
      <time-interval> "300";
    }
    <policy> {
      <name> "terminate-idle-root";
      <events> "5-minute-delay";
      <then> {
        <event-script> {
          <name> "terminate-idle-root.slax";
        }
      }
    }
  }
}

match / {
  <op-script-results> {

    /* Selection criteria: the user name, the minimum idle time in seconds,
       and the FROM value that marks a console session ("-" instead of an IP) */
    var $root_user = "root";
    var $idle_time = "900";
    var $from = "-";

    /* Same data as "show system users | display xml" */
    var $show-system-users-output = <get-system-users-information>;
    var $show-system-users = jcs:invoke($show-system-users-output);

    for-each ($show-system-users/uptime-information/user-table/user-entry) {
      var $user_check = ./user;
      var $idle_time_check = ./idle-time/@junos:seconds;
      var $from_check = ./from;
      var $tty = ./tty;
      if ($user_check == $root_user && $idle_time_check >= $idle_time && $from_check == $from) {
        /* Log out the idle root console session on its tty (e.g. v0) */
        var $terminate_root_console = <command> "request system logout terminal " _ $tty;
        expr jcs:invoke($terminate_root_console);
      }
    }
  }
}

Applying the Script:

If the commit is successful, it means that the script's syntax is valid.

jhead@VPN-EP1> configure exclusive
warning: uncommitted changes will be discarded on exit
Entering configuration mode

[edit]
jhead@VPN-EP1# set event-options event-script file terminate-idle-root.slax

[edit]
jhead@VPN-EP1# commit and-quit
commit complete
Exiting configuration mode

Hope this helps, feel free to comment if anything is unclear and I'll be happy to update my answer.

Just a final note: @bob is right, that should work. I've just seen console appliances that maintain a connection, but allow access to the box itself so it wouldn't terminate. If you're doing a typical setup, his solution will work - but I've seen implementations where it wouldn't.

Adjusting Timeout for root Shells:

Just wanted to add one more quick thing someone brought to my attention.

If you're concerned with idle timeout on root user shell sessions (not CLI), you can jump into a shell and set:

set autologout=X  ## Where X is the number of minutes of idle time before session is terminated.

You add this to (or edit) the file /etc/csh.login.
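The three conditions the SLAX script tests (user is root, FROM is "-", idle for at least 900 seconds) can be checked off-box against a saved `show system users | display xml` reply before committing the event script. The following Python is an added example, not code from the answer above or from Juniper; the element names follow the XPath the script uses, while the namespace version string and the four user rows are a constructed sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a "show system users | display xml" reply. The element
# names follow the SLAX script's XPath (uptime-information/user-table/user-entry);
# the junos namespace version string and the four rows are assumptions.
SAMPLE_XML = """<rpc-reply xmlns:junos="http://xml.juniper.net/junos/15.1R1/junos">
  <system-users-information xmlns="http://xml.juniper.net/junos/15.1R1/junos">
    <uptime-information>
      <user-table>
        <user-entry>
          <user>root</user><tty>v0</tty><from>-</from>
          <login-time junos:seconds="1450024500">3:55PM</login-time>
          <idle-time junos:seconds="960">16</idle-time>
          <command>cli</command>
        </user-entry>
        <user-entry>
          <user>jhead</user><tty>p0</tty><from>172.16.67.1</from>
          <login-time junos:seconds="1450014540">1:09PM</login-time>
          <idle-time junos:seconds="0">-</idle-time>
          <command>-cli (cli)</command>
        </user-entry>
        <user-entry>
          <user>root</user><tty>v1</tty><from>-</from>
          <login-time junos:seconds="1450025100">4:05PM</login-time>
          <idle-time junos:seconds="120">2</idle-time>
          <command>cli</command>
        </user-entry>
        <user-entry>
          <user>root</user><tty>p1</tty><from>10.0.0.5</from>
          <login-time junos:seconds="1450021200">3:00PM</login-time>
          <idle-time junos:seconds="1200">20</idle-time>
          <command>cli</command>
        </user-entry>
      </user-table>
    </uptime-information>
  </system-users-information>
</rpc-reply>
"""


def _text(entry, name):
    """Return the stripped text of a child element, whatever its namespace."""
    child = entry.find("{*}" + name)
    return child.text.strip() if child is not None and child.text else ""


def _idle_seconds(entry):
    """Read idle-time/@junos:seconds; a missing value (active user) counts as 0."""
    child = entry.find("{*}idle-time")
    if child is None:
        return 0
    for attr, value in child.attrib.items():
        if attr.rsplit("}", 1)[-1] == "seconds":
            return int(value)
    return 0


def find_idle_console_sessions(xml_text, user="root", idle_threshold=900, console_from="-"):
    """Return the ttys of sessions that satisfy all three of the script's
    conditions: the given user, FROM equal to "-" (console rather than a
    network login), and idle for at least idle_threshold seconds."""
    root = ET.fromstring(xml_text)
    matches = []
    for entry in root.iterfind(".//{*}user-entry"):
        if (_text(entry, "user") == user
                and _text(entry, "from") == console_from
                and _idle_seconds(entry) >= idle_threshold):
            matches.append(_text(entry, "tty"))
    return matches


def logout_commands(ttys):
    """Build the CLI command the event script issues for each matching tty."""
    return ["request system logout terminal " + tty for tty in ttys]


if __name__ == "__main__":
    for cmd in logout_commands(find_idle_console_sessions(SAMPLE_XML)):
        print(cmd)
```

Only `v0` is selected from the sample: `v1` is a root console session but has been idle for just 120 seconds, and `p1` is root but logged in over the network, which the FROM check deliberately leaves alone (that session's idle timeout belongs to a login class, not to this script). Lowering `idle_threshold` is the off-box equivalent of changing `$idle_time` in the SLAX file.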