Juniper Junos Idle Timeout

Juniper SRX 210

I recently noticed that Junos doesn’t set an idle timeout on CLI sessions for newly created user/administrator logins. It doesn’t set an idle timeout (by default) on the default root account either. While this wouldn’t be much of a concern for most, we place analog modems on the console ports of all our remote office Juniper SRX 210Hs. If an engineer or administrator forgets to log out of the console before hanging up the modem we could have a big security problem. Someone could stumble across our device (by war dialing or accidentally) and find themselves logged into a Juniper SRX 210H with full administrator privileges.

Thankfully you can configure an idle timeout for CLI sessions in Junos.

We don’t use the default root account but instead create an admin account for the day to day management and configuration changes. Here are the steps we use to create that admin account:

set system login user admin full-name Administrator
set system login user admin uid 100
set system login user admin class super-user
set system login user admin authentication plain-text-password password

That leaves us with the following configuration:

user admin {
    full-name Administrator;
    uid 100;
    class super-user;
    authentication {
        encrypted-password "*****************************"; ## SECRET-DATA
    }
}

Since the idle-timeout value is set per user class and we can’t modify the default super-user class, we had to create a new class called super-user-local. After setting the idle-timeout and permissions we add the user admin to that user class.

set system login class super-user-local idle-timeout 10
set system login class super-user-local permissions all
set system login user admin class super-user-local

If we look at the configuration after those changes we should be able to see the new user class.

class super-user-local {
    idle-timeout 10;
    permissions all;
}
user admin {
    full-name Administrator;
    uid 100;
    class super-user-local;
    authentication {
        encrypted-password "********************************"; ## SECRET-DATA
    }
}

And now let’s test it…

[root@linux ~]# telnet vpn-testlab
Trying 10.101.203.1...
Connected to vpn-testlab (10.1.1.1).
Escape character is '^]'.

vpn-testlab (ttyp0)

login: admin
Password:

--- JUNOS 10.4R9.2 built 2012-02-02 08:09:42 UTC
admin@vpn-testlab> 

Warning: session will be closed in 5 minutes if there is no activity
Warning: session will be closed in 1 minute if there is no activity
Warning: session will be closed in 10 seconds if there is no activity
Idle timeout exceeded: closing session

Connection closed by foreign host.

With that change any CLI sessions that are idle for 10 minutes will be automatically logged out.
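The same gap can be checked across a whole configuration export rather than one login at a time. The following is an added example (not from the original post) in Python: it parses Junos set-format login statements and lists every user whose class has no idle-timeout, or one above a chosen limit. The super-user-local class and admin user come from the post; the noc class and the ops and noc1 users are constructed.

```python
"""Audit Junos set-format login configuration for CLI idle timeouts.

Added example, not from the original post: a user is flagged when the login
class it belongs to carries no idle-timeout (true of the built-in super-user
class, as the post observes) or when the timeout exceeds max_minutes.
"""
import re

CLASS_RE = re.compile(r"set system login class (\S+)(?: (.*))?$")
USER_RE = re.compile(r"set system login user (\S+) class (\S+)$")


def parse_login_config(config_text):
    """Return ({class_name: idle_timeout_minutes or None}, {user: class})."""
    classes, users = {}, {}
    for line in config_text.splitlines():
        line = line.strip()
        m = CLASS_RE.match(line)
        if m:
            name, rest = m.group(1), m.group(2) or ""
            classes.setdefault(name, None)  # seen, but no timeout yet
            t = re.match(r"idle-timeout (\d+)", rest)
            if t:
                classes[name] = int(t.group(1))
            continue
        m = USER_RE.match(line)
        if m:
            users[m.group(1)] = m.group(2)
    return classes, users


def find_users_without_timeout(config_text, max_minutes=10):
    """List (user, class, reason) for users not covered by an acceptable timeout."""
    classes, users = parse_login_config(config_text)
    findings = []
    for user, cls in sorted(users.items()):
        timeout = classes.get(cls)  # None for built-in classes such as super-user
        if timeout is None:
            findings.append((user, cls, "no idle-timeout"))
        elif timeout > max_minutes:
            findings.append((user, cls, f"idle-timeout {timeout} > {max_minutes}"))
    return findings


# Constructed sample: 'admin' as in the post, a hypothetical 'ops' user still on
# the built-in super-user class, and a hypothetical 'noc' class with a long timeout.
SAMPLE_CONFIG = """\
set system login class super-user-local idle-timeout 10
set system login class super-user-local permissions all
set system login class noc idle-timeout 60
set system login user admin class super-user-local
set system login user ops class super-user
set system login user noc1 class noc
"""

if __name__ == "__main__":
    for user, cls, reason in find_users_without_timeout(SAMPLE_CONFIG):
        print(f"{user}: class {cls}: {reason}")
```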

I mentioned creating a few screencasts, so here’s my first “public” attempt. I’ve created a few private screencasts for my employer from time to time but nothing ever public. Have a look below and feel free to leave any feedback; even constructive criticism is welcome. I know that I need to work on my microphone volume and setup. I don’t smoke, but you’d never know that by listening to the video with my heavy breathing. Anyway, if you decide to watch, why not have a go at counting the number of uhms or ahs?

Cheers!

3 comments

  • Michael McNamara November 8, 2012, 9:42 am

    It was mentioned to me that you can enable CLI idle-timeout just for your current session using the following commands from operational mode (not configuration mode).

    admin@juinper-srx210> set cli idle-timeout 10
    Idle timeout set to 10 minutes

    Cheers!

  • Florian February 25, 2014, 5:03 am

    Nice post, thanks!

    I was wondering if ‘set cli idle-timeout x’ could be used in a login script, just to make things a little simpler?! Haven’t tried it yet, though.

    Btw, speaking of timeouts and stuff, I can recommend ‘set system ports console log-out-on-disconnect’

    Cheers!

    • Michael McNamara March 3, 2014, 6:27 pm

      Thanks for the tip… didn’t realize that feature/setting was there myself.

      Cheers!
