My customer sees that when a user opens a telnet session to a Juniper router but doesn't type a username or password, the open telnet session stays on hold for hours.
When the telnet connection limit is reached (my customer sets the connection-limit to 10), a new telnet session can't be opened and the login prompt doesn't appear.
Look at the following:
Attempt 1:
user@linux:/export/home/admin> telnet 192.168.0.10
Trying 192.168.0.10...
Connected to 192.168.0.10.
Escape character is '^]'.
router-RE0 (ttyp0)
login:
login:
telnet> z
Suspended
Attempt 10:
user@linux:/export/home/admin> telnet 192.168.0.10
Trying 192.168.0.10...
Connected to 192.168.0.10.
Escape character is '^]'.
router-RE0 (ttyp1)
login:
login:
telnet> z
Suspended
Attempt 11:
user@linux:/export/home/admin> telnet 192.168.0.10
Trying 192.168.0.10...
Connected to 192.168.0.10.
Escape character is '^]'.
Is there a way to reduce the time for these on-hold sessions so my customer can authenticate? Under the login class we have an idle-timeout, but this timeout only applies to authenticated sessions.
--
I believe you could use an event script that cleans up the ttys by looking first at the system processes:
[edit]
user@router# run show system processes | match login
5461 p0 Is+ 0:00.00 login [pam] (login)
7614 p1 Ss+ 0:00.00 login <<<<<<<<<<<< HERE
7299 p2 Is 0:00.01 login [pam] (login)
Compare that with the system users:
user@router# run show system users
3:36PM up 23:04, 2 users, load averages: 0.01, 0.04, 0.00
USER TTY FROM LOGIN@ IDLE WHAT
user p0 172.24.67.238 10:22AM - -cli (cli)
user p2 172.24.67.238 3:17PM 3 vi logout.slax
Then log out the tty (p1) that doesn't have a user:
[edit]
user@router# run request system logout terminal p1
user@router# run show system processes | match login
5461 p0 Is+ 0:00.00 login [pam] (login)
7299 p2 Is 0:00.01 login [pam] (login)
--------------------
Here's a working script that will boot off only those logins with no matching user:
user@router# run show system processes | match login
9256 p0 Is 0:00.01 login [pam] (login)
9201 p1 Is+ 0:00.01 login [pam] (login)
12474 p2 Is+ 0:00.00 login <<<<<< here
12689 p4 Ss+ 0:00.00 login <<<<<< here
[edit]
user@router# run show system users
3:27PM up 1 day, 22:55, 2 users, load averages: 0.02, 0.10, 0.07
USER TTY FROM LOGIN@ IDLE WHAT
user p0 172.24.67.238 10:30AM 4 vi logout.slax
user p1 172.24.67.238 10:30AM - -cli (cli)
[edit]
user@router# run op logout
tty p2 no matching user logging them off
tty p4 no matching user logging them off
[edit]
user@router# run show system users
3:28PM up 1 day, 22:55, 2 users, load averages: 0.26, 0.15, 0.09
USER TTY FROM LOGIN@ IDLE WHAT
user p0 172.24.67.238 10:30AM 4 vi logout.slax
user p1 172.24.67.238 10:30AM - -cli (cli)
[edit]
user@router# run show system processes | match login
9256 p0 Is 0:00.01 login [pam] (login)
9201 p1 Is+ 0:00.01 login [pam] (login)
I ran this as an op script. You can test this as well. Put the file in the /var/db/scripts/op directory,
then configure the router to point to it:
user@router# show system
scripts {
    op {
        file logout.slax;
    }
}
If this works out, then you can put this in the event-options configuration.
Save the script below as logout.slax:
-----------------------------------------------------
version 1.0;
ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
import "../import/junos.xsl";

match / {
    <op-script-results> {
        <output method = "text"> {
            /* one snapshot of the authenticated sessions; every tty listed here has a user */
            var $users = <command> "show system users";
            var $user = jcs:invoke($users);
            var $showpid = <command> "show system process";
            var $result = jcs:invoke($showpid);
            /* break up all the lines */
            var $line = jcs:break-lines($result);
            for-each ($line) {
                var $test = current();
                /* find all processes with name login */
                if (contains($test, "login")) {
                    /* the tty column, e.g. p0; allow more than one digit so p10 is not read as p1 */
                    var $tty = jcs:regex("p[0-9]+", $test);
                    /* a login process whose tty is not in the user list is still unauthenticated.
                       contains() is a substring test, so "p1" is also found inside "p10": that
                       errs on the side of leaving a session alone, never of logging a user off */
                    if (not(contains($user, $tty))) {
                        expr "tty " _ $tty _ " no matching user logging them off \n";
                        var $rpc = <command> "request system logout terminal " _ $tty;
                        var $response = jcs:invoke($rpc);
                    }
                }
            }
        }
    }
}
-------------------------------------
user@router# show event-options
policy TIME-OUT {
    events SYSTEM;
    attributes-match {
        SYSTEM.message matches ".*Number of telnet connections at max limit.*";
    }
    then {
        event-script logout.slax;
    }
}
[edit]
user@router# show system
services {
    telnet {
        connection-limit 10;
    }
}
Jul 22 17:20:39 router inetd[1053]: Number of telnet connections at max limit (10)
Jul 22 17:20:39 router login: LOGIN_INFORMATION: User user logged in from host 172.24.67.238 on device ttyp0
Jul 22 17:20:39 router root: invoke-commands: Executed /tmp/evt_cmd_kQxqou, output to /tmp/evt_op_WP7zmx in text format
Jul 22 17:20:39 router root: transfer-file: Transferred /tmp/evt_op_WP7zmx
Jul 22 17:20:42 router xntpd[1079]: bind() fd 9, family 2, port 123, addr 128.0.0.1, in_classd=0 flags=0 fails: Can't assign requested address
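The matching step used by both answers above (a `login` process whose tty is absent from `show system users` is an unauthenticated session), as an added example in Python rather than the thread's SLAX script. The two command outputs are constructed samples in the same layout as the thread's, and the tty comparison is done on whole tokens so that p1 is not mistaken for p10 the way a substring test would.

```python
"""Find telnet ttys holding a login prompt with no authenticated user behind them."""
import re

# Constructed sample of 'show system processes | match login' (not from the thread).
PROCESSES = """\
9256  p0  Is   0:00.01 login [pam] (login)
12474 p1  Is+  0:00.00 login
12689 p2  Ss+  0:00.00 login
13002 p10 Is+  0:00.01 login [pam] (login)
"""

# Constructed sample of 'show system users' (not from the thread).
USERS = """\
3:27PM  up 1 day, 22:55, 2 users, load averages: 0.02, 0.10, 0.07
USER     TTY      FROM              LOGIN@  IDLE WHAT
user     p0       172.24.67.238     10:30AM     4 vi logout.slax
admin    p10      172.24.67.240     3:20PM      - -cli (cli)
"""

# pid, tty, state, cpu time, then the command name "login".
PROC_RE = re.compile(r"^\s*\d+\s+(p\d+)\s+\S+\s+\S+\s+login\b")
TTY_RE = re.compile(r"p\d+")


def login_ttys(processes: str) -> list[str]:
    """Return the tty of every 'login' process, in order of appearance."""
    return [m.group(1) for line in processes.splitlines()
            if (m := PROC_RE.match(line))]


def authenticated_ttys(users: str) -> set[str]:
    """Return the TTY column of 'show system users' as exact tokens."""
    ttys = set()
    for line in users.splitlines():
        fields = line.split()
        # skip the uptime line and the column header; keep only pN tokens
        if len(fields) >= 2 and TTY_RE.fullmatch(fields[1]):
            ttys.add(fields[1])
    return ttys


def orphan_ttys(processes: str, users: str) -> list[str]:
    """ttys that would be passed to 'request system logout terminal <tty>'."""
    auth = authenticated_ttys(users)
    return [tty for tty in login_ttys(processes) if tty not in auth]


if __name__ == "__main__":
    for tty in orphan_ttys(PROCESSES, USERS):
        print(f"tty {tty} no matching user, logging them off")
```

Note that a plain substring check (`"p1" in USERS`) would report p1 as present because of the p10 entry and leave that prompt in place; the token comparison does not.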