Creating a Privilege Class that Hides Encrypted Passwords

Problem

You need to have all permissions on the router but you don't want to have all of the encrypted passwords displayed.

Solution

Create a new class that explicitly includes all the permission bits except for control and secret:

[edit system login] aviva@router1# set class power-user permissions [ admin admin-control clear configure field floppy interface interface-control network reset routing routing-control shell snmp snmp-control system system-control trace trace-control view maintenance firewall firewall-control secret-control rollback security security-control access access-control view-configuration ]

Discussion

Many network operators like to trim shared secrets and other encrypted data out of their configurations before sharing the configurations with others. The JUNOS software uses the secret permission bit to control viewing access to the passwords and the secret-control permission bit to control setting them. This recipe still allows shared secrets and passwords to be set on the router, but the values are not shown, copied, or saved (using the configuration mode save command) by the user during normal operations.

Password and secret settings are, of course, still preserved with the commit operation, however, and the full configuration with secret data included is still accessible to the user by virtue of the maintenance permissions.