6.6.5 Ensure all Custom Login Classes Forbid Shell Access

Information

All login classes should deny Shell access.

Rationale:

JUNOS runs on top of a heavily modified BSD Unix-based operating system, and users with certain permission sets are able to start a Shell to interact with this underlying system directly. Once within a Unix Shell, a user may execute scripts or applications and perform changes outside of the normal Authentication, Authorization and Accounting (AAA) mechanisms that protect the router when a user runs commands in JUNOS.

Access to the underlying Unix Shell is not required in normal operation for almost all deployments and the default position should be for this to be denied.

In the rare instances where it is required, access to the Shell should be restricted to a very small number of users, ideally granted only on a case-by-case basis and removed when the task requiring access is complete.

To ensure all interaction with the router will need to be performed through JUNOS, all Custom Login Classes should have access to the shell explicitly denied.

Solution

Deny Shell access for a class using the following command under the [edit system login] hierarchy:

[edit system login]
user@host# set class <class name> deny-commands 'start shell'

You may also wish to deny other commands or groups of commands by using a list or Regular Expression as the deny-commands value; whichever form you use, ensure that 'start shell' is still matched.
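The following audit script is an added example, not part of the CIS benchmark or any Juniper tool. It reads the output of "show configuration system login | display set" (assumed to have been captured to a file beforehand) and reports every login class whose deny-commands value does not match 'start shell'; the sample configuration is constructed, and the script assumes a Python re.search is at least as permissive as the Junos regex matcher, so a PASS here is a necessary but not sufficient check.

```python
import re
from collections import defaultdict

# Constructed sample of "show configuration system login | display set" output.
SAMPLE_CONFIG = """\
set system login class netops deny-commands "start shell"
set system login class helpdesk deny-commands "(request system|start shell)"
set system login class automation allow-commands "start shell"
set system login class automation deny-commands "start shell"
set system login class readonly permissions view
set system login user alice class netops
"""

CLASS_RE = re.compile(r'^set system login class (?P<name>\S+)(?: (?P<rest>.*))?$')
FILTER_RE = re.compile(r'^(?P<key>allow-commands|deny-commands) (?P<val>.+)$')

def split_values(raw):
    """One quoted regex, or a bracketed list of quoted regexes."""
    raw = raw.strip()
    if raw.startswith("[") and raw.endswith("]"):
        return re.findall(r'"([^"]*)"', raw)
    return [raw.strip('"\'')]

def parse_classes(config_text):
    """Map each login class to its allow-commands / deny-commands regexes."""
    classes = defaultdict(lambda: {"allow": [], "deny": []})
    for line in config_text.splitlines():
        m = CLASS_RE.match(line.strip())
        if not m:
            continue  # user, authentication-order, etc. lines are not classes
        entry = classes[m.group("name")]  # register even a class with no filters
        f = FILTER_RE.match(m.group("rest") or "")
        if f:
            entry["allow" if f.group("key") == "allow-commands" else "deny"] += split_values(f.group("val"))
    return dict(classes)

def matches_shell(patterns):
    """True if any pattern matches the command 'start shell' (assumption: re.search semantics)."""
    return any(re.search(p, "start shell") for p in patterns)

def audit(config_text):
    """FAIL: shell not denied. REVIEW: denied but also matched by allow-commands. PASS otherwise."""
    results = {}
    for name, rules in parse_classes(config_text).items():
        denied, allowed = matches_shell(rules["deny"]), matches_shell(rules["allow"])
        results[name] = "FAIL" if not denied else ("REVIEW" if allowed else "PASS")
    return results
```

A class reported as REVIEW has both an allow-commands and a deny-commands pattern matching 'start shell'; confirm on the device which one JUNOS applies rather than assuming the deny wins.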

Default Value:

Shell access is not restricted by default.

See Also

https://workbench.cisecurity.org/files/3069