Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

Securing console using log-out-on-disconnect

0

0

Article ID: KB18209 KB Last Updated: 04 Mar 2017Version: 3.0
Summary:
A user logged into a device through a console expects the session to be logged out when disconnecting from the console. Although this doesn't happen by default on Junos devices, the console can be secured by using the Junos log-out-on-disconnect feature.
Symptoms:
When disconnecting the console cable from a Juniper router or switch, the user account is not automatically logged out and the console session is still found to be functioning.  After removing the physical cable from EX Switch console port the user session remains logged in.

Example, the user is still logged in after removing the console connection:

  • Log into an EX Switch as a user via SSH and separately to console.
  • Remove physical console connection.
  • Issue the following CLI command:
root# run show system users
7:19AM up 37 mins, 2 users, load averages: 0.31, 0.03, 0.05
USER    TTY    FROM              LOGIN@      IDLE WHAT
root    u0     -                 7:19AM      - cli    ===> Represents console session
root    p0     10.130.38.125     7:19AM      - cli    ===> Represents ssh session

Cause:
 
Solution:
To log a user out after console connection is removed:

Configure the following under 'system' hierarchy and commit to configuration:
system {
    ports {
        console log-out-on-disconnect;
    }
}

Verify the user is logged out:
  • Log into an EX Switch as a user via SSH and separately to console.
  • Remove physical console connection.
  • Issue the following CLI command:
root# run show system users
7:20AM up 38 mins, 2 users, load averages: 0.31, 0.03, 0.05
USER      TTY     FROM               LOGIN@        IDLE WHAT
root      p0      10.130.38.125      7:2
0AM        - cli       ===> Represents ssh session


This confirms that the console user session has been logged out.

Note: The log-out-on-disconnect command will have no effect on MX80 routers due to a hardware limitation.

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search