Ah, ok, so then we would only see anything in the diff if whoever made the change saved the change. Less useful. I think I may just opt for not using the diff tool.
Original Message:
Sent: Mar 01, 2023 02:40 PM
From: GorazdKikelj
Subject: 1950 JG962A SSL "read only" user with access to everything
:-)
Unfortunately the 1950 will not save any of the changes until you click on the floppy icon. So be careful when you are doing the changes. If you don't save them explicitly, they will go away after reboot. Many of us fall into this trap.
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Expert 2023
Original Message:
Sent: Mar 01, 2023 02:26 PM
From: ktimm@labconnect.com
Subject: 1950 JG962A SSL "read only" user with access to everything
If I were the script writer, I might consider that idea. Though I'm not sure if the 1950s are like the Arubas, which sort of auto-save everything you click in the web interface. However, I'm beholden to the monitoring solution's script, which is just trying to basically do a show run so it can copy the output. Oh well. Thanks again for what assistance you could provide.
Original Message:
Sent: Mar 01, 2023 02:17 PM
From: GorazdKikelj
Subject: 1950 JG962A SSL "read only" user with access to everything
This is what the product description says. Limited CLI :-(
You can try an ftp get to fetch the startup.cfg file where the configuration is stored. Unfortunately this is not the running but the saved configuration.
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Expert 2023
Original Message:
Sent: Mar 01, 2023 01:42 PM
From: ktimm@labconnect.com
Subject: 1950 JG962A SSL "read only" user with access to everything
No worries, I appreciate the help you've tried to give. The web interface is decent enough on the 1950s but the CLI is severely lacking. I find it ridiculous that it's this difficult just to get a simple running config out of the system. It seems that I have no choice but to give the user Admin access and pray that the script doesn't go sideways and wipe out the config, or not use the config diff tool in my monitoring system.
Original Message:
Sent: Mar 01, 2023 01:19 PM
From: GorazdKikelj
Subject: 1950 JG962A SSL "read only" user with access to everything
Sorry to read this. The 1950 is an end-of-sale product. It's also the OfficeConnect line and as per product design it is locked. xtd-cli-mode is meant to be used by HPE support and not mere mortals anyhow.
Maybe you can find some useful ideas on GitHub for Comware.
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Expert 2023
Original Message:
Sent: Mar 01, 2023 12:43 PM
From: ktimm@labconnect.com
Subject: 1950 JG962A SSL "read only" user with access to everything
Yes, and I've already played with the user-role, but the user is unable to access the xtd-cli-mode.
[HP-BuildRoom-24]show role name lmssh
Role: lmssh
Description:
VLAN policy: permit (default)
Interface policy: permit (default)
VPN instance policy: permit (default)
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit command *
2 permit RWX web-menu -
3 permit RWX xml-element -
4 permit RW- oid 1
5 permit command system-view
6 deny command reboot
R:Read W:Write X:Execute
[HP-BuildRoom-24]
This is way more rights than I wanted the user to have to begin with, but I was trying to get him the xtd-cli-mode. That's also what the "deny reboot" statement is for: trying to limit his access, because the only way I've found to get him xtd-cli-mode is when he's admin, and then there are way too many rights.
Original Message:
Sent: Mar 01, 2023 12:05 PM
From: GorazdKikelj
Subject: 1950 JG962A SSL "read only" user with access to everything
But you see a user-role. This is Comware 7, so no levels any more but user roles.
Look 7 posts above.
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Expert 2023
Original Message:
Sent: Mar 01, 2023 09:29 AM
From: ktimm@labconnect.com
Subject: 1950 JG962A SSL "read only" user with access to everything
Thanks again! I'm not seeing a "level" that I can set.
[HP-BuildRoom-24-line-vty0-4]?
Line view commands:
activation-key Specify a character to begin a terminal session
authentication-mode Login authentication mode
auto-execute Automatic execution configuration
cfd Connectivity Fault Detection (CFD) module
command Command authorization and accounting
databits Set the databits of line
diagnostic-logfile Diagnostic log file configuration
display Display current system information
end Alias for 'return'
escape-key Escape key sequence configuration
exit Alias for 'quit'
flow-control Set a flow control mode
history-command History command buffer configuration
idle-timeout User connection idle timeout
ip Specify IP configuration
lock Lock the current line
lock-key Specify a shortcut key for locking the current line
logfile Log file configuration
monitor System monitor
mtrace Configure the multicast traceroute
no Alias for 'undo'
parity Set the parity check method
ping Ping function
protocol Set the protocols to be supported by the line
quit Exit from current command view
repeat Repeat executing history commands
reset Reset operation
return Exit to User View
save Save current configuration
screen-length Specify the number of lines to be displayed on a screen
security-logfile Security log file configuration
set Specify line parameters
shell Enable terminal user service
show Alias for 'display'
smartmc SmartMC module
speed Line transmission speed
stopbits Specify the stop bit of line
terminal Specify terminal attribute
tracert Tracert function
undo Cancel current setting
user-role Specify user role configuration information
write Alias for 'save'
[HP-BuildRoom-24-line-vty0-4]
Original Message:
Sent: Mar 01, 2023 08:45 AM
From: GorazdKikelj
Subject: 1950 JG962A SSL "read only" user with access to everything
Unfortunately I don't have any 1950 available for testing, only enterprise Comware switches. Try with level-2 or level-1 access.
Try to define a local user in xtd-cli-mode with
local-user <user>
level 2
service-type ssh
service-type ftp <--- if needed
password simple <password>
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Expert 2023
Original Message:
Sent: Mar 01, 2023 08:14 AM
From: ktimm@labconnect.com
Subject: 1950 JG962A SSL "read only" user with access to everything
Ok, that's good to know. However, how do I get a user access to the xtd-cli-mode without giving them admin? Remember, the goal is to give this user as little rights as possible, as it's a script that I don't control which will be grabbing the config. The less access the SSH user has, the less damage the script can do if it does something stupid.
Thanks
Original Message:
Sent: Mar 01, 2023 08:08 AM
From: GorazdKikelj
Subject: 1950 JG962A SSL "read only" user with access to everything
Yes, this is per design. This is an OfficeConnect stripped-down interface switch. You are not supposed to use Comware underneath.
You need to be in xtd-cli-mode to issue those commands.
Try configuring the line vty to have default level 2 via SSH.
The next thing you can try is whether you can download the config.cfg file via ssh, ftp or sftp, but you need to enable the ftp server.
ftp server enable
sftp server enable
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Expert 2023
Original Message:
Sent: Mar 01, 2023 07:59 AM
From: ktimm@labconnect.com
Subject: 1950 JG962A SSL "read only" user with access to everything
Does not seem to work.
I've created the user role, I've given the role permit access to all commands. However, the user logs in, does a ? and only has access to
<HP-BuildRoom-24>?
User view commands:
display Display current system information
exit Alias for 'quit'
ipsetup IP configuration
no Alias for 'undo'
ping Ping function
poe Power over Ethernet
quit Exit from current command view
show Alias for 'display'
telnet Establish a telnet connection
undo Cancel current setting
Notice, no "super" command to run. Even as an Admin on this system, the only way to get to system-view mode I've found is through the xtd-cli-mode command.
Original Message:
Sent: Mar 01, 2023 04:25 AM
From: GorazdKikelj
Subject: 1950 JG962A SSL "read only" user with access to everything
You will need to try the command
super <level>
to move to a different user privilege level.
Or you can define the vty line to have a default user level of 1 instead of 0, like:
user-interface vty 0 4
authentication-mode schema
user privilege level 1
protocol inbound ssh
The syntax can vary a little bit as I'm currently looking at Comware 3 and 5 devices. On Comware 7 it is
line vty 0 4
user-role <user role>
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Expert 2023
Original Message:
Sent: Feb 28, 2023 08:01 AM
From: ktimm@labconnect.com
Subject: 1950 JG962A SSL "read only" user with access to everything
My problem isn't with the script (yet). It's trying to get the CLI to allow the SSH user the correct access. Thanks though!
Original Message:
Sent: Feb 28, 2023 02:52 AM
From: IanNightingale
Subject: 1950 JG962A SSL "read only" user with access to everything
Hi, while I can't directly solve this one (and I don't think there is a direct solution), I have faced similar challenges with CLIs that you need to write a Python script for but where a command doesn't return to the prompt, for example where a command requires a Y/N response.
When this is the case, in scripting you have to find a way to be able to transmit the commands but not expect a response. The fire-and-forget method means that you can send the command, the response to the question etc. and get the output required.
If in your case your script allows for that, it would be worth investigating that way forward. You may also be able to concatenate commands with the \n character depending on what the scripting engine is. For example "conf t \n show run" is a single command from Python's point of view but the \n creates a carriage return so that both commands are sent.
Original Message:
Sent: Feb 24, 2023 03:19 PM
From: ktimm@labconnect.com
Subject: 1950 JG962A SSL "read only" user with access to everything
Hopefully I'm in the right place for this question.
I'm the new net admin at a company with a bunch of HP 1950s. We are implementing an SNMP monitoring system. I've got the v3 SNMP all set up and it's working great. One of the other things that the monitoring solution can do is a config diff, where you can be alerted to changes in configs. However, the only way to make this happen is if I give the monitoring solution SSH access to the switch. Not a huge problem creating an SSH-only user on the switch, but then everything falls apart. I can't figure out how to limit the SSH access to read only. It seems the SSH user either has full access or no access. In the end what the SSH user needs to be able to do (and this will be done via script) is run the following
xtd-cli-mode
screen-length disable
display current-configuration
quit
I'm at a loss to try and figure out how to do this. My Google-fu has failed me and the documentation for the 1950s isn't great. The manual tells you that it's possible to set up custom access levels but sort of neglects to tell you how to do it.
I did find this link, which has helped
https://community.arubanetworks.com/community-home/librarydocuments/viewdocument?DocumentKey=4c3563ba-3b23-4e1f-9f69-a7243dbee5e1&CommunityKey=b977468f-cc90-4193-ae2f-888a17ae4b56&tab=librarydocuments
As well as this
http://www.h3c.com/en/Support/Resource_Center/HK/Switches/H3C_S10500/H3C_S10500/Technical_Documents/Configure/Configuration_Guide/H3C_S10500_CG-Release7178-6W100/01/201808/1102936_294551_0.htm
However, on these 1950's you can't even get into system-view without getting into xtd-cli-mode first and I can't seem to programmatically allow access to the xtd-cli-mode.
Honestly all I need this user role to be able to do is set "screen-length disable" (so that there are no page breaks when the script runs the next command) and "display current-configuration". I've created the user role, I've given the role permit access to all commands. However, the user logs in, does a ? and only has access to
<HP-BuildRoom-24>?
User view commands:
display Display current system information
exit Alias for 'quit'
ipsetup IP configuration
no Alias for 'undo'
ping Ping function
poe Power over Ethernet
quit Exit from current command view
show Alias for 'display'
telnet Establish a telnet connection
undo Cancel current setting
<HP-BuildRoom-24>display ?
poe PoE information
No access to be able to see what they need to. Any help would be appreciated.
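The capture-and-diff side of the original post, written out as an added example that is not part of the thread, of HPE's tooling or of any monitoring product. It sends the four commands from the post in one write (the "\n" fire-and-forget approach IanNightingale suggests), answers Comware's "---- More ----" paging in case the role is refused "screen-length disable", cuts the configuration out of the echoed session, and diffs two snapshots so only real changes raise an alert. FakeChannel, the sample transcript, the terminal erase sequence and the IGNORE_PREFIXES list are constructed for this example; against a real switch you would pass a paramiko Channel from invoke_shell() in its place.

```python
"""Pull a Comware running configuration over an interactive SSH shell and diff
it against the previous snapshot.

Added example for this thread; it is not code from the original posts, from
HPE, or from any monitoring product.  It assumes a paramiko-style channel
object exposing send()/recv() (paramiko is not imported; FakeChannel below is
a constructed stand-in that replays canned output so the module runs offline).
"""
import difflib
import re

# The four commands from the original post, joined with "\n" and written in a
# single send(): fire-and-forget, no per-command wait on the prompt.
COMMANDS = ["xtd-cli-mode", "screen-length disable",
            "display current-configuration", "quit"]
COMMAND_BATCH = "\n".join(COMMANDS) + "\n"

# <sysname> is user view, [sysname] is system view; the echoed command may
# follow the prompt on the same line.
PROMPT_RE = re.compile(r"^[<\[][\w.-]+[>\]]")
# Comware paging marker.  The erase sequence the device sends after a keypress
# (cursor-left, spaces, cursor-left) is assumed here, not taken from the thread.
MORE_RE = re.compile(r"\s*-+ ?More ?-+\s*")
ERASE_RE = re.compile(r"\x1b\[\d*D *\x1b\[\d*D")
ANSI_RE = re.compile(r"\x1b\[\d*[A-Za-z]")
# Config lines to ignore when diffing (placeholder; assumed, not from the page).
IGNORE_PREFIXES = (" Last configuration was",)


class FakeChannel:
    """Constructed stand-in for paramiko.Channel: replays canned chunks."""

    def __init__(self, chunks):
        self._chunks = list(chunks)
        self.sent = []

    def send(self, data):
        self.sent.append(data)

    def recv(self, _nbytes):
        return self._chunks.pop(0).encode() if self._chunks else b""


def read_output(chan, last_command, max_reads=10000):
    """Read until the echo of last_command is followed by a bare prompt, or the
    channel closes.  A '---- More ----' marker means the role could not run
    'screen-length disable'; answer it with a space so paging continues."""
    buf, seen_last = "", False
    for _ in range(max_reads):
        data = chan.recv(4096).decode("utf-8", errors="replace")
        if not data:
            break
        buf += data
        if MORE_RE.search(buf):
            buf = MORE_RE.sub("\n", buf)
            chan.send(" ")
            continue
        tail = buf.rstrip().rsplit("\n", 1)[-1]
        if PROMPT_RE.match(tail) and tail.endswith(last_command):
            seen_last = True
        elif seen_last and PROMPT_RE.fullmatch(tail):
            break
    return buf


def fetch_output(chan):
    """Send the whole batch at once and collect the session transcript."""
    chan.send(COMMAND_BATCH)
    return read_output(chan, COMMANDS[-1])


def extract_config(transcript):
    """Cut the configuration out of the transcript: everything between the
    echo of 'display current-configuration' and the next prompt line."""
    text = ANSI_RE.sub("", ERASE_RE.sub("", transcript)).replace("\r", "")
    config, inside = [], False
    for line in text.split("\n"):
        if PROMPT_RE.match(line):
            if inside:
                break
            inside = line.endswith(COMMANDS[2])
        elif inside and line.strip():
            config.append(line.rstrip())
    # Comware configurations start with a '#' separator; anything else is an
    # error message, typically the role being refused the command.
    if not config or config[0] != "#":
        raise RuntimeError("no configuration returned: " + " ".join(config))
    return config


def config_diff(old, new):
    """Unified diff of two snapshots; an empty list means nothing to alert on."""
    def keep(lines):
        return [l for l in lines if not l.startswith(IGNORE_PREFIXES)]
    return list(difflib.unified_diff(keep(old), keep(new),
                                     fromfile="previous", tofile="current",
                                     lineterm="", n=1))


# Constructed transcript: the second command is refused, so the switch pages.
SAMPLE_CHUNKS = [
    "<HP-BuildRoom-24>xtd-cli-mode\n"
    "<HP-BuildRoom-24>screen-length disable\nPermission denied.\n"
    "<HP-BuildRoom-24>display current-configuration\n"
    "#\n sysname HP-BuildRoom-24\n#\n",
    "vlan 1\n#\n  ---- More ----",
    "\x1b[16D                \x1b[16D"
    "interface GigabitEthernet1/0/1\n port link-type access\n#\nreturn\n"
    "<HP-BuildRoom-24>quit\n",
    "<HP-BuildRoom-24>",
]

if __name__ == "__main__":
    chan = FakeChannel(SAMPLE_CHUNKS)
    current = extract_config(fetch_output(chan))
    previous = [l.replace("access", "trunk") for l in current]
    print("\n".join(config_diff(previous, current)))
```

The prompt detection deliberately waits for the echo of the last command followed by a bare prompt rather than for a fixed number of prompts, so an extra confirmation question or a refused command does not hang the reader; extract_config then refuses to treat an error line as a configuration, which is the failure the thread describes when the user lacks xtd-cli-mode.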