Cisco Cisco Packet Data Gateway (PDG)
System Security
Hidden Commands ▀
ASR 5500 System Administration Guide, StarOS Release 17 ▄
101
Hidden Commands
Users with Security Administrator privilege can enable the display of previously hidden commands. The CLI test-
commands mode displays new command keywords for existing commands, as well as new commands.
commands mode displays new command keywords for existing commands, as well as new commands.
Caution:
CLI test-commands are intended for diagnostic use only. Access to these commands is not required
during normal system operation. These commands are intended for use by Cisco TAC personnel only. Some of these
commands can slow system performance, drop subscribers, and/or render the system inoperable.
commands can slow system performance, drop subscribers, and/or render the system inoperable.
Enabling cli test-commands Mode
To display hidden commands, the user must log into the CLI as a Security Administrator and go to the Global
Configuration mode.
Configuration mode.
Enter cli hidden to enable the use of hidden commands.
This command sequence is shown below.
[local]asr5500# config
[local]asr5500(config)# cli hidden
[local]asr5500(config)#
[local]asr5500(config)# cli hidden
[local]asr5500(config)#
Important:
Low-level diagnostic and test commands/keywords will now be visible to a user with Administrator
or higher privilege. There is no visual indication on the CLI that the test-commands mode has been enabled.
Enabling Password for Access to CLI-test commands
A Security Administrator can set a plain-text or encrypted password for access to CLI test commands. The password
value is stored in /flash along with the boot configuration information. The show configuration and save configuration
commands will never output this value.
value is stored in /flash along with the boot configuration information. The show configuration and save configuration
commands will never output this value.
The Global Configuration mode command tech-support test-commands [encrypted] password password sets an
encrypted or plain-text password for access to CLI test-commands.
encrypted or plain-text password for access to CLI test-commands.
This command sequence is shown below.
[local]asr5500# config
[local]asr5500(config)# tech-support test-commands password password
[local]asr5500(config)#
[local]asr5500(config)# tech-support test-commands password password
[local]asr5500(config)#
When a test-commands password is enabled, the Global Configuration mode command cli test-commands [encrypted]
password password requires the entry of the password keyword. If the encrypted keyword is specified, the password
argument is interpreted as an encrypted string containing the password value. If the encrypted keyword is not specified,
the password argument is interpreted as the actual plain text value
password password requires the entry of the password keyword. If the encrypted keyword is specified, the password
argument is interpreted as an encrypted string containing the password value. If the encrypted keyword is not specified,
the password argument is interpreted as the actual plain text value
Important:
If tech-support test-commands password is never configured, cli-test commands will always fail.
If the password keyword is not entered for cli test-commands, the user is prompted (no-echo) to enter the password.
Also, cli hidden must be enabled by a Security Administrator to access the CLI test-commands.
Also, cli hidden must be enabled by a Security Administrator to access the CLI test-commands.