OK.
Todd R. Stroup
tstroup at fibernet.net
Sun Oct 26 16:49:25 UTC 1997
Mark, I would also agree that this is something that you don't want to
deploy on your backbone routers. ;) If you look through the script there
was a place for logging as far as web page commands sent to the
router. I think when I first looked at the script it was commented
out for some reason. Output looks like :
www.goodyear.com 134.200.12.60 - - [Sun Oct 26 00:23:41 EDT 1997] trace www.fibernet.net
The cisco command "ip rcmd remote-host usename ipaddr" I belive is to
limit the rsh commands to one particular host/one particular user.
Depending on your security paranoia level I suppose you could make it a
non routable IP. Every time I have tried from somewhere else on the
network to rsh into the router that isn't in the config I have gotten
"Permission Denied". I suppose that is good but how much you can trust it
has yet to be determined.
We have one setup here in the lab on a 4700 which is trying to take a
full BGP table on 32 Meg of RAM. You don't get all the enviro stats but
when it sits four floors down who cares, its just a play toy anyway. :)
T..S
BTW : Back at ya Mr. Rishaw.
On Sat, 25 Oct 1997, Mark Tripod wrote:
> That is not true. You don't need to have a local user configured on the
> router in order to use rsh or rcp. It is only needed if you aren't doing
> some type of remote authentication like tacacs. I would however suggest
> that you avoid rsh family commands on your routers. If you do feel that it
> is essential to use them make sure to use tacacs and aaa acounting to log
> all command transactions. To not do so is to ask for trouble.
>
> Mark Tripod
> Exodus Communications
> ----
> From: Jamie Rishaw <jamie at intuition.iagnet.net>
> To: Todd R. Stroup <tstroup at fibernet.net>
> Cc: cosmo at olywa.net; alex at nac.net; nanog at merit.edu
> Date: Saturday, October 25, 1997 10:21 AM
> Subject: Re: OK.
>
> You need to make sure that in 'ip rcmd' that you have local-username
> defined to something that there is a 'username xxx' entry on the cisco
> for.
>
> In other words, if you have (sorry syntax is probably not correct):
>
> ip rcmd remote-host joebob lookingglass.yourcompany.com daemon enable
>
> you have to have a
>
> 'username joebob' entry on the cisco as well.
>
> local-username means "apply the permissions of local-username when this
> rsh
> matches"
>
> and remote-username is the userid of whatever your cgi-bin runs as.. if
> your
> web server is setuid "daemon" and cgi-bins are daemon, it will only work
> if you have 'daemon' as a remote-username in the ip rcmd command.
>
> HTH,
>
> -jamie
> --
> jamie g.k. rishaw dal/efnet:gavroche __ IAGnet/CICNet/netILLINOIS
> Netops
> DID:216.902.5455 FAX:216.623.3566 \/ 800.637.4IAGx5455
> "It's like im being tied to the hood of a yellow rental truck being packed
> in
> with fertilizer and fuel oil.. pushed over a cliff by a suicidal mickey
> mouse."
>
More information about the NANOG
mailing list