Alex Rubenstein alex at nac.net
Sun Nov 2 04:40:56 UTC 1997

>   It's my opinion first and foremost that you are not a moron.


>   Moreover, and keeping with the operational charter of the newsgroup, I 
>   would not recommend that folks enable r* commands on their cisco
>   routers.

I have been thinking about this; and, I can't figure out why. If you can
in the cisco specifically tell it which machines to listen to for rsh
connections, and specifically tell it not to allow any enable commands,
how can it be bad?

>   When automated access is required, automating access with stored
>   passwords can be done quite handily.

I have a couple problems with this; one, the password is stored on disk,
somewhere. Two; what if the password is changed? Or different on each box?
That is a royal pain in the ass. Three; It seems that rsh/rcmd connections
are *way* faster than a telnet/login/whatever/exit routine -- at least in
my experience. 

>   While one must focus on protecting the sanctity of the stored
>   passwords, one doesn't have to focus on the security of forged r*
>   logins.  Protecting something within a host, rather than a network
>   segment, is probably simpler in this case than the converse.

I look forward to more comments.

More information about the NANOG mailing list