Todd R. Stroup tstroup at fibernet.net
Sun Oct 26 16:49:25 UTC 1997

Mark, I would also agree that this is something that you don't want to
deploy on your backbone routers. ;) If you look through the script there
was a place for logging as far as web page commands sent to the 
router.  I think when I first looked at the script it was commented 
out for some reason.  Output looks like :

www.goodyear.com - - [Sun Oct 26 00:23:41 EDT 1997] trace www.fibernet.net

The cisco command "ip rcmd remote-host usename ipaddr" I belive is to
limit the rsh commands to one particular host/one particular user.
Depending on your security paranoia level I suppose you could make it a
non routable IP.  Every time I have tried from somewhere else on the
network to rsh into the router that isn't in the config I have gotten
"Permission Denied".  I suppose that is good but how much you can trust it 
has yet to be determined. 

We have one setup here in the lab on a 4700 which is trying to take a 
full BGP table on 32 Meg of RAM.  You don't get all the enviro stats but 
when it sits four floors down who cares, its just a play toy anyway.  :)


BTW : Back at ya Mr. Rishaw.

On Sat, 25 Oct 1997, Mark Tripod wrote:

> That is not true. You don't need to have a local user configured on the
> router in order to use rsh or rcp. It is only needed if you aren't doing
> some type of remote authentication like tacacs. I would however suggest
> that you avoid rsh family commands on your routers. If you do feel that it
> is essential to use them make sure to use tacacs and aaa acounting to log
> all command transactions. To not do so is to ask for trouble.
> Mark Tripod
> Exodus Communications
>  ----
> From: Jamie Rishaw <jamie at intuition.iagnet.net>
> To: Todd R. Stroup <tstroup at fibernet.net>
> Cc: cosmo at olywa.net; alex at nac.net; nanog at merit.edu
> Date: Saturday, October 25, 1997 10:21 AM
> Subject: Re: OK.
> You need to make sure that in 'ip rcmd' that you have local-username
> defined to something that there is a 'username xxx' entry on the cisco
> for.
> In other words, if you have (sorry syntax is probably not correct):
> ip rcmd remote-host joebob lookingglass.yourcompany.com daemon enable
> you have to have a
> 'username joebob' entry on the cisco as well.
> local-username means "apply the permissions of local-username when this
> rsh
> matches"
> and remote-username is the userid of whatever your cgi-bin runs as.. if
> your
> web server is setuid "daemon" and cgi-bins are daemon, it will only work
> if you have 'daemon' as a remote-username in the ip rcmd command.
> HTH,
> -jamie
> --
> jamie g.k. rishaw  dal/efnet:gavroche  __    IAGnet/CICNet/netILLINOIS
> Netops
> DID:216.902.5455 FAX:216.623.3566      \/            800.637.4IAGx5455
> "It's like im being tied to the hood of a yellow rental truck being packed
> in
> with fertilizer and fuel oil.. pushed over a cliff by a suicidal mickey
> mouse." 

More information about the NANOG mailing list