nanog mailing list archives

Re: OK.


From: "Todd R. Stroup" <tstroup () fibernet net>
Date: Sun, 26 Oct 1997 11:49:25 -0500 (EST)


Mark, I would also agree that this is something that you don't want to
deploy on your backbone routers. ;) If you look through the script there
was a place for logging as far as web page commands sent to the
router.  I think when I first looked at the script it was commented
out for some reason.  Output looks like:

www.goodyear.com 134.200.12.60 - - [Sun Oct 26 00:23:41 EDT 1997] trace www.fibernet.net

The cisco command "ip rcmd remote-host username ipaddr" I believe is to
limit the rsh commands to one particular host/one particular user.
Depending on your security paranoia level I suppose you could make it a
non-routable IP.  Every time I have tried from somewhere else on the
network to rsh into the router that isn't in the config I have gotten
"Permission Denied".  I suppose that is good but how much you can trust it
has yet to be determined.

We have one setup here in the lab on a 4700 which is trying to take a
full BGP table on 32 Meg of RAM.  You don't get all the enviro stats but
when it sits four floors down who cares, it's just a play toy anyway.  :)

T..S

BTW: Back at ya, Mr. Rishaw.
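The log format quoted above lends itself to a quick audit of what the looking-glass CGI actually sent to the router. The following is an added example, not code from the thread or from the script being discussed; it assumes a read-only command allowlist (an assumed policy) and uses constructed sample lines alongside the one quoted in the message:

```python
import re

# Constructed sample input: the first line is the one quoted in the message;
# the rest are made-up records in the same format (client hostname, client IP,
# '- -', bracketed timestamp, then the command the CGI sent to the router).
SAMPLE_LOG = """\
www.goodyear.com 134.200.12.60 - - [Sun Oct 26 00:23:41 EDT 1997] trace www.fibernet.net
host.example.net 192.0.2.7 - - [Sun Oct 26 00:25:02 EDT 1997] ping 192.0.2.1
host.example.net 192.0.2.7 - - [Sun Oct 26 00:25:40 EDT 1997] show running-config
garbage line that does not match the format
host.example.net 192.0.2.7 - - [Sun Oct 26 00:26:11 EDT 1997] show ip bgp 192.0.2.0
"""

LINE_RE = re.compile(
    r"^(?P<host>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+-\s+-\s+"
    r"\[(?P<when>[^\]]+)\]\s+(?P<cmdline>.+?)\s*$"
)

# Read-only commands a looking glass is expected to issue (assumed policy).
ALLOWED_PREFIXES = ("trace", "ping", "show ip bgp", "show ip route")


def parse_line(line):
    """Return a dict for one log record, or None if the line is malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_allowed(cmdline, prefixes=ALLOWED_PREFIXES):
    """True if cmdline is an allowed command, alone or followed by arguments."""
    words = cmdline.split()
    return any(words[: len(p.split())] == p.split() for p in prefixes)


def audit(log_text, prefixes=ALLOWED_PREFIXES):
    """Parse every line; return (records, flagged_records, unparsed_line_count)."""
    records, flagged, unparsed = [], [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # malformed lines are counted, not silently dropped
            continue
        rec["allowed"] = is_allowed(rec["cmdline"], prefixes)
        records.append(rec)
        if not rec["allowed"]:
            flagged.append(rec)
    return records, flagged, unparsed


if __name__ == "__main__":
    _, bad, skipped = audit(SAMPLE_LOG)
    for rec in bad:
        print(f"UNEXPECTED from {rec['host']} ({rec['ip']}) at {rec['when']}: {rec['cmdline']}")
    print(f"{skipped} unparsed line(s)")
```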


On Sat, 25 Oct 1997, Mark Tripod wrote:

That is not true. You don't need to have a local user configured on the
router in order to use rsh or rcp. It is only needed if you aren't doing
some type of remote authentication like tacacs. I would however suggest
that you avoid rsh family commands on your routers. If you do feel that it
is essential to use them make sure to use tacacs and aaa accounting to log
all command transactions. To not do so is to ask for trouble.

Mark Tripod
Exodus Communications
 ----
From: Jamie Rishaw <jamie () intuition iagnet net>
To: Todd R. Stroup <tstroup () fibernet net>
Cc: cosmo () olywa net; alex () nac net; nanog () merit edu
Date: Saturday, October 25, 1997 10:21 AM
Subject: Re: OK.

You need to make sure that in 'ip rcmd' that you have local-username
defined to something that there is a 'username xxx' entry on the cisco
for.

In other words, if you have (sorry syntax is probably not correct):

ip rcmd remote-host joebob lookingglass.yourcompany.com daemon enable

you have to have a

'username joebob' entry on the cisco as well.

local-username means "apply the permissions of local-username when this
rsh matches"

and remote-username is the userid of whatever your cgi-bin runs as.. if
your web server is setuid "daemon" and cgi-bins are daemon, it will only
work if you have 'daemon' as a remote-username in the ip rcmd command.

HTH,

-jamie
--
jamie g.k. rishaw  dal/efnet:gavroche  __    IAGnet/CICNet/netILLINOIS
Netops
DID:216.902.5455 FAX:216.623.3566      \/            800.637.4IAGx5455
"It's like I'm being tied to the hood of a yellow rental truck being packed
in with fertilizer and fuel oil.. pushed over a cliff by a suicidal mickey
mouse."
