Re: Looking Glass Code

[Rafi Sadowsky <rafi-nanog () meron openu ac il>]

Hi Ariel

 If you really want to get paranoid - give the rsh privilege level 0 &
then you really get to specify exactly what IOS commands can be run by the
Looking Glass

Regards
        Rafi

P.S. AFAIK Cisco IOS SSH will only do telnet/rlogin type sessions - not
single commands - for the really paranoid set up the telnet/rsh connection
over encrypted IPSEC ;-)

On Tue, 13 Mar 2001, Ariel Biener wrote:

> On Mon, 12 Mar 2001, Don Simpson wrote:
>
>
> I have posted a list of such resources a while back (you can either look
> it up in the archives, or I'll send it to you in private).
>
> About your concerns, I don't think automated telnet/ssh access (using some
> script, which means you'll be storing the password for access somewhere on
> the disk, either as a different file, or as a part of the code) is more
> secure than rsh to a router with privilege level 1 (you can create a user,
> and using the aaa new-model authentication model, you can create a
> privilege level for that user, specifying exactly what commands that user
> is allowed to use) for example.
>
> --Ariel
>
> > I have been thinking about putting together a looking glass site on my
> > network and have looked at Ed Kern's (DIGEX) html and perl script but do not
> > want to enable rsh (anywhere) and do not want to reinvent the wheel if not
> > necessary. Has anyone seenan updated script written to use other access
> > means like telnet or ssh to exchange CLI/commands and results with an IOS
> > router?
> >
> > ----------------------------------------------
> > Don Simpson
> > ----------------------------------------------
>
> --
> Ariel Biener
> e-mail: ariel () post tau ac il
> PGP(6.5.8) public key http://www.tau.ac.il/~ariel/pgp.html