North American Network Operators Group

Re: OK.
Mark,

I would also agree that this is something that you don't want to deploy on your backbone routers. ;)

If you look through the script there was a place for logging as far as web page commands sent to the router. I think when I first looked at the script it was commented out for some reason. Output looks like:

www.goodyear.com 134.200.12.60 - - [Sun Oct 26 00:23:41 EDT 1997] trace www.fibernet.net

The cisco command "ip rcmd remote-host username ipaddr" I believe is to limit the rsh commands to one particular host/one particular user. Depending on your security paranoia level I suppose you could make it a non routable IP. Every time I have tried from somewhere else on the network to rsh into the router that isn't in the config I have gotten "Permission Denied". I suppose that is good but how much you can trust it has yet to be determined.

We have one setup here in the lab on a 4700 which is trying to take a full BGP table on 32 Meg of RAM. You don't get all the enviro stats but when it sits four floors down who cares, it's just a play toy anyway. :)

T..S

BTW: Back at ya Mr. Rishaw.

On Sat, 25 Oct 1997, Mark Tripod wrote:

> That is not true. You don't need to have a local user configured on the
> router in order to use rsh or rcp. It is only needed if you aren't doing
> some type of remote authentication like tacacs. I would however suggest
> that you avoid rsh family commands on your routers. If you do feel that it
> is essential to use them make sure to use tacacs and aaa accounting to log
> all command transactions. To not do so is to ask for trouble.
>
> Mark Tripod
> Exodus Communications
> ----
> From: Jamie Rishaw <[email protected]>
> To: Todd R. Stroup <[email protected]>
> Cc: [email protected]; [email protected]; [email protected]
> Date: Saturday, October 25, 1997 10:21 AM
> Subject: Re: OK.
>
> You need to make sure that in 'ip rcmd' that you have local-username
> defined to something that there is a 'username xxx' entry on the cisco
> for.
>
> In other words, if you have (sorry syntax is probably not correct):
>
> ip rcmd remote-host joebob lookingglass.yourcompany.com daemon enable
>
> you have to have a
>
> 'username joebob' entry on the cisco as well.
>
> local-username means "apply the permissions of local-username when this rsh
> matches"
>
> and remote-username is the userid of whatever your cgi-bin runs as.. if your
> web server is setuid "daemon" and cgi-bins are daemon, it will only work
> if you have 'daemon' as a remote-username in the ip rcmd command.
>
> HTH,
>
> -jamie
> --
> jamie g.k. rishaw   dal/efnet:gavroche   __   IAGnet/CICNet/netILLINOIS Netops
> DID:216.902.5455  FAX:216.623.3566      \/   800.637.4IAGx5455
> "It's like I'm being tied to the hood of a yellow rental truck being packed in
> with fertilizer and fuel oil.. pushed over a cliff by a suicidal mickey
> mouse."
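An added IOS configuration example (not posted by Todd, Mark or Jamie) that puts the thread's three points together: a single permitted rsh source mapped to a least-privilege local user as Jamie describes, TACACS+ with AAA command accounting as Mark recommends, and a filter so only that host reaches the rsh port at all. The looking-glass host 192.0.2.10, the TACACS+ server 192.0.2.20, the user names, the interface name and the passwords are all constructed placeholders.

```cisco
! --- Weak: rsh from a whole host, any local user with enable, nothing logged ---
ip rcmd rsh-enable
ip rcmd remote-host admin 192.0.2.10 root enable
!
! --- Hardened: one host, one remote user, least privilege, commands accounted ---
! The CGI on the looking glass runs as "daemon", so "daemon" is the only
! remote-username accepted. It is mapped to a level-1 local user that must
! exist on the router (Jamie's point). Without the "enable" keyword the
! looking glass can only run user-mode ping/trace/show.
username lgread privilege 1 password <placeholder-password>
ip rcmd rsh-enable
ip rcmd remote-host lgread 192.0.2.10 daemon
!
! AAA against TACACS+ with command accounting, so every command run over
! rsh is logged centrally rather than only in the CGI's own log file
! (Mark's point). "local" is the fallback if the TACACS+ server is down.
aaa new-model
aaa authentication login default group tacacs+ local
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 192.0.2.20
tacacs-server key <placeholder-shared-secret>
!
! Belt and braces (Todd's point about limiting to one host): only the
! looking-glass host may even open the rsh port, TCP 514, on the router.
ip access-list extended RSH-IN
 permit tcp host 192.0.2.10 any eq 514
 deny   tcp any any eq 514
 permit ip any any
!
interface Ethernet0
 ip access-group RSH-IN in
```

The "ip rcmd remote-host" line is the authorization decision: an rsh request is honoured only when the source address and the remote user both match, and it then runs with the privilege of the named local user.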