I am a moron; I can't figure it out.

How do you make a cisco so that you can rsh into it (to use Mr. Kerns looking glass)?

TIA
On Fri, Oct 24, 1997 at 11:26:16PM -0400, Alex Rubenstein wrote:
> I am a moron; I can't figure it out.
> How do you make a cisco so that you can rsh into it (to use Mr. Kerns looking glass)?

Check out the 'ip rcmd' commands in 11.1 and later (specifically, ip rcmd rsh-enable)

Alec

--
+------------------------------------+--------------------------------------+
|Alec Peterson - ahp@hilander.com    | Erols Internet Services, INC.        |
|Network Engineer                    | Springfield, VA.                     |
+------------------------------------+--------------------------------------+
It's my opinion first and foremost that you are not a moron.

Moreover, and keeping with the operational charter of the newsgroup, I would not recommend that folks enable r* commands on their cisco routers.

When automated access is required, automating access with stored passwords can be done quite handily.

While one must focus on protecting the sanctity of the stored passwords, one doesn't have to focus on the security of forged r* logins. Protecting something within a host, rather than a network segment, is probably simpler in this case than the converse.

$0.02.

Most web page access, odd-statistics gathering, and ease-of-use tools with which I am familiar use ^expect^ to implement such.

-alan

Quoting Alex Rubenstein (alex@nac.net):
> I am a moron; I can't figure it out.
> How do you make a cisco so that you can rsh into it (to use Mr. Kerns looking glass)?
> TIA
> Most web page access, odd-statistics gathering, and ease-of-use tools with which I am familiar use ^expect^ to implement such.

One such example would be MCI's "pollem", available at ftp://ftp.mci.net/outgoing/pollem

"pollem" is a perl script that will log into a Cisco, pull a copy of the on-line config, and compare it with a previously pulled config (for things like network audits, etc). It can be changed to execute any command that the logged in user has privilege for.

http://www.security.mci.net/dostrack

================================================================
Dale Drew                    MCI Telecommunications
Sr. Manager                  internetMCI Security Engineering
Voice: 703/715-7058          Internet: ddrew@mci.net
Fax: 703/715-7066            MCIMAIL: Dale_Drew/644-3335

At 12:50 PM 10/25/97 -0400, Alan Hannan wrote:
> It's my opinion first and foremost that you are not a moron.
>
> Moreover, and keeping with the operational charter of the newsgroup, I would not recommend that folks enable r* commands on their cisco routers.
>
> When automated access is required, automating access with stored passwords can be done quite handily.
>
> While one must focus on protecting the sanctity of the stored passwords, one doesn't have to focus on the security of forged r* logins. Protecting something within a host, rather than a network segment, is probably simpler in this case than the converse.
>
> $0.02.
>
> Most web page access, odd-statistics gathering, and ease-of-use tools with which I am familiar use ^expect^ to implement such.
>
> -alan
>
> Quoting Alex Rubenstein (alex@nac.net):
> > I am a moron; I can't figure it out.
> > How do you make a cisco so that you can rsh into it (to use Mr. Kerns looking glass)?
> > TIA
> It's my opinion first and foremost that you are not a moron.

Thanks.

> Moreover, and keeping with the operational charter of the newsgroup, I would not recommend that folks enable r* commands on their cisco routers.

I have been thinking about this; and, I can't figure out why. If you can in the cisco specifically tell it which machines to listen to for rsh connections, and specifically tell it not to allow any enable commands, how can it be bad?

> When automated access is required, automating access with stored passwords can be done quite handily.

I have a couple problems with this; one, the password is stored on disk, somewhere. Two; what if the password is changed? Or different on each box? That is a royal pain in the ass. Three; It seems that rsh/rcmd connections are *way* faster than a telnet/login/whatever/exit routine -- at least in my experience.

> While one must focus on protecting the sanctity of the stored passwords, one doesn't have to focus on the security of forged r* logins. Protecting something within a host, rather than a network segment, is probably simpler in this case than the converse.

I look forward to more comments.
> > Moreover, and keeping with the operational charter of the newsgroup, I would not recommend that folks enable r* commands on their cisco routers.
>
> I have been thinking about this; and, I can't figure out why. If you can in the cisco specifically tell it which machines to listen to for rsh connections, and specifically tell it not to allow any enable commands, how can it be bad?

Well, if it's possible to r* into a router, it's possible to take advantage of a mistake by an administrator (forgetting to disable a service or temporarily enabling it and forgetting to AGAIN disable it) and get into the router. I think the primary reason for disabling r* commands is not so much because of inherent problems but more to close potential holes and prevent accidents.

----------------------------------------------------------------------
Wayne Bouchard                        GlobalCenter
web@primenet.com                      Primenet
Network Operations                    Internet Solutions for
(602) 416-6422 800-373-2499 x6422     Growing Businesses
FAX: (602) 416-9422                   http://www.primenet.com http://www.globalcenter.net
----------------------------------------------------------------------
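
The snapshot comparison described for pollem, aimed at the accident case raised above (an r* service enabled and never switched off again), as an added example that is not pollem's code and not part of the thread. The two configs are constructed samples, `audit` and `significant_lines` are hypothetical names, and the `ip rcmd remote-host ... enable` form is IOS syntax assumed here rather than quoted in the thread.

```python
import re

# Constructed sample snapshots (not taken from a real router).
PREVIOUS = """\
! Last configuration change at 10:02:11 UTC Fri Oct 24 1997
hostname edge1
line vty 0 4
 login
"""
CURRENT = """\
! Last configuration change at 23:40:52 UTC Sat Oct 25 1997
hostname edge1
ip rcmd rsh-enable
ip rcmd remote-host lg 192.0.2.10 www enable
line vty 0 4
 login
"""
RCMD = re.compile(r"^ip rcmd\s+(\S+)(.*)$")


def significant_lines(config):
    """Drop blank lines and '!' comment lines such as the change timestamp."""
    return [l.rstrip() for l in config.splitlines()
            if l.strip() and not l.lstrip().startswith("!")]


def audit(previous, current):
    """Compare two config snapshots and flag newly added 'ip rcmd' lines."""
    old, new = significant_lines(previous), significant_lines(current)
    added = [l for l in new if l not in old]
    removed = [l for l in old if l not in new]
    findings = []
    for line in added:
        m = RCMD.match(line.strip())
        if not m:
            continue
        keyword, rest = m.group(1), m.group(2).split()
        if keyword in ("rsh-enable", "rcp-enable"):
            findings.append(("service-enabled", line))
        elif keyword == "remote-host":
            # Arguments: local-user, host, remote-user, then optional 'enable',
            # which lets that remote user run privileged commands.
            kind = "remote-host-enable" if "enable" in rest[3:] else "remote-host"
            findings.append((kind, line))
    return {"added": added, "removed": removed, "findings": findings}


if __name__ == "__main__":
    for kind, line in audit(PREVIOUS, CURRENT)["findings"]:
        print(f"{kind}: {line}")
```
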
Alex Rubenstein wrote:
> I am a moron; I can't figure it out.
> How do you make a cisco so that you can rsh into it (to use Mr. Kerns looking glass)?
> TIA

Let's create a moron's mailing list, I cannot find it either..

--
Leigh Porter - Wisper Bandwidth Plc - http://www.wisper.net
GeekCode - http://saratoga.wisper.net:9999/~leigh/
Set UR PC 3 - http://www.linux.org
participants (6)
- Alan Hannan
- Alec H. Peterson
- Alex Rubenstein
- Dale Drew
- Leigh Porter
- Wayne Bouchard