[13306] in North American Network Operators' Group


Re: OK.

daemon@ATHENA.MIT.EDU (Alex Rubenstein)
Sat Nov 1 23:50:30 1997

Date: Sat, 1 Nov 1997 23:40:56 -0500 (EST)
From: Alex Rubenstein <alex@nac.net>
To: Alan Hannan <hannan@bythetrees.com>
cc: nanog@merit.edu
In-Reply-To: <19971025125015.46770@freedom.bythetrees.com>


> 
>   It's my opinion first and foremost that you are not a moron.

Thanks.

> 
>   Moreover, and keeping with the operational charter of the newsgroup, I 
>   would not recommend that folks enable r* commands on their cisco
>   routers.

I have been thinking about this, and I can't figure out why. If you can
in the cisco specifically tell it which machines to listen to for rsh
connections, and specifically tell it not to allow any enable commands,
how can it be bad?


>   When automated access is required, automating access with stored
>   passwords can be done quite handily.

I have a couple of problems with this. One: the password is stored on disk,
somewhere. Two: what if the password is changed? Or different on each box?
That is a royal pain in the ass. Three: it seems that rsh/rcmd connections
are *way* faster than a telnet/login/whatever/exit routine -- at least in
my experience.

>   While one must focus on protecting the sanctity of the stored
>   passwords, one doesn't have to focus on the security of forged r*
>   logins.  Protecting something within a host, rather than a network
>   segment, is probably simpler in this case than the converse.
> 


I look forward to more comments.
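The restricted setup Alex describes (named trusted hosts, no enable privilege) looks roughly like this on Cisco IOS. This is an added illustration, not configuration from the thread or from either poster; the address and usernames are constructed placeholders, and the `ip rcmd` commands are the standard IOS r-command configuration.

```text
! Added example, not from the thread: Cisco IOS rcmd configuration.
! 192.0.2.10 and the usernames are constructed placeholders.

! --- Weak setting: the trusted host is also granted enable (privilege 15) ---
ip rcmd rsh-enable
ip rcmd remote-host netops 192.0.2.10 netops enable 15

! --- Restricted setting, as described in the post ---
! Only 192.0.2.10, presenting remote user "netops", may run rsh commands.
! They execute as local user "netops" at user EXEC level; without the
! "enable" keyword no enable-mode commands are accepted over rsh.
ip rcmd rsh-enable
ip rcmd remote-host netops 192.0.2.10 netops
```

The point the two variants make visible is the one Alan's reply raises: the router accepts the request on the strength of the source address and the remote username carried in the rsh request, with no password exchanged. Dropping `enable` bounds what an accepted request can do, but the management host and the network path to the router become the whole trust boundary, which is why the quoted reply argues that protecting a host is a different (and in his view simpler) problem than protecting a segment against forged r* logins.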


