[35551] in North American Network Operators' Group


Re: Looking Glass Code

daemon@ATHENA.MIT.EDU (Rafi Sadowsky)
Tue Mar 13 07:37:56 2001

Date: Tue, 13 Mar 2001 14:35:31 +0200 (IST)
From: Rafi Sadowsky <rafi-nanog@meron.openu.ac.il>
Reply-To: <nanog@merit.edu>
To: Ariel Biener <ariel@fireball.tau.ac.il>
Cc: Don Simpson <don.simpson@factory23.com>, <nanog@merit.edu>
In-Reply-To: <Pine.LNX.4.21_heb2.09.0103130312110.15717-100000@fireball.tau.ac.il>
Message-ID: <Pine.GSO.4.31.0103131426100.9269-100000@meron.openu.ac.il>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu
Hi Ariel

 If you really want to get paranoid - give the rsh privilege level 0 &
then you really get to specify exactly what IOS commands can be run by the
Looking Glass

Regards
	Rafi

P.S. AFAIK Cisco IOS SSH will only do telnet/rlogin type sessions - not
single commands - for the really paranoid set up the telnet/rsh connection
over encrypted IPSEC ;-)

On Tue, 13 Mar 2001, Ariel Biener wrote:

>
> On Mon, 12 Mar 2001, Don Simpson wrote:
>
>
> I have posted a list of such resources a while back (you can either look
> it up in the archives, or I'll send it to you in private).
>
> About your concerns, I don't think automated telnet/ssh access (using some
> script, which means you'll be storing the password for access somewhere on
> the disk, either as a different file, or as a part of the code) is more
> secure than rsh to a router with privilege level 1 (you can create a user,
> and using the aaa new-model authentication model, you can create a
> privilege level for that user, specifying exactly what commands that user
> is allowed to use) for example.
>
> --Ariel
>
> >
> > I have been thinking about putting together a looking glass site on my
> > network and have looked at Ed Kern's (DIGEX) html and perl script but do not
> > want to enable rsh (anywhere) and do not want to reinvent the wheel if not
> > necessary. Has anyone seenan updated script written to use other access
> > means like telnet or ssh to exchange CLI/commands and results with an IOS
> > router?
> >
> > ----------------------------------------------
> > Don Simpson
> > ----------------------------------------------
> >
> >
> >
>
> --
> Ariel Biener
> e-mail: ariel@post.tau.ac.il
> PGP(6.5.8) public key http://www.tau.ac.il/~ariel/pgp.html
>
>
>
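The privilege-level setup the two posts above discuss (Ariel's level-1 account, Rafi's point that the router, not the glass script, should decide which commands run), as an added IOS configuration example that is not any poster's own config. Hostname, address, usernames and secrets are constructed placeholders; the commands are standard IOS syntax of that era, but confirm each against your release.

```cisco
! Added example, not from any poster in this thread: keep the looking-glass
! account at privilege level 1 and trim level 1 so the glass can only run
! the read-only commands it actually needs.
! Address, usernames and secrets below are constructed placeholders.
!
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
! The looking-glass account. The glass host is never given the enable
! secret, so a session from it cannot climb past level 1.
username lg privilege 1 secret LG-PLACEHOLDER-SECRET
enable secret ENABLE-PLACEHOLDER-SECRET
!
! Level 1 normally includes outbound session commands (telnet, connect,
! rlogin, and ssh on SSH-capable images). Move them to level 15 so the
! glass cannot hop onward from the router. show ip bgp, show ip route,
! ping and traceroute are at level 1 by default and stay there.
privilege exec level 15 telnet
privilege exec level 15 connect
privilege exec level 15 rlogin
privilege exec level 15 ssh
!
! rsh variant: bind the glass host (placeholder 192.0.2.10, remote user
! "lgproc") to the same local account. Without the trailing "enable"
! keyword the remote user gets user EXEC only, i.e. the trimmed level 1.
! rsh is accepted only from hosts listed here.
ip rcmd rsh-enable
ip rcmd remote-host lg 192.0.2.10 lgproc
!
! Restrict the vty listeners to the glass host as well, so the
! telnet/ssh path is no wider than the rsh one.
access-list 10 permit host 192.0.2.10
line vty 0 4
 access-class 10 in
```

Either path ends with the router enforcing the command set, which is what makes storing a level-1 credential on the glass host tolerable: compromise of that file yields only the show commands the glass already exposes.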