platforms that support rsh

john heasley heas at shrubbery.net
Fri Jun 10 00:39:32 UTC 2005


Thu, Jun 09, 2005 at 12:31:56AM +0200, Andre van der Merwe:
> On Wed, Jun 08, 2005 at 08:36:35AM -0700, john heasley wrote:
> > Can anyone verify whether the following platforms support rsh logins:
> > 
> > alogin	alteon
> > blogin	bay networks/nortel
> > flogin	foundry				afaik, telnet/ssh only
> > hlogin	hp procurves			afaik, telnet/ssh only
> > htlogin	hitachi				htlogin only supports telnet
> > nlogin	netscreen
> > tntlogin TNT
> > 
> > does netscaler support telnet or rsh?
> > nslogin	netscaler
> 
> Hi
> 
> Hope I am not out of line here.
> 
> Would it also be worth asking if Kerberized rsh, rlogin and telnet are 
> available on these devices. As it is, rsh is the least secure way to 
> pull important data from your devices / allow access to them. Should the standard 
> rsh/rlogin method be encouraged, or would it be implemented with the caution?
> 

it's been quite some time since I've used kerberos, but iirc...how would
rancid get its ticket (or how would you manually issue one and hand it off;
it writes a file in ~, right?) and how would the ticket get renewed?  are
folks actually using kerberized AAA?  does cisco (or any other) actually
support kerberized rsh?

Not to trash the idea, but other than an encrypted rsh, using kerberos
doesn't seem much different from using ssh and .cloginrc; if your rancid or
kerberos hosts are hacked, the intruder has access.  of course, if your AAA
server is hacked, an intruder has access to your routers whether you're
using cloginrc or securid for authentication or whatever.

How far are you willing to go?  I don't know of any way to avoid the
inevitable trade-off between security and automation.  you have to choose
wisely; though they have their place, I don't believe rsh or telnet are wise
choices in general.  And, there is nothing to stop you from putting a
firewall of some sort in front of your hosts.  Or take it beyond reason; add
ipsec tunnels from your management host (or firewall) to every device in your
network.

I'm surprised kerberos hasn't met the dodo yet.  seriously, if your equipment
doesn't support ssh, complain to your vendor with your check-book.
