platforms that support rsh
Can anyone verify whether the following platforms support rsh logins:

alogin alteon
blogin bay networks/nortel
flogin foundry afaik, telnet/ssh only
hlogin hp procurves afaik, telnet/ssh only
htlogin hitachi htlogin only supports telnet
nlogin netscreen
tntlogin TNT

does netscaler support telnet or rsh?
nslogin netscaler
platforms that support rsh
On Wed, Jun 08, 2005 at 08:36:35AM -0700, john heasley wrote:
> Can anyone verify whether the following platforms support rsh logins:
>
> alogin alteon
> blogin bay networks/nortel
> flogin foundry afaik, telnet/ssh only
> hlogin hp procurves afaik, telnet/ssh only
> htlogin hitachi htlogin only supports telnet
> nlogin netscreen
> tntlogin TNT
>
> does netscaler support telnet or rsh?
> nslogin netscaler

Hi

Hope I am not out of line here.

Would it also be worth asking if Kerberized rsh, rlogin and telnet are
available on these devices. As it is, rsh is the least secure way to
pull important data from your devices / allow access to them. Should the
standard rsh/rlogin method be encouraged, or would it be implemented with
caution?


-Andre

Andre van der Merwe
Network Engineer
Internet Solutions
E-mail: andre at is.co.za
Web: www.is.co.za
platforms that support rsh
Thu, Jun 09, 2005 at 12:31:56AM +0200, Andre van der Merwe:
> On Wed, Jun 08, 2005 at 08:36:35AM -0700, john heasley wrote:
> > Can anyone verify whether the following platforms support rsh logins:
> >
> > alogin alteon
> > blogin bay networks/nortel
> > flogin foundry afaik, telnet/ssh only
> > hlogin hp procurves afaik, telnet/ssh only
> > htlogin hitachi htlogin only supports telnet
> > nlogin netscreen
> > tntlogin TNT
> >
> > does netscaler support telnet or rsh?
> > nslogin netscaler
>
> Hi
>
> Hope I am not out of line here.
>
> Would it also be worth asking if Kerberized rsh, rlogin and telnet are
> available on these devices. As it is, rsh is the least secure way to
> pull important data from your devices / allow access to them. Should the standard
> rsh/rlogin method be encouraged, or would it be implemented with caution?
>

it's been quite some time since I've used kerberos, but iirc...how would
rancid get its ticket (or how would you manually issue one and hand it off;
it writes a file in ~, right?) and how would the ticket get renewed? are
folks actually using kerberized AAA? does cisco (or any other) actually
support kerberized rsh?

Not to trash the idea, but other than an encrypted rsh, using kerberos
doesn't seem much different from using ssh and .cloginrc; if your rancid or
kerberos hosts are hacked, the intruder has access. of course, if your AAA
server is hacked, an intruder has access to your routers whether you're
using cloginrc or securid for authentication or whatever.

How far are you willing to go? I don't know of any way to avoid the
inevitable trade-off between security and automation. you have to choose
wisely; though they have their place, I don't believe rsh or telnet are wise
choices in general. And, there is nothing to stop you from putting a
firewall of some sort in front of your hosts. Or take it beyond reason; add
ipsec tunnels from your management host (or firewall) to every device in your
network.

I'm surprised kerberos hasn't met the dodo yet. seriously, if your equipment
doesn't support ssh, complain to your vendor with your check-book.
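As an added example (my own code, not part of the thread or of rancid itself): a small audit that reads a constructed .cloginrc and reports which devices clogin would reach over rsh or telnet, including cleartext fallbacks listed after ssh. It assumes rancid's rule that the first `add method` line whose glob matches the hostname wins; the file contents, hostnames and passwords are made up for the example.

```python
import fnmatch
import re
from typing import Dict, List, Tuple

# Constructed .cloginrc sample (hypothetical hosts and credentials).
SAMPLE_CLOGINRC = """\
# rancid login config (constructed sample)
add user        *              {rancid}
add password    *              {p4ss} {en4ble}
add method      core-rtr1      {ssh}
add method      old-switch*    {rsh} {telnet}
add method      lb-*           {telnet} {ssh}
add method      *              {ssh} {telnet}
"""

_ADD_LINE = re.compile(r"^\s*add\s+(\S+)\s+(\S+)\s+(.*)$")
CLEARTEXT = {"rsh", "telnet"}

def parse_cloginrc(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (directive, host_glob, brace_values) tuples in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments (assumes no '#' inside braces)
        m = _ADD_LINE.match(line)
        if not m:
            continue
        directive, host_glob, rest = m.groups()
        values = re.findall(r"\{([^}]*)\}", rest)
        entries.append((directive, host_glob, values))
    return entries

def methods_for(entries, hostname: str) -> List[str]:
    """First matching 'add method' glob wins (assumed clogin behaviour).
    Returns [] when nothing matches; clogin's built-in default is not modelled."""
    for directive, host_glob, values in entries:
        if directive == "method" and fnmatch.fnmatchcase(hostname, host_glob):
            return values
    return []

def audit(text: str, hosts: List[str]) -> Dict[str, List[str]]:
    """Map each host to the cleartext methods clogin could use for it.
    A telnet fallback after ssh still counts: clogin walks the list in order,
    so a failed ssh attempt ends up sending the password in the clear."""
    entries = parse_cloginrc(text)
    findings = {}
    for host in hosts:
        exposed = [m for m in methods_for(entries, host) if m in CLEARTEXT]
        if exposed:
            findings[host] = exposed
    return findings
```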
platforms that support rsh
On Fri, Jun 10, 2005 at 12:39:32AM +0000, john heasley wrote:
> Thu, Jun 09, 2005 at 12:31:56AM +0200, Andre van der Merwe:

> > Would it also be worth asking if Kerberized rsh, rlogin and telnet are
> > available on these devices. As it is, rsh is the least secure way to
> > pull important data from your devices / allow access to them.

Every Kerberized rsh implementation I've seen only uses encryption
for authentication - the traffic is still in the clear. Kerberized
telnet can also work this way if you don't turn on data encryption.
And some Kerberized telnet clients, even when you tell them to use
encryption, may silently switch you to cleartext if the encryption
negotiations fail. So be careful out there - if you think you're
encrypting something over the net, verify it with tcpdump or the like.

> it's been quite some time since I've used kerberos, but iirc...how would
> rancid get its ticket (or how would you manually issue one and hand it off;
> it writes a file in ~, right?) and how would the ticket get renewed?

I suppose you could automate that with a separate batch job - hardcode the
Kerberos password somewhere and call kinit every N hours to renew the
ticket. And there may be some other features of Kerberos that you could
use for this (I vaguely recall something about "service principals").

-- Ed