That is not true. You don't need to have a local user configured on the
router in order to use rsh or rcp. It is only needed if you aren't doing
some type of remote authentication like tacacs. I would however suggest
that you avoid rsh family commands on your routers. If you do feel that it
is essential to use them make sure to use tacacs and aaa acounting to log
all command transactions. To not do so is to ask for trouble.

Mark Tripod
Exodus Communications

Mark, I would also agree that this is something that you don't want to
deploy on your backbone routers. :wink: If you look through the script there
was a place for logging as far as web page commands sent to the
router. I think when I first looked at the script it was commented
out for some reason. Output looks like :

www.goodyear.com - - [Sun Oct 26 00:23:41 EDT 1997] trace www.fibernet.net

The cisco command "ip rcmd remote-host usename ipaddr" I belive is to
limit the rsh commands to one particular host/one particular user.
Depending on your security paranoia level I suppose you could make it a
non routable IP. Every time I have tried from somewhere else on the
network to rsh into the router that isn't in the config I have gotten
"Permission Denied". I suppose that is good but how much you can trust it
has yet to be determined.

We have one setup here in the lab on a 4700 which is trying to take a
full BGP table on 32 Meg of RAM. You don't get all the enviro stats but
when it sits four floors down who cares, its just a play toy anyway. :slight_smile:


BTW : Back at ya Mr. Rishaw.