A TCP connection to a router is established using an IP address. Using the host name is valid only when you are initiating an rcp or rsh command from a local router. The host name is converted to an IP address using DNS or host-name aliasing.
To allow a remote user to execute rcp or rsh commands on a local router, you must create an entry for the remote user in the local authentication database. You must also enable the router to act as an rsh or rcp server.
To enable the router to act as an rsh server, issue the
rsh-enable command. To enable the router to act as an rcp server, issue the
rcp-enable command.The router cannot act as a server for either of these protocols unless you explicitly enable the capacity.
A local authentication database, which is similar to a UNIX
.rhosts file, is used to enforce security on the router through access control. Each entry that you configure in the authentication database identifies the local user, the remote host, and the remote user. To permit a remote user of rsh to execute commands in privileged EXEC mode or to permit a remote user of rcp to copy files to the router, specify the
enable keyword and level. For information on the enable level, refer to the
level global configuration command in the
Release 12.2 Cisco IOS Security Command Reference.
An entry that you configure in the authentication database differs from an entry in a UNIX
.rhostsfile in the following aspect. Because the
.rhosts file on a UNIX system resides in the home directory of a local user account, an entry in a UNIX
.rhosts file need not include the local username; the local username is determined from the user account. To provide equivalent support on a router, specify the local username along with the remote host and remote username in each authentication database entry that you configure.
For a remote user to be able to execute commands on the router in its capacity as a server, the local username, host address or name, and remote username sent with the remote client request must match values configured in an entry in the local authentication file.
A remote client host should be registered with DNS. The Cisco IOS software uses DNS to authenticate the remote host’s name and address. Because DNS can return several valid IP addresses for a host name, the Cisco IOS software checks the address of the requesting client against all of the IP addresses for the named host returned by DNS. If the address sent by the requester is considered invalid, that is, it does not match any address listed with DNS for the host name, then the software will reject the remote-command execution request.
Note that if no DNS servers are configured for the router, then that device cannot authenticate the host in this manner. In this case, the Cisco IOS software sends a broadcast request to attempt to gain access to DNS services on another server. If DNS services are not available, you must use the
domain-lookup command to disable the attempt to gain access to a DNS server by sending a broadcast request.
If DNS services are not available and, therefore, you bypass the DNS security check, the software will accept the request to remotely execute a command only if all three values sent with the request match exactly the values configured for an entry in the local authentication file.