Table Of Contents
ACL Authentication of Incoming rsh and rcp Requests
ACL Authentication of Incoming rsh and rcp Requests
Feature History
This document describes the ACL Authentication of Incoming RSH and RCP Requests feature in Cisco IOS Release 12.2(8)T. It includes the following sections:
Feature Overview
To enable the Cisco IOS software to receive incoming remote shell (rsh) protocol and remote copy (rcp) protocol requests, customers must configure an authentication database to control access to the router. This configuration is accomplished by using the ip rcmd remote-host command.
Currently, when using this command, customers must specify the local user, the remote host, and the remote user in the database authentication configuration. For users who can execute commands to the router from multiple hosts, multiple database authentication configuration entries must be used, one for each host, as shown below.
ip rcmd remote-host local-user1 remote-host1 remote-user1ip rcmd remote-host local-user1 remote-host2 remote-user1ip rcmd remote-host local-user1 remote-host3 remote-user1ip rcmd remote-host local-user1 remote-host4 remote-user1This feature allows customers to specify an access list for a given user. The access list identifies the hosts to which the user has access. A new argument, access-list, has been added that can be used with this command to specify the access list, as shown below.
ip rcmd remote-host local-user1 access-list remote-user1To allow a user access to the hosts identified in the access list, first define the access list. If the access list is not already defined, access to the host will be denied. For information about defining an access list, refer to the Cisco IOS Security Configuration Guide, Release 12.2.
For more information about using the modified ip rcmd remote-host command, see the "Command Reference" section later in this document.
Related Documents
•
Cisco IOS Configuration Fundamentals Command Reference, Release 12.2
•
•
Supported Platforms
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Determining Platform Support Through Cisco Feature Navigator
Cisco IOS software is packaged in feature sets that support specific platforms. To get updated information regarding platform support for this feature, access Cisco Feature Navigator. Cisco Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.
Cisco Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or release. Under the release section, you can compare releases side by side to display both the features unique to each software release and the features in common.
Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at the following URL:
Command Reference
This section documents the modified ip rcmd remote-host command. All other commands used with this feature are documented in the Cisco IOS Release 12.2 command reference publications.
ip rcmd remote-host
To create an entry for the remote user in a local authentication database so that remote users can execute commands on the router using remote shell (rsh) or remote copy (rcp) protocol requests, use the ip rcmd remote-host command in global configuration mode. To remove an entry for a remote user from the local authentication database, use the no form of this command.
ip rcmd remote-host local-username {ip-address | host | access-list} remote-username [enable [level]]
no ip rcmd remote-host local-username {ip-address | host | access-list} remote-username [enable [level]]
Syntax Description
Defaults
No entries are in the local authentication database.
Command Modes
Global configuration
Command History
10.3
This command was introduced.
12.2(8)T
This command was modified to allow use of access lists when specifying multiple hosts for specific users.
Usage Guidelines
A TCP connection to a router is established using an IP address. Using the host name is valid only when you are initiating an rcp or rsh command from a local router. The host name is converted to an IP address using Domain Name System (DNS) or host-name aliasing.
To allow a remote user to execute rcp or rsh commands on a local router, you must create an entry for the remote user in the local authentication database. You must also enable the router to act as an rsh or rcp server.
To enable the router to act as an rsh server, issue the ip rcmd rsh-enable global configuration command. To enable the router to act as an rcp server, enter the ip rcmd rcp-enable command. The router cannot act as a server for either of these protocols unless you explicitly enable the capacity.
A local authentication database, which is similar to a UNIX .rhosts file, is used to enforce security on the router through access control. Each entry that you configure in the authentication database identifies the local user, the remote host, and the remote user. To permit a remote user of rsh to execute commands in privileged EXEC mode or to permit a remote user of rcp to copy files to the router, specify the enable keyword and level. For information on the enable level, refer to the privilege level global configuration command in the Release 12.2 Cisco IOS Security Command Reference.
An entry that you configure in the authentication database differs from an entry in a UNIX .rhosts file in the following aspect. Because the .rhosts file on a UNIX system resides in the home directory of a local user account, an entry in a UNIX .rhosts file need not include the local username; the local username is determined from the user account. To provide equivalent support on a router, specify the local username along with the remote host and remote username in each authentication database entry that you configure.
For a remote user to be able to execute commands on the router in its capacity as a server, the local username, host address or name, and remote username sent with the remote client request must match values configured in an entry in the local authentication file.
For a remote user who can execute commands from multiple hosts, you can use an access list to specify the remote hosts to which the user has access. The access list identifies the hosts by either host name or address. The access list must already be defined; otherwise, the user will be denied access to the host. For information about defining and creating access lists, refer to the Cisco IOS Security Configuration Guide, Release 12.2.
A remote client host should be registered with DNS. The Cisco IOS software uses DNS to authenticate the name and address of the remote host. Because DNS can return several valid IP addresses for a host name, the Cisco IOS software checks the address of the requesting client against all of the IP addresses for the named host returned by DNS. If the address sent by the requester is considered invalid, that is, it does not match any address listed with DNS for the host name, then the software will reject the remote-command execution request.
Note that if no DNS servers are configured for the router, then that device cannot authenticate the host in this manner. In this case, the Cisco IOS software sends a broadcast request to attempt to gain access to DNS services on another server. If DNS services are not available, you must use the no ip domain-lookup global configuration command to disable the attempt to gain access to a DNS server by sending a broadcast request.
If DNS services are not available and, therefore, the DNS security check is bypassed, the software will accept the request to remotely execute a command only if all three values sent with the request match exactly the values configured for an entry in the local authentication file.
Examples
The following example allows the remote user named netadmin3 on a remote host with the IP address 172.16.101.101 to execute commands on router1 using the rsh or rcp protocol. User netadmin3 is allowed to execute commands in privileged EXEC mode.
ip rcmd remote-host router1 172.16.101.101 netadmin3 enableThe following example specifies an access list 1 for user netadmin3. The access list contains the remote hosts that user netadmin3 can use to execute commands. User netadmin3 is allowed to execute commands in privileged EXEC mode.
ip rcmd remote-host router1 172.16.101.101 access-list 1 netadmin3 enableRelated Commands