ip rcmd domain-lookup
To reenable the basic DNS security check for rcp and rsh, use the ip rcmd domain-lookup global configuration command. To disable the basic DNS security check for rcp and rsh, use the no form of this command.
ip rcmd domain-lookup
no ip rcmd domain-lookup
Syntax Description
This command has no arguments or keywords.
Defaults
Enabled
Command Modes
Global configuration
Command History
Usage Guidelines
The abbreviation RCMD (remote command) is used to indicate both rsh and rcp.
DNS lookup for RCMD is enabled by default (provided general DNS services are enabled on the system using the ip domain-lookup command).
The no ip rcmd domain-lookup command is used to disable the DNS lookup for RCMD. The ip rcmd domain-lookup command is used to reenable the DNS lookup for RCMD.
DNS lookup for RCMD is performed as a basic security check. This check is performed using a host authentication process. When enabled, the system records the address of the requesting client. That address is mapped to a host name using DNS. Then a DNS request is made for the IP address for that host name. The IP address received is then checked against the original requesting address. If the address does not match with any of the addresses received from DNS, the RCMD request will not be serviced.
This reverse lookup is intended to help protect against spoofing. Note, however, that the check only confirms that the requesting address and its DNS host name are consistent with each other (reverse and forward lookups agree); it is still possible for an attacker to spoof the valid IP address of a known host, so the check does not replace the entries in the local authentication database.
The DNS lookup is done after the TCP handshake but before the router (which is acting as a rsh/rcp server) sends any data to the remote client.
The no ip rcmd domain-lookup command turns off DNS lookups for rsh and rcp only. The no ip domain-lookup command takes precedence over the ip rcmd domain-lookup command. This means that if the no ip domain-lookup command is in the current configuration, DNS is bypassed for rcp and rsh even if the ip rcmd domain-lookup command is enabled.
Examples
In the following example, the DNS security check is disabled for RCMD (rsh/rcp):
Router(config)# no ip rcmd domain-lookup
Related Commands
ip rcmd rcp-enable
To configure the Cisco IOS software to allow remote users to copy files to and from the router using remote copy (rcp), use the ip rcmd rcp-enable global configuration command. To disable rcp on the device, use the no form of this command.
ip rcmd rcp-enable
no ip rcmd rcp-enable
Syntax Description
This command has no arguments or keywords.
Defaults
To ensure security, the router is not enabled for rcp by default.
Command Modes
Global configuration
Command History
Usage Guidelines
To allow a remote user to execute rcp commands on the router, you must also create an entry for the remote user in the local authentication database using the ip rcmd remote-host command.
The no ip rcmd rcp-enable command does not prohibit a local user from using rcp to copy system images and configuration files to and from the router.
To protect against unauthorized users copying the system image or configuration files, the router is not enabled for rcp by default.
Examples
In the following example, the rcp service is enabled on the system, the IP address assigned to the Loopback0 interface is used as the source address for outbound rcp and rsh packets, and access is granted to the user "netadmin3" on the remote host 172.16.101.101:
Router(config)# ip rcmd rcp-enable
Router(config)# ip rcmd source-interface Loopback0
Router(config)# ip rcmd remote-host router1 172.16.101.101 netadmin3
Related Commands
Command | Description
---|---
ip rcmd remote-host | Creates an entry for the remote user in a local authentication database so that remote users can execute commands on the router using rsh or rcp.
ip rcmd remote-host
To create an entry for the remote user in a local authentication database so that remote users can execute commands on the router using rsh or rcp, use the ip rcmd remote-host command in global configuration mode. To remove an entry for a remote user from the local authentication database, use the no form of this command.
ip rcmd remote-host local-username {ip-address | host-name} remote-username [enable [level]]
no ip rcmd remote-host local-username {ip-address | host-name} remote-username [enable [level]]
Syntax Description
Defaults
No entries are in the local authentication database.
Command Modes
Global configuration
Command History
Usage Guidelines
A TCP connection to a router is established using an IP address. Using the host name is valid only when you are initiating an rcp or rsh command from a local router. The host name is converted to an IP address using DNS or host-name aliasing.
To allow a remote user to execute rcp or rsh commands on a local router, you must create an entry for the remote user in the local authentication database. You must also enable the router to act as an rsh or rcp server.
To enable the router to act as an rsh server, issue the ip rcmd rsh-enable command. To enable the router to act as an rcp server, issue the ip rcmd rcp-enable command. The router cannot act as a server for either of these protocols unless you explicitly enable the capability.
A local authentication database, which is similar to a UNIX .rhosts file, is used to enforce security on the router through access control. Each entry that you configure in the authentication database identifies the local user, the remote host, and the remote user. To permit a remote user of rsh to execute commands in privileged EXEC mode or to permit a remote user of rcp to copy files to the router, specify the enable keyword and level. For information on the enable level, refer to the privilege level global configuration command in the Release 12.2 Cisco IOS Security Command Reference.
An entry that you configure in the authentication database differs from an entry in a UNIX .rhosts file in the following aspect. Because the .rhosts file on a UNIX system resides in the home directory of a local user account, an entry in a UNIX .rhosts file need not include the local username; the local username is determined from the user account. To provide equivalent support on a router, specify the local username along with the remote host and remote username in each authentication database entry that you configure.
For a remote user to be able to execute commands on the router in its capacity as a server, the local username, host address or name, and remote username sent with the remote client request must match values configured in an entry in the local authentication file.
A remote client host should be registered with DNS. The Cisco IOS software uses DNS to authenticate the remote host's name and address. Because DNS can return several valid IP addresses for a host name, the Cisco IOS software checks the address of the requesting client against all of the IP addresses for the named host returned by DNS. If the address sent by the requester is considered invalid, that is, it does not match any address listed with DNS for the host name, then the software will reject the remote-command execution request.
Note that if no DNS servers are configured for the router, then that device cannot authenticate the host in this manner. In this case, the Cisco IOS software sends a broadcast request to attempt to gain access to DNS services on another server. If DNS services are not available, you must use the no ip domain-lookup command to disable the attempt to gain access to a DNS server by sending a broadcast request.
If DNS services are not available and, therefore, you bypass the DNS security check, the software will accept the request to remotely execute a command only if all three values sent with the request match exactly the values configured for an entry in the local authentication file.
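The following Python model ties together the two checks described on this page: the basic DNS security check from the ip rcmd domain-lookup guidelines (address to name, name back to addresses, refuse on mismatch) and the exact three-way match against the local authentication database described above. It is an added example, not Cisco IOS code. The request byte layout follows the BSD rcmd(3)/rshd(8) convention (stderr port, client user, server user, command, each NUL-terminated); the DNS tables, the configuration excerpt, the host names and the assumption that a bare enable keyword means level 15 are all constructed for this demonstration.

```python
"""Server-side model of the RCMD (rsh/rcp) access check described above.

Added example, not Cisco IOS code.  The request byte layout follows the BSD
rcmd(3)/rshd(8) convention (stderr port, client user, server user, command,
each NUL-terminated).  The DNS tables and the configuration excerpt below
are constructed for this demonstration.
"""
import re
from dataclasses import dataclass

# Constructed DNS data (assumption): one reverse zone and the matching forward zone.
PTR = {"172.16.101.101": "nms.example.net",   # consistent forward/reverse
       "172.16.101.102": "lab.example.net"}   # stale PTR: forward zone has moved on
A = {"nms.example.net": ["172.16.101.101", "10.0.0.5"],   # DNS may return several A records
     "lab.example.net": ["172.16.101.200"]}


def dns_security_check(client_ip: str) -> bool:
    """The 'basic DNS security check': address -> name (PTR) -> addresses (A),
    accept only if the original address is among those returned.
    No PTR record, or no matching A record, means the request is refused."""
    name = PTR.get(client_ip)
    return name is not None and client_ip in A.get(name, [])


@dataclass(frozen=True)
class AuthEntry:
    local_user: str    # account on the router the client asks to run as
    host: str          # remote host, as configured (IP address here)
    remote_user: str   # account on the remote host the client claims
    level: int         # 0 = user EXEC only; >0 = 'enable [level]' was given


_ENTRY = re.compile(r"^ip rcmd remote-host (\S+) (\S+) (\S+)"
                    r"(?P<enable> enable(?: (?P<level>\d+))?)?$")


def parse_auth_db(config: str) -> list:
    """Build the local authentication database from 'ip rcmd remote-host' lines.
    'enable' with no level is taken as level 15 (assumption about the default)."""
    entries = []
    for line in config.splitlines():
        m = _ENTRY.match(line.strip())
        if not m:
            continue
        level = int(m.group("level") or 15) if m.group("enable") else 0
        entries.append(AuthEntry(m.group(1), m.group(2), m.group(3), level))
    return entries


def encode_rcmd_request(stderr_port: int, client_user: str,
                        server_user: str, command: str) -> bytes:
    """What a BSD-style rsh/rcp client sends right after the TCP handshake
    to port 514: '<stderr port>\\0<client user>\\0<server user>\\0<command>\\0'.
    A port of 0 means no separate stderr connection."""
    fields = [str(stderr_port), client_user, server_user, command]
    return b"".join(f.encode() + b"\0" for f in fields)


def authorize(request: bytes, client_ip: str, auth_db: list,
              dns_lookup: bool = True) -> tuple:
    """Decide whether the router (as rsh/rcp server) services the request.
    Returns (accepted, privilege level, reason).  With dns_lookup=False
    (the effect of 'no ip rcmd domain-lookup' or 'no ip domain-lookup')
    only the exact three-way match against the database remains."""
    parts = request.split(b"\0")
    if len(parts) != 5 or parts[4] != b"":
        return (False, 0, "malformed request")
    _stderr_port, remote_user, local_user, _command = (p.decode() for p in parts[:4])
    # Check 1: the DNS security check, done before any data is sent back to the client.
    if dns_lookup and not dns_security_check(client_ip):
        return (False, 0, "DNS check failed")
    # Check 2: local username, requesting address and remote username must all match an entry.
    for e in auth_db:
        if (e.local_user, e.host, e.remote_user) == (local_user, client_ip, remote_user):
            return (True, e.level, "ok")
    return (False, 0, "no matching entry")


# Constructed configuration excerpt for the usage below.
CONFIG = """\
ip rcmd rsh-enable
ip rcmd remote-host router1 172.16.101.101 netadmin3 enable
ip rcmd remote-host router1 172.16.101.102 netadmin4
"""

if __name__ == "__main__":
    db = parse_auth_db(CONFIG)
    req = encode_rcmd_request(0, "netadmin3", "router1", "show version")
    print(authorize(req, "172.16.101.101", db))          # (True, 15, 'ok')
    print(authorize(req, "172.16.101.102", db))          # stale PTR: DNS check failed
    print(authorize(req, "172.16.101.102", db, False))   # netadmin3 is not netadmin4
    print(authorize(req, "10.0.0.5", db))                # no PTR record: refused
```

The second and fourth calls show the two ways the DNS check refuses a client whose address is otherwise plausible: a reverse record that no longer agrees with the forward zone, and an address with no reverse record at all. The third call shows that once DNS is bypassed, the database match is all that remains, so a mismatch in any one of the three values is enough to refuse the request.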
Examples
The following example allows the remote user named netadmin3 on a remote host with the IP address 172.16.101.101 to execute commands on router1 using the rsh or rcp protocol. User netadmin3 is allowed to execute commands in privileged EXEC mode.
ip rcmd remote-host router1 172.16.101.101 netadmin3 enable
Related Commands
ip rcmd remote-username
To configure the remote username to be used when requesting a remote copy using rcp, use the ip rcmd remote-username global configuration command. To remove from the configuration the remote username, use the no form of this command.
ip rcmd remote-username username
no ip rcmd remote-username username
Syntax Description
Defaults
If you do not issue this command, the Cisco IOS software sends the remote username associated with the current tty process, if that name is valid, for rcp copy commands. For example, if the user is connected to the router through Telnet and the user was authenticated through the username command, then the software sends that username as the remote username.
Note The remote username must be associated with an account on the destination server.
If the username for the current tty process is not valid, the Cisco IOS software sends the host name as the remote username. For rcp boot commands, the Cisco IOS software sends the access server host name by default.
Note For Cisco, tty lines are commonly used for access services. The concept of tty originated with UNIX. For UNIX systems, each physical device is represented in the file system. Terminals are called tty devices (tty stands for teletype, the original UNIX terminal).
Command Modes
Global configuration
Command History
Usage Guidelines
The rcp protocol requires that a client send the remote username on an rcp request to the server. Use this command to specify the remote username to be sent to the server for an rcp copy request. If the server has a directory structure, as do UNIX systems, all files and images to be copied are searched for or written relative to the directory of the remote user's account.
Note Cisco IOS Release 10.3 added the ip keyword to rcmd commands. If you are upgrading from Release 10.2 to Release 10.3 or a later release, this keyword is automatically added to any rcmd commands you have in your Release 10.2 configuration files.
Examples
The following example configures the remote username to netadmin1:
ip rcmd remote-username netadmin1
Related Commands
ip rcmd rsh-enable
To configure the router to allow remote users to execute commands on it using rsh, use the ip rcmd rsh-enable global configuration command. To disable a router that is enabled for rsh, use the no form of this command.
ip rcmd rsh-enable
no ip rcmd rsh-enable
Syntax Description
This command has no arguments or keywords.
Defaults
To ensure security, the router is not enabled for rsh by default.
Command Modes
Global configuration
Command History
Usage Guidelines
Remote Shell (rsh), used as a client process, gives users the ability to remotely obtain router information (such as status) without having to connect to the router and then disconnect. This is valuable when looking at many statistics on many different routers.
Use this command to enable the router to receive rsh requests from remote users. In addition to issuing this command, you must create an entry for the remote user in the local authentication database to allow a remote user to execute rsh commands on the router.
The no ip rcmd rsh-enable command does not prohibit a local user of the router from executing a command on other routers and UNIX hosts on the network using rsh. The no form of this command only disables remote access to rsh on the router.
Examples
The following example enables a router as an rsh server:
ip rcmd rsh-enable
Related Commands
Command | Description
---|---
ip rcmd remote-host | Creates an entry for the remote user in a local authentication database so that remote users can execute commands on the router using rsh or rcp.
ip rcmd source-interface
To force rcp or rsh to use the IP address of a specified interface for all outgoing rcp/rsh communication packets, use the ip rcmd source-interface command in global configuration mode. To disable a previously configured ip rcmd source-interface command, use the no form of this command.
ip rcmd source-interface interface-id
no ip rcmd source-interface interface-id
Syntax Description
Defaults
The address of the interface closest to the destination is used as the source interface for rcp/rsh communications.
Command Modes
Global configuration
Command History
Usage Guidelines
If this command is not used, or if the interface specified in this command is not available (not up), the Cisco IOS software uses the address of the interface closest to the destination as the source address.
Use this command to force the system to tag all outgoing rcp/rsh packets with the IP address associated with the specified interface. This address is used as the source address as long as the interface is in the up state.
This command is especially useful in cases where the router has many interfaces, and you want to ensure that all rcp and/or rsh packets from this router have the same source IP address. A consistent address is preferred so that the other end of the connection (the rcp/rsh server or client) can maintain a single session. The other benefit of a consistent address is that an access list can be configured on the remote device.
The specified interface must have an IP address associated with it. If the specified interface does not have an IP address or is in a down state, then rcp/rsh reverts to the default. To avoid this, add an IP address to the interface or subinterface and bring it to the up state.
Examples
In the following example, the Loopback0 interface is assigned an IP address of 220.144.159.200, and the ip rcmd source-interface command is used to specify that the source IP address for all rcp/rsh packets will be the IP address assigned to the Loopback0 interface:
interface Loopback0
description Loopback interface
ip address 220.144.159.200 255.255.255.255
no ip directed-broadcast
!
. . .
clock timezone GMT 0
ip subnet-zero
no ip source-route
no ip finger
ip rcmd source-interface Loopback0
ip telnet source-interface Loopback0
ip tftp source-interface Loopback0
ip ftp source-interface Loopback0
ip ftp username cisco
ip ftp password shhhhsecret
no ip bootp server
ip domain-name net.galaxy
ip name-server 220.144.159.1
ip name-server 220.144.159.2
ip name-server 219.10.2.1
!
. . .