[f-nsp] Disabling debug?

Niels Bakker niels=foundry-nsp at bakker.net
Wed Nov 1 15:29:56 EST 2006


* jabley at ca.afilias.info (Joe Abley) [Wed 01 Nov 2006, 21:12 CET]:
>I think it's a reasonable question to put to vendors as to why such 
>commands like "debug all" exist at all.
>
>The only time those commands are safe to execute is when the router 
>is doing precisely nothing at all, in which case there's arguably no 
>value to be gained from trying to debug anything in the first place.

They exist because there are situations in which you need them.

For the cases that you don't and/or don't trust yourself not to find 
them, vendors offer various ways to restrict the commands you can 
execute, e.g. via TACACS, or configured privilege levels.

The holders against foot-shooting are out there.  It's up to you to 
implement them. (And to complain to your vendor if you find them lacking.)


	-- Niels.
