<div dir="ltr">I wrote an article on <a href="http://tacacs.org">tacacs.org</a> on security rancid. However, <a href="http://tacacs.org">tacacs.org</a> appears to be gone. Pretty easy to lock down with do_auth. As for local passwords, if tacacs is properly configured, they are useless. <div><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Dec 16, 2014 at 1:30 PM, Daniel Anderson <span dir="ltr"><<a href="mailto:dan.w.anderson@gmail.com" target="_blank">dan.w.anderson@gmail.com</a>></span> wrote:<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I would also recommend configuring/using a dedicated network (TACACS/RADIUS) account that only has permissions to run the commands that RANCID uses so that if someone does get the .cloginrc file somehow that it's harder for them to make config changes on the devices.<br>
<br>
--<br>
Dan<br>
<div class="HOEnZb"><div class="h5"><br>
> On Dec 16, 2014, at 2:55 PM, Alan McKinnon <<a href="mailto:alan.mckinnon@gmail.com">alan.mckinnon@gmail.com</a>> wrote:<br>
><br>
>> On 16/12/2014 16:43, Jason Humes wrote:<br>
>> Hi<br>
>> Are there are tips or best practices for securing a RANCID installation...the clogin files, the backed up configs, etc.<br>
>><br>
>> Thanks for any advice! :)<br>
><br>
><br>
> Others have explained well how to secure the data rancid produces to<br>
> avoid information leakage.<br>
><br>
> I would add that protecting .cloginrc is very very important as it<br>
> contains login and enable passwords for the admin account on all your<br>
> network devices.<br>
><br>
> Make sure that only authorized sysadmins have login access to the rancid<br>
> host, and that the rancid user's home directory is set with very<br>
> restricted permissions (assuming a user called rancid):<br>
><br>
> chown -R rancid ~rancid<br>
> chmod -R go-rwx ~rancid<br>
><br>
><br>
> Considering what can happen if .cloginrc leaks, it's a good idea to run<br>
> rancid on a dedicated single-purpose host. Rancid is very light on<br>
> resources, a basic VM with 1 cpu and 512M RAM does the job admirably<br>
><br>
><br>
><br>
> --<br>
> Alan McKinnon<br>
> <a href="mailto:alan.mckinnon@gmail.com">alan.mckinnon@gmail.com</a><br>
><br>
> _______________________________________________<br>
> Rancid-discuss mailing list<br>
> <a href="mailto:Rancid-discuss@shrubbery.net">Rancid-discuss@shrubbery.net</a><br>
> <a href="http://www.shrubbery.net/mailman/listinfo/rancid-discuss" target="_blank">http://www.shrubbery.net/mailman/listinfo/rancid-discuss</a><br>
_______________________________________________<br>
Rancid-discuss mailing list<br>
<a href="mailto:Rancid-discuss@shrubbery.net">Rancid-discuss@shrubbery.net</a><br>
<a href="http://www.shrubbery.net/mailman/listinfo/rancid-discuss" target="_blank">http://www.shrubbery.net/mailman/listinfo/rancid-discuss</a><br>
</div></div></blockquote></div></div>
<pre>
E-Mail to and from me, in connection with the transaction
of public business, is subject to the Wyoming Public Records
Act and may be disclosed to third parties.