<div dir="ltr">Use tacacs - use do_auth. Make a rancid user that can only type a few commands and only when logged in from that IP. If somebody gets my rancid password, it's practically useless. <div><br></div><div><a href="http://www.tacacs.org/tacacsplus/2011/03/02/securing-rancid-with-do_auth">http://www.tacacs.org/tacacsplus/2011/03/02/securing-rancid-with-do_auth</a><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, May 5, 2015 at 12:38 PM, Matt Almgren <span dir="ltr"><<a href="mailto:matta@surveymonkey.com" target="_blank">matta@surveymonkey.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word;color:rgb(0,0,0);font-size:14px;font-family:Calibri,sans-serif">
<div>
<div>
<div><br>
</div>
<div>
<div>BTW, I have read some interesting replies in the mailing list archives:</div>
<div><br>
</div>
<div>
<div><b>If your poller is not secure, it doesn't matter what authentication method you use.</b> So while you could for some platforms set up .shosts or RSA authorized keys, it doesn't really accomplish anything.</div>
<div><br>
</div>
<div>And</div>
<div><br>
</div>
<div>If something automated is going to log into a router, it needs an authentication credential. That's going to have to be stored somewhere. If you store it encrypted, then you're going to need to store the decryption key somewhere. <b>All that does is
rearrange the exposure, not solve it.</b></div>
<div style="font-family:Calibri"><br>
</div>
<div style="font-family:Calibri">And</div>
<div style="font-family:Calibri"><br>
</div>
<div style="font-family:Calibri">
<pre><font face="Calibri">If you <b>use a TACACS server for authentication, then you could do some interesting things to make the passwords RANCID uses less useful to outsiders </b>- for example, the TACACS server could only allow the RANCID username to be used from the RANCID host, or during certain times of day, or only allow it to execute a limited subset of commands.</font></pre>
<div><font face="Calibri"><br>
</font></div>
</div>
</div>
<div><br>
</div>
<div>I’m just wondering if there’s any new information or ideas. </div>
<div><br>
</div>
<div>Thanks, Matt</div>
</div>
</div>
</div>
<div><br>
</div>
<span>
<div style="font-family:Calibri;font-size:11pt;text-align:left;color:black;BORDER-BOTTOM:medium none;BORDER-LEFT:medium none;PADDING-BOTTOM:0in;PADDING-LEFT:0in;PADDING-RIGHT:0in;BORDER-TOP:#b5c4df 1pt solid;BORDER-RIGHT:medium none;PADDING-TOP:3pt">
<span style="font-weight:bold">From: </span>Matt Almgren <<a href="mailto:matta@surveymonkey.com" target="_blank">matta@surveymonkey.com</a>><br>
<span style="font-weight:bold">Date: </span>Tuesday, May 5, 2015 at 11:11 AM<br>
<span style="font-weight:bold">To: </span>"<a href="mailto:rancid-discuss@shrubbery.net" target="_blank">rancid-discuss@shrubbery.net</a>" <<a href="mailto:rancid-discuss@shrubbery.net" target="_blank">rancid-discuss@shrubbery.net</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [rancid] Alternatives to cleartext password in .cloginrc ?<br>
</div><span class="">
<div><br>
</div>
<div>
<div style="word-wrap:break-word;color:rgb(0,0,0);font-size:14px;font-family:Calibri,sans-serif">
<div>
<div>
<div><br>
</div>
</div>
</div>
<span>
<div>
<div style="word-wrap:break-word;color:rgb(0,0,0);font-size:14px;font-family:Calibri,sans-serif">
<div>
<div>
<div>What are the available options, if any, to using non-cleartext passwords for Rancid in the .cloginrc file? We also use TAC+ as the backend AAA. </div>
<div><br>
</div>
<div>This wasn’t a huge concern for me until I realized that it goes against some of the PCI compliance regulations about storing passwords in the clear. </div>
<div>
<div><br>
</div>
<div>Thanks, Matt</div>
</div>
</div>
</div>
</div>
</div>
</span></div>
</div>
</span></span>
</div>
<br>_______________________________________________<br>
Rancid-discuss mailing list<br>
<a href="mailto:Rancid-discuss@shrubbery.net">Rancid-discuss@shrubbery.net</a><br>
<a href="http://www.shrubbery.net/mailman/listinfo/rancid-discuss" target="_blank">http://www.shrubbery.net/mailman/listinfo/rancid-discuss</a><br></blockquote></div><br></div>
<br>
<br>E-Mail to and from me, in connection with the transaction <br>of public business, is subject to the Wyoming Public Records <br>Act and may be disclosed to third parties.<br>
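<div>As an added example, not taken from the thread above nor from the do_auth project or the linked tacacs.org article: the two configuration fragments below show the restriction the reply describes, a TACACS+ (shrubbery tac_plus) user whose authorization requests are handed to do_auth, and a do_auth policy that accepts the rancid account only from the poller's address and only for the read-only commands rancid sends. The username, the poller IP 192.0.2.10, the file paths, the log file and the command list are assumptions for this example; the command list in particular has to be matched against what rancid's login script actually issues for each platform, and the do_auth command-line flags vary between do_auth versions.</div>

```ini
# --- tac_plus.conf (shrubbery tac_plus), user stanza for the poller account ---
# Example values only. tac_plus authenticates the account and then calls
# do_auth for every authorization request; the restriction itself lives in
# do_auth.ini, so tac_plus's own authorization is left permissive here.
user = rancid {
    login = des <crypt-hash-placeholder>
    pap   = des <crypt-hash-placeholder>
    default service = permit
    after authorization "/usr/bin/python /usr/local/bin/do_auth.py -i $address -u $user -d $name -l /var/log/do_auth.log -f /etc/do_auth.ini"
}

# --- /etc/do_auth.ini ---
# Every entry is a regular expression matched against the client IP
# ($address), the device name ($name) and the command being authorized.
[users]
rancid =
    rancid_group

[rancid_group]
# Only the rancid poller itself may use this account (assumed address);
# a login with the same password from any other host is refused.
host_allow =
    192\.0\.2\.10
# The account may be used against every device rancid polls.
device_permit =
    .*
# Read-only commands only: the credential cannot change configuration
# even if it is recovered from .cloginrc. Assumed list; adjust per platform.
command_permit =
    terminal length 0
    terminal width .*
    show .*
    dir .*
    exit
```

<div>Because the IP and command checks happen on the TACACS+ server, the cleartext entry in .cloginrc stays exactly as rancid needs it, but what the credential can do is reduced to what the poller does anyway. The do_auth log named with -l is also the place to watch for this account appearing from any host other than the poller, which is the signal that the .cloginrc password has leaked.</div>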