<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>It would be interesting to know if:</p>
<p>you can restore the shared-secret from any of the various
outputted ones<br>
you can only restore from the latest one<br>
you can restore without having it at all.</p>
<p>Do you have any test devices to confirm?</p>
<p>It strikes me as slightly problematic from a security perspective
that it would be possible to restore from any of these, because it
means that you can just keep dumping the config over and over and
over again and get a large sampling of these encrypted strings. If
they are all equivalent, it implies that the key space may not be
sufficient since the more you print it, there's a lot of
information leakage.<br>
</p>
<br>
<div class="moz-cite-prefix">On 10/5/2017 5:08 AM, Alex DEKKER
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:a169dccb-510f-226e-f8d0-bdd5dab0db4f@ale.cx">On 04/10/17
21:50, Dan Anderson wrote:
<br>
<blockquote type="cite">Rather than using a file that's been
transferred onto the system, you may be able to have RANCID log
in via SSH and run "config\rshow current-config" to dump the
config. I'm guessing that there's some other commands that may
be useful, but "show current-config" from config mode is how I
typically get config copies from Sonicwall firewalls when I'm
doing firewall migrations for my customers.
<br>
</blockquote>
<br>
I have started a snwlrancid based on the Mikrotik config fetcher.
I guess I should just throw it up somewhere for others to have a
look at. One thing I've noticed is that the obscured encryption
keys in VPN tunnels change *every time* the config is polled:
<br>
<br>
<br>
< shared-secret
4,c99c5ca7b2d0907883e8c6eacb251bfc189265ff041f4941cfaca1a3f3371511611bef8ee56affb2e091204a7c93f8c0d976d2cb3d251b4b940b0fafdb0d8f6812b8c067e1d1d3683db2f6d1247cf5c670171ba6f72e6bc1b62de89b79d23512ee6abf58b5f6ed6dcfb492a4a9d1800f9234e12899b2bc7f7eb4ccf865b478244f0b1a80ffd91035<br>
---
<br>
> shared-secret
4,aa138a1f3e053d8fe0efbc3089e2be854a1a9d31fc6e3c26165674b26823f2e32c2e2ecf57fd16e74af093c9e6d35923be216133728061756144089c6ef3cfefc4f1f7bd270e41010e765b1afaed41f2d3e07950c3a3bf9a96264bbf7d9e17ad4280062cbdf2fa1f8b1071423186d5bb232e4424f50493c3ef64b34c7645305a56669a379d5abbba<br>
<br>
So long as it works when it's pasted back in to the firewall then
great, but obviously this is going to be absurdly noisy unless
it's replaced with a placeholder with some post-processing. If
it's replaced with a placeholder then the resulting config cannot
be put back in to the firewall without some tweaking. Personally,
working in a team of people who manage Sonicwalls, partial-RANCID
is better than no RANCID at all.
<br>
<br>
The main roadblock I hit was that the word "exit" just seems to
move around at random, and it's not the same "exit" that does
this, there are loads of exits in the config and any one of them
can apparently do it:
<br>
<br>
Index: configs/barkminisonic.rancid
<br>
===================================================================
<br>
retrieving revision 1.21
<br>
diff -u -4 -r1.21 minisonic.rancid
<br>
@@ -5,8 +5,9 @@
<br>
rom-version 5.0.5.6
<br>
model "NSA 220"
<br>
serial-number C0EA-E42D-XXXX
<br>
last-modified-by "admin 192.168.253.16:X0 UI 2017/09/10
16:07:22"
<br>
+ exit
<br>
administration
<br>
firewall-name MiniSonic
<br>
no auto-append-suffix
<br>
admin-name admin
<br>
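<br>
Review bot: the "+ exit" inserted between the "last-modified-by" line and "administration" is the wandering "exit" the message describes, not a configuration change: the "last-modified-by" timestamp (2017/09/10 16:07:22) is identical on both sides of the hunk, so the device itself reports no edit since revision 1.21. A revision whose only changes are relocated bare "exit" lines should be treated as collection noise and filtered before the diff is committed, and comparing "last-modified-by" against the previous revision is a cheap way to decide whether a diff like this deserves an alert at all.
<br>
<br>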
@@ -20,9 +21,9 @@
<br>
password constraints-apply-to limited-admins
<br>
password constraints-apply-to local-users
<br>
idle-logout-time 25
<br>
no user-lockout
<br>
- admin-preempt-action goto-non-configexit
<br>
+ admin-preempt-action goto-non-config
<br>
admin-preempt-inactivity-timeout 10
<br>
no inter-admin-messaging
<br>
no web-management allow-http
<br>
web-management https-port 443
<br>
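<br>
Review bot: "goto-non-configexit" becoming "goto-non-config" shows the same stray "exit" glued onto the end of an unrelated line rather than standing on its own, which suggests the word is arriving wherever the captured session output happened to break (a missing line terminator in the capture) rather than the device re-ordering its config. A post-processing filter that only drops whole lines equal to "exit" would miss this case, so the normaliser should also catch a known keyword with "exit" appended, as in "goto-non-configexit"; otherwise the revision gets flagged as a real change to "admin-preempt-action".
<br>
<br>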
<br>
<br>
I don't have time to work on this at the moment but I will try and
make some time to put what I've done so far on Github or similar.
<br>
<br>
alexd
<br>
<br>
_______________________________________________
<br>
Rancid-discuss mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:Rancid-discuss@shrubbery.net">Rancid-discuss@shrubbery.net</a>
<br>
<a class="moz-txt-link-freetext" href="http://www.shrubbery.net/mailman/listinfo/rancid-discuss">http://www.shrubbery.net/mailman/listinfo/rancid-discuss</a><br>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<table>
<tbody>
<tr>
<td style="padding-left: 20px" width="90%">Doug Hughes<br>
Keystone NAP<br>
Fairless Hills, PA<br>
1.844.KEYBLOCK (539.2562)</td>
<td style="align: right;padding-right: 20px"><img
src="cid:part1.D1161DAD.C6AFB42F@keystonenap.com">
</td>
</tr>
</tbody>
</table>
</div>
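<p>The placeholder post-processing proposed in the quoted message, written out as an added example; it is not part of the thread or of the snwlrancid script, and it is a stand-alone Python filter rather than one of RANCID's Perl filters. It assumes the config is the plain text printed by "show current-config" and that obscured IPsec keys appear as <tt>shared-secret 4,&lt;hex&gt;</tt>, matching the two blobs quoted above (reading the leading "4" as an encoding-type marker is an assumption). The sample polls are constructed, with shortened hex. Masking keeps the diff quiet while the number of tunnels and every other line still show up when they really change.</p>

```python
"""Normalise SonicWall config dumps so successive RANCID polls diff cleanly.

Added example, not the snwlrancid code from the list. Assumes obscured VPN
keys are printed as "shared-secret 4,<hex>" (the "4," prefix as in the two
blobs quoted in the thread; its meaning is an assumption).
"""
import difflib
import re

# "shared-secret 4,<hex>": group 1 keeps indentation and the keyword,
# group 2 the numeric prefix, the hex blob is the part that rotates.
SHARED_SECRET_RE = re.compile(r'^(\s*shared-secret\s+)(\d+),[0-9a-fA-F]+\s*$')

# Same marker RANCID's own filters substitute for passwords.
PLACEHOLDER = "<removed>"


def mask_shared_secrets(config_text: str) -> tuple[str, int]:
    """Replace every obscured shared-secret value with PLACEHOLDER.

    Returns the rewritten config and the number of secrets masked, so a
    caller can check that the tunnel count is unchanged between polls: an
    added or removed tunnel still shows in the diff, only the rotating
    ciphertext is hidden.
    """
    out = []
    masked = 0
    for line in config_text.splitlines():
        m = SHARED_SECRET_RE.match(line)
        if m:
            out.append(f"{m.group(1)}{PLACEHOLDER}")
            masked += 1
        else:
            out.append(line)
    return "\n".join(out) + "\n", masked


def polls_differ(poll_a: str, poll_b: str) -> list[str]:
    """Lines that still differ between two polls after masking.

    Only the +/- content lines of a zero-context unified diff are returned;
    an empty list means the two polls are equivalent once keys are masked.
    """
    a, _ = mask_shared_secrets(poll_a)
    b, _ = mask_shared_secrets(poll_b)
    return [
        line
        for line in difflib.unified_diff(a.splitlines(), b.splitlines(),
                                         lineterm="", n=0)
        if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))
    ]


# Constructed sample: two polls of one tunnel where only the obscured key
# blob differs, exactly the noise described on the list.
POLL_1 = """vpn
policy tunnel "to-branch"
gateway-primary 203.0.113.10
shared-secret 4,c99c5ca7b2d0907883e8c6eacb251bfc
exit
exit
"""
POLL_2 = POLL_1.replace("4,c99c5ca7b2d0907883e8c6eacb251bfc",
                        "4,aa138a1f3e053d8fe0efbc3089e2be85")

if __name__ == "__main__":
    masked, count = mask_shared_secrets(POLL_1)
    print(f"masked {count} shared-secret value(s):\n{masked}")
    print("residual diff between polls:", polls_differ(POLL_1, POLL_2) or "none")
```

<p>Run the filter over each dump before RANCID commits it; as the quoted message notes, the masked copy can no longer be pasted straight back into the firewall, so keep the unmasked dump somewhere with tighter access if restores matter to you. The masking changes nothing about the device re-encrypting the key on every poll; it only stops the rotating ciphertext from burying real changes in the revision history.</p>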
</body>
</html>