SSH Authentication

Andrew Partan asp at
Sun Dec 30 17:04:21 UTC 2001

On Sat, Dec 29, 2001 at 11:49:06PM -0800, Romildo Wildgrube wrote:
> I have rancid running and collecting the configs without problems but I 
> don't like the idea of having the cleartext password stored in the 
> .cloginrc file. Is there another way to get the configs without having 
> the clear text password? If so, how can it be inplemented?
> Any help will be much appreciated.

Junipers do this just fine - add your ssh keys to your user
authentication.  Then, if the ssh key itself does not need a
password, you have pasword-less logins.  [Juniper does this with
a per-user ssh authorized_keys file.]

As far as I know, no other router has the ability to have per user
ssh authorized keys.

So every other box requires a user & a password to log in - and
that password has to be kept somewhere.

We could keep the passwords in a person's head, but that is not
useful for automated tools.  We could keep them in an encrypted
file, but then rancid would need to know the password to decrypt
that file, so we are back to where we started - using a mode 600
file to keep the passwords in and relying on Unix security to
protect these secrets.

If anyone has thoughts on how to do this better, please let us
know.  So far I haven't thought of anything useful.

Some folks have tried to set up their router configs so that the
rancid user has read-only perms on the router (it can only run its
commands & can't change anything).  If folks have any configs to
do this, we could add these notes to rancid.


More information about the Rancid-discuss mailing list