David Williamson davidw at certaintysolutions.com
Thu Oct 18 16:19:11 UTC 2001

On Thu, Oct 18, 2001 at 09:09:07AM -0700, john heasley wrote:
> > An option to not strip the passwords would also be useful, although I
> is this something folks really want?

Having suggested it, I'd admit that I'm not certain it's what I want.
I have some network gear that's not currently watched by rancid.  Some of
that gear is so far out of production that I really don't care about
tracking actual config changes.  It would be nice to have a repository
of those configs, however, for disaster recovery.  And for that, it
would be nice to have the whole config, intact, including passwords.

This hasn't bitten me with the access or enable passwords, but having
the tacacs+ key stripped out has bitten me a couple of times during a
recovery.  It would probably be ideal if there was an option to encrypt
rancid's output, rather than stripping anything our of the config.
Of course, the key would probably have to go into .cloginrc, which defeats
the point.  There's probably not a better solution to this problem than
simply stripping the passwords, as is done now.

Sorry to ramble on, but I'm really on the fence on this topic.  Sometimes
I think it would be nice to have everything directly in the stored config.
Other times I think it's very very good to not have the passwords exposed.

For those who don't know why it's a good thing to keep the passwords
stripped, here's a perl script to decrypt your console and tty passwords:

perl -ne 'if (/^(.* password )7 ([0-9A-F]*)$/) { print $1; $enc = substr("dsfd;k
foA,.iyewrkldJKDHSUB",substr($2,0,2)); $pw = substr($2,2); foreach $i (0 .. (len
gth($pw)/2)-1) { print pack("c",hex(substr($pw,$i*2,2))^unpack("c",substr($enc,$
i,1))); } print "\n"; } else { print; }'

It's that easy.  (Okay, I got that from someone..I don't speak perl that
well. :)

Hmm...what to do...what to do....


More information about the Rancid-discuss mailing list