can you use SecurID with rancid?
Terry Kennedy
terry at tmk.com
Tue May 10 02:48:42 UTC 2005
> Is it possible to integrate any of the one-time password systems
> (RSA, Secure Computing, Cryptocard, etc) with rancid?
Even if this could be done, would you really want to? It would involve
having a challenge responder which had full knowledge of the private keys,
etc. used by the one-time password system.
Much of the appeal of the one-time password system is that users can't
easily leave the password lying around - they carry a token on their
person. Leaving the algorithm and keys on the RANCID box might be more of a
risk than some admins might want.
Also, depending on what underlying method is used (telnet, for example),
regular RANCID sessions to a box would let an attacker build up a nice set
of challenge/response pairs, which might make an attack easier. In the case
of a single host, the attacker gets 24 known-good challenge/response pairs
per day. If multiple boxes share the same algorithm / keys, the number of
good pairs goes up very rapidly.
I'm not saying it isn't a good idea for your specific application; I'm
just explaining why I never bothered to add CRYPTOCard support to it (we're
a heavy user of these cards here).
Terry Kennedy http://www.tmk.com
terry at tmk.com New York, NY USA