can you use SecurID with rancid?

Justin Grote justin at
Tue May 10 03:53:53 UTC 2005

>  We ("real people") use CRYPTOCard access to our various devices (via the
>TACACS+ hooks). SSH is encouraged, but in cases where it isn't available,
>on the trusted parts of our network, there's an occasional Telnet session.
>RANCID uses a fixed (per-device) password and always accesses the devices
>via SSH, as long as the devices are SSH-capable. There are some older boxes
>that don't do SSH, but as we control the infrastructure between the RANCID
>box and those devices, we grin and bear it. SSH is a must-have on any new
>device purchases, however.
We do similar for rancid:
A few of our Cisco edge routers run IOS 12.4 now, which has SSHv2
support (including RSA keypairs, finally). These get connected to with
rancid using individual public keys for each router.
Our Quagga (Cisco-like Linux routers) also use SSHv2.
For the non-SSH routers, we use telnet and a TACACS username that is
restricted to the rancid host's IP only, and is only allowed to run the
show commands required by clogin and the "show run | exclude" password
command (which we modified clogin to run instead of show run), which
removes the easily breakable password lines since we have a per-device
password as a failsafe if our TACACS is down.

I'm so glad Cisco finally got a good implementation of SSH into 12.4. I
know they have two-year release cycles as a rule, but this was so badly
needed in 12.3.

Justin Grote
Network Architect
JWG Networks

More information about the Rancid-discuss mailing list