can you use SecurID with rancid?

Jeff Aitken jaitken at aitken.com
Tue May 10 11:57:17 UTC 2005


On Mon, May 09, 2005 at 08:23:01PM -0700, Mark Boolootian wrote:
> All good points, but where am I left if I want to protect my network
> gear with OTPs and still run rancid?  It seems they are mutually 
> incompatible.  I can create a single instance of a reusable password to be
> used for rancid logins, but that doesn't improve the situation.

Presumably rancid won't be the only tool for which you'll need to
solve this problem, so you do want to consider just how many holes
and backdoors you go poking in things.  For example, do you script
config changes?  What about allowing access by third parties
(contractors, vendors, whatever)?  How will you roll out a global
network change if you have to do an OTP dance to get into each and
every router?  As you note, if you have a user who doesn't have to
use OTPs, then this becomes a security through obscurity exercise
(i.e., hope the attacker doesn't guess/find out about your "special"
account).

An alternative method is to limit VTY access to network devices to
only a few trusted hosts, then make those hosts "more" secure.  Use
ACLs to limit VTY access to network devices to only two hosts, A
and B.  Next, require that users pass an OTP challenge, as well as
supply a standard password, in order to access A or B.  Then run
rancid and whatever other tools you need on host A or host B. 
Ultimately, this means your network security depends on the
integrity of the two hosts, which might be a better approach for 
you (or might not be, I don't know).

Obviously, there are a lot of things you'll need to do in order to
secure & maintain hosts A & B (firewalls, IDSes, having more than two
hosts, and so on).


--Jeff
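The "two trusted hosts" design above only holds if every device actually carries the VTY ACL. Here is an added example (not from the thread or from rancid itself) in Python: a small audit that walks IOS-style configs of the kind rancid collects and reports any vty line that is not pinned to hosts A and B by an inbound access-class; the host addresses, ACL name and sample configs are constructed placeholders.

```python
import re

# Constructed placeholders for hosts A and B (RFC 5737 documentation range).
TRUSTED_HOSTS = {"192.0.2.10", "192.0.2.11"}

# Constructed IOS-style snippets standing in for configs rancid has collected.
GOOD_CONFIG = """\
ip access-list standard VTY-MGMT
 permit host 192.0.2.10
 permit host 192.0.2.11
 deny any log
!
line vty 0 4
 access-class VTY-MGMT in
"""
NO_ACL_CONFIG = "line vty 0 4\n login local\n"
LOOSE_CONFIG = GOOD_CONFIG.replace(" deny any log", " permit host 198.51.100.7\n deny any log")

def stanzas(config):
    """Yield (header, [indented body lines]) for each top-level IOS stanza."""
    header, body = None, []
    for line in config.splitlines() + [""]:  # empty sentinel flushes the last stanza
        if line.startswith(" "):
            body.append(line.strip())
            continue
        if header is not None:
            yield header, body
        header, body = (line.strip() or None), []

def audit_vty(config, trusted=TRUSTED_HOSTS):
    """Return findings; an empty list means every vty line admits only A and B."""
    blocks = list(stanzas(config))
    acls, findings = {}, []
    for header, body in blocks:          # pass 1: collect named standard ACLs
        m = re.match(r"ip access-list standard (\S+)$", header)
        if m:
            acls[m.group(1)] = {b.split()[-1] for b in body if b.startswith("permit host ")}
    for header, body in blocks:          # pass 2: check every vty stanza
        if not header.startswith("line vty"):
            continue
        names = [b.split()[1] for b in body if re.match(r"access-class \S+ in$", b)]
        if not names:
            findings.append(f"{header}: no inbound access-class, reachable from any source")
        for name in names:
            hosts = acls.get(name)
            if hosts is None:
                findings.append(f"{header}: access-class {name} is not defined")
            elif hosts != set(trusted):
                findings.append(f"{header}: {name} permits {sorted(hosts)}, expected {sorted(trusted)}")
    return findings
```

Run it over the files in rancid's CVS/SVN checkout after each collection and any non-empty result is a device where the VTY restriction has drifted.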
