Rancid+Cisco privs?

Lars Erik Gullerud lerik at nolink.net
Thu Nov 24 11:13:47 UTC 2005

On Wed, 23 Nov 2005, Shaun wrote:

> I just setup rancid and all it working fine but now I want to secure things
> a bit.  Right now the user rancid logs into my Cisco gear with has a priv of
> 15 but I want to lock this user down so that the user only have privs to do
> what rancid needs to do.  I'm not very familiar with rancid, it's my first
> time using it so I'm not really sure what it's doing in the back end.  I
> searched around a bit but couldn't really find much on this subject.  Right
> now all my equipment rancid it polling is IOS.
> Will a priv 1 be enough access for rancid?

What we do is to hack rancid and replace "show running-config" and "write 
term" with "show startup-config" instead. After that you can play around 
with lower privileges as you like (we run rancid user as level 2 and 
allow other commands like the "dir" commands via privilege-lines in IOS). 
But you can't show the complete running-config without being 
level 15 or lowering everything else down to rancids level (which is, in 
effect, the same thing... :)

However, this solution means you do not get any config diffs to 
running-config, so if people forget to do a "write", well, then rancid 
doesn't catch it.


More information about the Rancid-discuss mailing list