RANCID login info
Justin Grote
justin at grote.name
Thu Jan 26 16:12:01 UTC 2006
Andrew Fort wrote:
> Kanagaraj Krishna wrote:
>
>> Hi,
>> I'm using the RANCID config management tool. As we know, the logins
>> for the equipment/devices are kept in the .cloginrc file. I'm quite
>> worried about this as it brings a security vulnerability. Is there a way
>> of keeping the user login password in encrypted format?
>
> No, RANCID doesn't support this presently.
And probably won't until most network devices support hashed passwords
in a standardized format (yeah, that's gonna happen...). Sure you could
encrypt the .cloginrc file and decrypt it on demand for RANCID, but
since the decryption key is part of the automated process, all you do is
obscure the system a little without making it secure (unless you want to
manually type a password to decrypt the keystore each time you run
rancid). This is a usability/security tradeoff that goes in favor of
usability I'm afraid.
In the meantime, just chmod 600 your .cloginrc file so no other users
can view it. Generally then you only have to worry about either a root
or physical compromise, both of which, if they happen, will leave you with
more problems than just that .cloginrc.
If you're really paranoid and your devices support RADIUS or OTP, use a
RADIUS read-only user or set up an OTP hook.
If you put mysql usernames and passwords in the configuration files for
PHP apps like MediaWiki and Mambo, you shouldn't worry about RANCID.
--
Justin Grote
Network Architect
JWG Networks
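As an added example to go with the chmod 600 advice above (this is editorial code, not part of the thread or of the RANCID project): a small POSIX shell check that audits a credential file such as .cloginrc for owner-only permissions and correct ownership, plus a helper that tightens it and re-checks. The function names and the `$HOME/.cloginrc` path are assumptions; the file content in the usage comment is constructed.

```shell
#!/bin/sh
# Added example, not RANCID's own code. Audits a credential file for the
# "chmod 600" state recommended in the post: a regular file, owned by the
# user running the check, with no group or other permission bits set.
# Prints the reason on failure. Returns 0 when the file passes, 1 otherwise.
#
# Usage (path is an assumption, .cloginrc lives in the RANCID user's home):
#   cloginrc_check "$HOME/.cloginrc"   || cloginrc_harden "$HOME/.cloginrc"

cloginrc_check() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "$f: not a regular file" >&2
        return 1
    fi

    # Owner field of ls -l must match the invoking user; a credential file
    # owned by someone else is a sign of a copy or a setup mistake.
    owner=$(ls -ld "$f" | awk '{print $3}')
    me=$(id -un)
    if [ "$owner" != "$me" ]; then
        echo "$f: owned by $owner, not by $me" >&2
        return 1
    fi

    # Columns 5-10 of the ls -l mode string are the group and other bits
    # (columns 1-4 are the file type and the owner bits).
    bits=$(ls -ld "$f" | cut -c5-10)
    if [ "$bits" != "------" ]; then
        echo "$f: group/other permission bits set ($bits); run: chmod 600 $f" >&2
        return 1
    fi
    return 0
}

# Tighten the file to owner-only access, then re-run the audit so the
# caller gets a definitive pass/fail.
cloginrc_harden() {
    chmod 600 "$1" && cloginrc_check "$1"
}
```

The check deliberately parses `ls -ld` rather than `stat`, because the `stat` flags differ between GNU and BSD systems while the `ls -l` mode string is the same everywhere RANCID runs. It does not inspect ACLs; on a filesystem with POSIX ACLs or SELinux labels the mode string still tells you whether the classic group/other bits are clear, which is what chmod 600 governs.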