RANCID login info

Ed Ravin eravin at panix.com
Thu Jan 26 17:33:16 UTC 2006


On Thu, Jan 26, 2006 at 05:11:45PM +0800, Kanagaraj Krishna wrote:
>         I'm using the RANCID config management tool. As we know, the logins for the
>    equipment/devices are kept in the .cloginrc file. I'm quite worried about
>    this as it brings a security vulnerability. Is there a way of keeping the
>    user login password in encrypted format?

If you get a root-level compromise on your RANCID box, even if the
passwords are stored in encrypted format, an intelligent intruder
would be able to find them.  After all, RANCID has to be able to
decrypt the passwords somehow.

Since the .cloginrc is executed just like another expect script - you
could write your own code to read encrypted passwords from somewhere
else and decrypt them on the fly.  That would at least keep the passwords
reasonably safe in your backups, if you're not encrypting the backups.
Of course, the program would need the key to decrypt the passwords, which
itself might end up on your backup tape unencrypted or be obtained by an
intruder during a break-in.
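
The approach described in the message above, sketched as an added example that is not part of the original post or of RANCID itself: a `.cloginrc` fragment that decrypts credentials at run time and feeds them to the usual `add` directives. The file name `.cloginrc-secrets.gpg`, its four-field record layout and the `cl_` variable names are assumptions made for the illustration, and gpg must be able to use the private key without prompting.

```tcl
# Added example: fragment for ~/.cloginrc, which clogin sources as plain Tcl.
# Assumed (hypothetical) secrets file: GPG-encrypted, plaintext holds one
#   <router-pattern> <username> <vty-password> <enable-password>
# record per line, whitespace separated; '#' starts a comment line.
set cl_secrets [file join $::env(HOME) .cloginrc-secrets.gpg]

# --batch makes gpg fail instead of prompting. The private key therefore has
# to be usable non-interactively by the rancid user, which is exactly the
# exposure the message points out: whoever owns this account, or a backup
# that includes the key, can run the same command.
if {[catch {exec gpg --quiet --batch --decrypt $cl_secrets 2>/dev/null} cl_plain]} {
    # Do not echo gpg output or file contents into RANCID's logs.
    error "cloginrc: unable to decrypt $cl_secrets"
}

foreach cl_line [split $cl_plain "\n"] {
    set cl_line [string trim $cl_line]
    if {$cl_line eq "" || [string match "#*" $cl_line]} { continue }

    # Split on runs of whitespace; passwords containing spaces are not
    # supported by this simple layout.
    set cl_fields [regexp -all -inline {\S+} $cl_line]
    if {[llength $cl_fields] != 4} {
        # Report the problem without printing the record itself.
        error "cloginrc: malformed record in $cl_secrets"
    }
    lassign $cl_fields cl_pat cl_user cl_vty cl_enable   ;# needs Tcl 8.5+

    # Same directives a plaintext .cloginrc would contain.
    add user     $cl_pat $cl_user
    add password $cl_pat $cl_vty $cl_enable
}

# Drop the working copies once the directives have been registered.
unset -nocomplain cl_plain cl_line cl_fields cl_user cl_vty cl_enable
```

This keeps plaintext passwords out of `.cloginrc` and out of backups that exclude the GPG keyring, but it does not protect them from anyone who can run commands as the RANCID user.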




More information about the Rancid-discuss mailing list