[rancid] Re: unencrypted passwords in .cloginrc ...
Joseph Jackson
JJackson at aninetworks.com
Thu Oct 26 23:26:54 UTC 2006
> -----Original Message-----
> From: rancid-discuss-bounces at shrubbery.net
> [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of
> Austin Schutz
> Sent: Thursday, October 26, 2006 3:09 PM
> To: John Dworske
> Cc: rancid-discuss at shrubbery.net
> Subject: [rancid] Re: unencrypted passwords in .cloginrc ...
>
> On Thu, Oct 26, 2006 at 02:28:54PM -0700, John Dworske wrote:
> >
> >
> > Rancid Folks,
> >
> > Is there any way getting around using unencrypted passwords in the
> > .cloginrc file? My co-workers will not let me use rancid unless we
> > can come up with something more secure?
> >
>
> If your poller is not secure it doesn't matter what
> authentication method you use. So while you could for some
> platforms set up .shosts or RSA authorized keys, it doesn't
> really accomplish anything.
>
> How is it you do your snmp polling without the snmp
> poller having the unencrypted community string? Answer: you
> don't. This really isn't any different. Use strict ACLs to
> make sure the number of hosts allowed access is small. Use
> ssh and not telnet for polling. Be very strict about poller security.
>
> Austin
I got around this issue by using TACACS+ and setting what commands the
rancid user can run on the routers/switches. That's really the best
solution in my book... :)
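
The poller-side advice quoted above (keep the poller locked down, use ssh and not telnet) can be checked mechanically against the .cloginrc itself. The script below is an added example, not part of the original thread or of RANCID; the function names and the sample file are constructed, and it assumes the usual `add method <glob> {ssh} {telnet}` directive form.

```shell
# Added example (not from the thread): audit a RANCID .cloginrc for group/other
# permission bits and telnet login methods. Returns 0 clean, 1 findings, 2 unreadable.
audit_cloginrc() {
    file=$1
    status=0
    [ -r "$file" ] || { echo "ERROR: cannot read $file"; return 2; }
    # Any group/other bit exposes the stored passwords to other local accounts.
    for bit in 040 020 010 004 002 001; do
        if [ -n "$(find "$file" -prune -perm "-$bit")" ]; then
            echo "PERM: $file is accessible beyond its owner (want owner-only)"
            status=1
            break
        fi
    done

    # Flag every "add method" directive that lists telnet; comments are skipped.
    telnet_hits=$(awk '
        /^[ \t]*#/ { next }
        $1 == "add" && $2 == "method" {
            for (i = 4; i <= NF; i++) {
                m = $i; gsub(/[{}]/, "", m)
                if (m == "telnet") { print "TELNET: line " NR ": " $0; break }
            }
        }' "$file")
    if [ -n "$telnet_hits" ]; then
        echo "$telnet_hits"
        status=1
    fi
    return $status
}

# Constructed sample .cloginrc (host names and passwords are made up).
write_sample() {
    cat > "$1" <<'EOF'
# add method * {telnet}
add user * rancid
add password core-* {ExamplePw1} {ExampleEnable1}
add method core-* {ssh}
add method lab-sw1 {ssh} {telnet}
EOF
    chmod 644 "$1"
}

if [ $# -eq 0 ]; then
    sample=$(mktemp)
    write_sample "$sample"
    audit_cloginrc "$sample" || true
    rm -f "$sample"
fi
```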