[rancid] Re: Rancid and cisco 'autocommand' users?

Austin Schutz tex at off.org
Wed Apr 25 21:14:32 UTC 2007


On Wed, Apr 25, 2007 at 09:17:50PM +0000, john heasley wrote:
> Wed, Apr 25, 2007 at 10:15:03PM +0100, Randy Bush:
> > >> We're currently involved in a deployment of rancid for some cisco 
> > >> equipment that we manage. We're fairly uncomfortable with storing 
> > >> full-privilege passwords in plaintext anywhere.
> > > 
> > > There are trade-offs to be made/accepted for automation.  You can still
> > > limit the exposure, as Ed Ravin has suggested.
> > 
> > ask your router vendor why they do not have the equivalent of
> > ~/.ssh/authorized_keys
> 
> Indeed, but the pass phrase still needs to be located somewhere or be empty.
> 
> and, s/router/device/

	I've never really understood the big advantage with empty keys-
if you copy the key somewhere else, and the new host is in the ACL, you will
still be able to log in without authentication, unless there's some further
configuration (that I'm not aware of) to force the key to match the original
host to help keep this from happening.

	Austin
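The "further configuration" that binds a passphrase-less automation key to its original host exists on OpenSSH servers (for example the jump host a collector logs into, not the Cisco device itself): the `from=` and `command=` options in authorized_keys. The script below is an added illustration, not code from the thread or from rancid; the host address, forced command, and key material are constructed placeholders.

```shell
#!/bin/sh
# Emit an OpenSSH authorized_keys line that binds a (possibly passphrase-less)
# automation key to the collector's source address and to one forced command,
# so a copy of the private key used from another host is refused by sshd.
restricted_authorized_key() {
    from_pattern=$1   # pattern list for from=, e.g. '10.0.0.5,collector.example.net' (assumed)
    forced_cmd=$2     # command sshd runs instead of a shell; the client's requested command is ignored
    pubkey=$3         # one public-key line: '<type> <base64> [comment]'
    printf 'from="%s",command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$from_pattern" "$forced_cmd" "$pubkey"
}

# Print the authorized_keys lines that carry no from= restriction, prefixed
# with their line number.  Heuristic: options precede the key type, so from=
# must appear at line start or after a comma; a command= string that itself
# contains "from=" would slip through as a false negative.
unrestricted_keys() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                 # skip comments and blank lines
        $0 !~ /(^|,)from=/   { print NR ": " $0 }     # no source-host binding
    ' "$1"
}

# Constructed sample file contents: one unrestricted key (the case described
# in the thread) and one key emitted by restricted_authorized_key.  The key
# material is a placeholder, not a real key.
sample_authorized_keys() {
    printf '%s\n' '# constructed sample, not a real key' \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnly rancid@old-collector'
    restricted_authorized_key '10.0.0.5' '/usr/local/bin/show-config' \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnly rancid@collector'
}
```

Run `sample_authorized_keys > keys && unrestricted_keys keys` to see only the unrestricted line reported; sshd itself enforces the `from=` match against the client's source address at login.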


