[rancid] Re: Rancid and cisco 'autocommand' users?

Russell Jackson raj at csub.edu
Wed Apr 25 22:45:28 UTC 2007


Jeffrey C. Ollie wrote:
> On Wed, 2007-04-25 at 15:19 -0700, Russell Jackson wrote:
>> Only the public key is stored on the remote end. Stealing it would gain an attacker
>> nothing; in fact, you could store the public key on a web site or broadcast it over email
>> safely. With public key authentication, neither the passphrase nor the private key is
>> ever transmitted across the wire.
> 
> But the private key must be stored unencrypted on the host running
> rancid, or rancid needs to know the passphrase to decrypt the private
> key.  Not that much better than storing the unencrypted password on the
> host running rancid.  As John Heasley said above, there are tradeoffs to
> be made if you want things automated.
> 

Not entirely true. You could use the key agent to hold the decrypted key in memory but
leave the file encrypted. The downside to that is that you'd have to input the passphrase
when/if the key agent died (reboot, etc...).

-- 
Russell A. Jackson <raj at csub.edu>
Network Analyst
California State University, Bakersfield

The only thing that stops God from sending a second Flood is that
the first one was useless.
		-- Nicolas Chamfort
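The agent-based arrangement Russell describes, as an added example that is not code from the original post or from the RANCID project: the private key file stays passphrase-encrypted on disk, an agent started once after boot holds the decrypted key in memory, and the cron job refuses to run rather than fall back to a cleartext key when the agent is gone. `rancid-run` is RANCID's real cron entry point; everything else (the key path, the agent.env file, the function names, and the header-only encryption check) is an assumption made for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from the RANCID project.
# Runs rancid-run with the SSH private key held only by ssh-agent, so the key
# file on disk can stay passphrase-encrypted. The trade-off from the thread
# still applies: someone must re-run load_agent after a reboot or agent crash.
#
# Assumptions for illustration: the rancid user's key is $HOME/.ssh/id_rancid,
# the agent's environment is saved in $HOME/.ssh/agent.env by a one-time
# interactive load_agent step, and cron calls run_rancid.

RANCID_KEY="${RANCID_KEY:-$HOME/.ssh/id_rancid}"
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# key_is_encrypted FILE
#   exit 0 if the private key on disk is passphrase-protected, 1 if it is
#   stored in the clear, 2 if the file is unreadable. Understands the legacy
#   PEM format (a "Proc-Type: 4,ENCRYPTED" header) and the OpenSSH format,
#   whose base64 body names the KDF: "bcrypt" when encrypted, "none" when not.
#   This is a header check only; it does not need ssh-keygen.
key_is_encrypted() {
    f="$1"
    [ -r "$f" ] || return 2
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
        return 0
    fi
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$f"; then
        # drop the armor lines, decode the body, look for the KDF name
        if sed '1d;$d' "$f" | tr -d '\n' | base64 -d 2>/dev/null | grep -aq 'bcrypt'; then
            return 0
        fi
    fi
    return 1
}

# load_agent
#   Interactive, run once after boot: refuse a cleartext key, start an agent,
#   add the key (ssh-add prompts for the passphrase), and record the socket so
#   non-interactive jobs can find the agent later.
load_agent() {
    if ! key_is_encrypted "$RANCID_KEY"; then
        echo "refusing: $RANCID_KEY is not passphrase-protected" >&2
        return 1
    fi
    umask 077
    ssh-agent -s | grep -v '^echo' > "$AGENT_ENV"
    . "$AGENT_ENV"
    ssh-add "$RANCID_KEY"
}

# agent_ready
#   exit 0 if the saved agent is alive and holds at least one key.
#   ssh-add -l returns 0 with keys loaded, 1 for an empty agent, 2 if no agent.
agent_ready() {
    [ -r "$AGENT_ENV" ] || return 1
    . "$AGENT_ENV"
    ssh-add -l >/dev/null 2>&1
}

# run_rancid
#   The cron entry point. Fails loudly instead of falling back to a cleartext
#   key when the agent is gone, since that is the whole point of the setup.
run_rancid() {
    if ! agent_ready; then
        echo "ssh-agent not available; re-run load_agent after reboot" >&2
        return 1
    fi
    exec rancid-run
}
```

`ssh` inside clogin picks up `SSH_AUTH_SOCK` from the environment, which is why sourcing the saved agent.env is enough; nothing in rancid's own configuration needs to change. The check in `key_is_encrypted` only inspects headers, so it catches the common mistake (a key generated with an empty passphrase) but is not a substitute for keeping the file mode at 0600 and the rancid account itself locked down.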