[rancid] Re: Rancid and cisco 'autocommand' users?

john heasley heas at shrubbery.net
Wed Apr 25 23:03:30 UTC 2007


Wed, Apr 25, 2007 at 03:45:28PM -0700, Russell Jackson:
> Jeffrey C. Ollie wrote:
> > On Wed, 2007-04-25 at 15:19 -0700, Russell Jackson wrote:
> >> Only the public key is stored on the remote end. Stealing it would gain an attacker
> >> nothing; in fact, you could store the public key on a web site or broadcast it over email
> >> safely. With public key authentication, neither the passphrase nor the private key is ever transmitted
> >> across the wire.
> > 
> > But the private key must be stored unencrypted on the host running
> > rancid, or rancid needs to know the passphrase to decrypt the private
> > key.  Not that much better than storing the unencrypted password on the
> > host running rancid.  As John Heasley said above, there are tradeoffs to
> > be made if you want things automated.
> > 
> 
> Not entirely true. You could use the key agent to hold the decrypted key in memory but
> leave the file encrypted. The downside to that is that you'd have to input the passphrase
> when/if the key agent died (reboot, etc...).

Doesn't seem like that much extra effort to get the key from core if you're
clever.
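
On the point in this thread about a private key stored unencrypted on the rancid host versus one left passphrase-protected behind a key agent: the following is an added example, not part of the original messages or of rancid, that reports whether a private key file is passphrase-protected on disk. It inspects only the file at rest, not agent memory; the sample keys are constructed, header-only, and contain no key material.

```python
import base64
import struct
import sys

MAGIC = b"openssh-key-v1\0"  # magic at the start of the new-format OpenSSH key blob

def key_is_encrypted(pem_text):
    """True if the private key is passphrase-protected on disk, False if stored in the clear."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-armoured key")
    header, body = lines[0], lines[1:-1]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(body))
        if not blob.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        # First field after the magic is the cipher name: uint32 length + bytes.
        (n,) = struct.unpack_from(">I", blob, len(MAGIC))
        cipher = blob[len(MAGIC) + 4:len(MAGIC) + 4 + n]
        return cipher != b"none"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # PKCS#8, encrypted
        return True
    if header.endswith("PRIVATE KEY-----"):
        # Legacy RSA/DSA/EC PEM: encryption is flagged by a Proc-Type header line.
        return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in body)
    raise ValueError("not a private key")

def sample_openssh(cipher):
    """Constructed header-only blob (no key material) in openssh-key-v1 layout."""
    s = lambda b: struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed legacy-format samples; the bodies are placeholders, not keys.
LEGACY_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\nAAAA\n"
              "-----END RSA PRIVATE KEY-----\n")
LEGACY_CLEAR = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path) as fh:
            state = "encrypted" if key_is_encrypted(fh.read()) else "UNENCRYPTED"
        print(f"{path}: {state}")
```

Run it with the paths of the private key files to check as arguments.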


