[rancid] Going beyond community <removed>?
kkadow at gmail.com
Wed Aug 27 02:20:27 UTC 2008
I have a need to not just remove passwords/keys from saved configs,
but also to know when they change.
Specifically, I was thinking of replacing the actual password or community
with a high-collision hash of the password, followed by the number of
"bits of entropy", similar to the calculator found here:
Would there be interest in a patch to add this feature to RANCID?
For example if I have a router with this SNMP community:
snmp-server community AndBobsYourUncle RW
Right now RANCID just shows <removed> for the community string,
instead I would like to have it show something like:
snmp-server community <HASH:ac499d,4> RW
In this case, '4' is a generous estimate of the bits of entropy.
With a correctly implemented hash, this isn't sufficient information
to crack the community string from looking at the saved config,
but does give an auditor confidence that communities and keys are
being chosen correctly, and changed on schedule.
(P.S. Yes, the "bits of entropy" would only be useful for cleartext keys,
not for Cisco "Type 5", ASA radius keys or other encrypted values.)
More information about the Rancid-discuss