[rancid] Re: Going beyond community <removed>?
john heasley
heas at shrubbery.net
Wed Aug 27 04:40:18 UTC 2008
Tue, Aug 26, 2008 at 09:20:27PM -0500, K K:
> I have a need to not just remove passwords/keys from saved configs,
> but also to know when they change.
>
> Specifically, I was thinking of replacing the actual password or community
> with a high-collision hash of the password, followed by the number of
> "bits of entropy", similar to the calculator found here:
> http://www.certainkey.com/demos/password/
>
> Would there be interest in a patch to add this feature to RANCID?
>
>
> For example if I have a router with this SNMP community:
> snmp-server community AndBobsYourUncle RW
>
> Right now RANCID just shows <removed> for the community string,
> instead I would like to have it show something like:
>
> snmp-server community <HASH:ac499d,4> RW
just create your own md5 for whatever you're removing. wouldn't seem
necessary to go through anything more extravagant.
> In this case, '4' is a generous estimate of the bits of entropy.
> With a correctly implemented hash, this isn't sufficient information
> to crack the community string from looking at the saved config,
> but does give an auditor confidence that communities and keys are
> being chosen correctly, and changed on schedule.
>
>
> Kevin
>
> (P.S. Yes, the "bits of entropy" would only be useful for cleartext keys,
> not for Cisco "Type 5", ASA radius keys or other encrypted values.)
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
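The marker format Kevin proposes (`<HASH:xxxxxx,N>` in place of the cleartext secret) and heasley's "just md5 it" answer can both be tried out with the following Python, which is an added example written for this page and not code from RANCID or from either poster. The regular expressions for `tacacs-server key` and `radius-server key`, the `SECRET_KEY` handling, the function names and the sample config are all assumptions; the entropy figure is a crude character-class heuristic, not the calculator linked in the thread, and it overstates the strength of passphrases built from dictionary words (it rates the thread's example at 91 bits rather than 4). The unkeyed mode truncates an MD5 digest to six hex characters as in the thread; the keyed mode swaps in a truncated HMAC-SHA256 so that a low-entropy community string cannot be recovered by guessing offline against the saved config, while a change in the secret still changes the marker.

```python
import hashlib
import hmac
import math
import re
import string
from typing import Optional

# Each pattern captures (prefix, secret, rest). The first is the IOS line from
# the thread; the other two are assumed extra cases, not taken from the thread.
SECRET_PATTERNS = [
    re.compile(r"^(\s*snmp-server community )(\S+)(.*)$"),
    re.compile(r"^(\s*tacacs-server key )(\S+)(.*)$"),   # assumed
    re.compile(r"^(\s*radius-server key )(\S+)(.*)$"),   # assumed
]


def entropy_bits(secret: str) -> int:
    """Assumed heuristic: log2(character pool size) * length, rounded.

    The pool is built from the character classes present. This is generous
    for dictionary-word passphrases, which have far fewer real bits.
    """
    pool = 0
    if any(c.islower() for c in secret):
        pool += 26
    if any(c.isupper() for c in secret):
        pool += 26
    if any(c.isdigit() for c in secret):
        pool += 10
    if any(c in string.punctuation for c in secret):
        pool += len(string.punctuation)
    if pool == 0:
        return 0
    return round(len(secret) * math.log2(pool))


def fingerprint(secret: str, key: Optional[bytes] = None, length: int = 6) -> str:
    """Truncated digest of the secret.

    key=None: plain MD5, as heasley suggests. With a key (kept outside the
    config repository), HMAC-SHA256 so the marker cannot be matched against
    offline guesses of the secret; changes are still visible as marker changes.
    """
    if key is None:
        digest = hashlib.md5(secret.encode()).hexdigest()
    else:
        digest = hmac.new(key, secret.encode(), hashlib.sha256).hexdigest()
    return digest[:length]


def redact_line(line: str, key: Optional[bytes] = None) -> str:
    """Replace a matched secret with <HASH:digest,bits>; pass other lines through."""
    for pat in SECRET_PATTERNS:
        m = pat.match(line)
        if m:
            prefix, secret, rest = m.groups()
            return f"{prefix}<HASH:{fingerprint(secret, key)},{entropy_bits(secret)}>{rest}"
    return line


def redact_config(text: str, key: Optional[bytes] = None) -> str:
    return "\n".join(redact_line(line, key) for line in text.splitlines())


def secret_changed(old_line: str, new_line: str, key: Optional[bytes] = None) -> bool:
    """True when the saved (redacted) form of the line differs, i.e. the secret rotated."""
    return redact_line(old_line, key) != redact_line(new_line, key)


# Constructed sample config; the community string is the one from the thread.
SAMPLE_CONFIG = """\
hostname edge-router
snmp-server community AndBobsYourUncle RW
tacacs-server key s3cretK3y!
interface GigabitEthernet0/1
"""

if __name__ == "__main__":
    print(redact_config(SAMPLE_CONFIG))
    print(redact_config(SAMPLE_CONFIG, key=b"constructed-demo-key"))
    print(secret_changed("snmp-server community AndBobsYourUncle RW",
                         "snmp-server community AndBobsYourAunt RW"))
```

Running the script prints the sample config twice, once with MD5 markers and once with keyed markers, then `True` for the rotated community string. Because a six-character MD5 prefix leaves only 2^24 possible markers, a dictionary guess that matches is almost certainly the real community string, so the keyed mode is the one to use when the saved configs are readable by people who should not be able to recover the secret.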