[rancid] Re: Going beyond community <removed>?

john heasley heas at shrubbery.net
Wed Aug 27 04:40:18 UTC 2008

Tue, Aug 26, 2008 at 09:20:27PM -0500, K K:
> I have a need to not just remove passwords/keys from saved configs,
> but also to know when they change.
> Specifically, I was thinking of replacing the actual password or community
> with a high-collision hash of the password, followed by the number of
> "bits of entropy", similar to the calculator found here:
>      http://www.certainkey.com/demos/password/
> Would there be interest in a patch to add this feature to RANCID?
> For example if I have a router with this SNMP community:
>      snmp-server community AndBobsYourUncle RW
> Right now RANCID just shows <removed> for the community string,
> instead I would like to have it show something like:
>      snmp-server community <HASH:ac499d,4> RW

just create your own md5 for whatever you're removing.  wouldnt seem
necessary to go though anything more extravagant.

> In this case, '4' is a generous estimate of the bits of entropy.
> With a correctly implemented hash, this isn't sufficient information
> to crack the community string from looking at the saved config,
> but does give an auditor confidence that communities and keys are
> being chosen correctly, and changed on schedule.
> Kevin
> (P.S. Yes, the "bits of entropy" would only be useful for cleartext keys,
> not for Cisco "Type 5", ASA radius keys or other encrypted values.)
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss

More information about the Rancid-discuss mailing list