[rancid] Re: Going beyond community <removed>?

K K kkadow at gmail.com
Wed Aug 27 14:38:08 UTC 2008


On 8/26/08, john heasley <heas at shrubbery.net> wrote:
> Kevin wrote:
> I have a need to not just remove passwords/keys from saved configs,
> but also to know when they change.
. . .
> >      snmp-server community <HASH:ac499d,4> RW
>
> just create your own md5 for whatever you're removing.  wouldn't seem
> necessary to go through anything more extravagant.

Using the full MD5 hash makes the attacker's job easier, as they
can use rainbow tables or dictionary crack tools, and the defender's
more difficult -- weak or strong, all hashed values look alike.

Truncating the MD5 hash to a few bytes addresses that first issue,
and RANCID would now detect when the original string changes,
with security equivalent to the original <removed> behavior.


Is there a better way to address my secondary requirement for auditors,
enabling them to validate not only that the shared secret is changed
regularly, but also that "strong" communities are used?

Preferably building on tried-and-true crypto rather than roll-my-own,
but without saving huge blobs of PGP-encrypted stuff.


Kevin
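
The truncated-hash scrubbing discussed in this thread, as an added example that is not part of the thread or of RANCID's own code. It assumes a constructed IOS-style config, a `<HASH:hexdigest,len>` placeholder modelled on the one quoted above (the second field, the secret's original length, is this example's own assumption so an auditor can check minimum length without seeing the secret), and the default of keeping 3 bytes of the digest.

```python
import hashlib
import re

# Constructed pattern for "snmp-server community <string> RO|RW ..." lines.
COMMUNITY_RE = re.compile(r"^(\s*snmp-server community )(\S+)(\s+.*)?$")
# Placeholder emitted by scrub_community(); second field is an assumption of this example.
PLACEHOLDER_RE = re.compile(r"<HASH:[0-9a-f]+,(\d+)>")

def scrub_community(secret: str, nbytes: int = 3) -> str:
    """Replace a community string with a truncated MD5 digest plus its length.
    Truncation keeps the value deterministic (so diffs still show a change)
    while leaving too little of the digest to be useful for offline cracking."""
    digest = hashlib.md5(secret.encode()).hexdigest()[: 2 * nbytes]
    return f"<HASH:{digest},{len(secret)}>"

def scrub_config(text: str, nbytes: int = 3) -> str:
    """Rewrite every community line in a saved config; all other lines pass through."""
    out = []
    for line in text.splitlines():
        m = COMMUNITY_RE.match(line)
        if m:
            line = f"{m.group(1)}{scrub_community(m.group(2), nbytes)}{m.group(3) or ''}"
        out.append(line)
    return "\n".join(out)

def changed_communities(old_cfg: str, new_cfg: str, nbytes: int = 3) -> list:
    """Return (old, new) scrubbed-line pairs whose placeholder differs between two
    saved configs. Assumes community lines appear in the same order in both."""
    old = [l for l in scrub_config(old_cfg, nbytes).splitlines() if COMMUNITY_RE.match(l)]
    new = [l for l in scrub_config(new_cfg, nbytes).splitlines() if COMMUNITY_RE.match(l)]
    return [(o, n) for o, n in zip(old, new) if o != n]

def weak_communities(scrubbed_cfg: str, min_len: int = 12) -> list:
    """Auditor check on the scrubbed text only: lines whose recorded length is below min_len."""
    return [l for l in scrubbed_cfg.splitlines()
            if (m := PLACEHOLDER_RE.search(l)) and int(m.group(1)) < min_len]

# Constructed sample configs: the RW community is rotated between the two saves.
OLD_CFG = """hostname edge-router-1
snmp-server community public RO
snmp-server community s3cr3tW-r1t3-acc3ss RW
"""
NEW_CFG = """hostname edge-router-1
snmp-server community public RO
snmp-server community Rot4ted-RW-k3y-2008 RW
"""
```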

