[rancid] Re: Going beyond community <removed>?

Austin Schutz tex at off.org
Wed Aug 27 16:16:09 UTC 2008


On Wed, Aug 27, 2008 at 09:38:08AM -0500, K K wrote:
> On 8/26/08, john heasley <heas at shrubbery.net> wrote:
> > Kevin wrote:
> > I have a need to not just remove passwords/keys from saved configs,
> > but also to know when they change.
> . . .
> > >      snmp-server community <HASH:ac499d,4> RW
> >
> > just create your own md5 for whatever you're removing.  wouldn't seem
> > necessary to go through anything more extravagant.
> 
> Using the full MD5 hash makes the attacker's job easier, as they
> can use rainbow tables or dictionary crack tool, and the defender's
> more difficult -- weak or strong, all hashed values look alike.
> 
> Truncating the MD5 hash to a few bytes addresses that first issue,
> and RANCID would now detect when the original string changes,
> with equivalent security to the original <removed> behavior.
> 
> 
> Is there a better way to address my secondary requirement for auditors,
> enabling them to validate not only that the shared secret is changed
> regularly, but also that "strong" communities are used?
> 

	This seems pretty smart to me, and a useful feature. My only comment
would be that this is really more like using a CRC checksum; it's not really a
matter of cryptography. You could use Digest::MD5 if you wanted to go the
MD5 route, or maybe Digest::CRC if not.

	Austin
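An added illustration of the truncated-hash scrubbing discussed in the thread (my own Python, not RANCID's Perl filter code): each matched secret is replaced by a placeholder carrying only the first three bytes of md5(secret), and two scrubbed configs are then compared so a rotation shows up in the diff without exposing the value. The config patterns, the sample configs, and the placeholder's second field (a length-based strength class standing in for the unexplained `,4` in the thread's example) are my assumptions.

```python
"""Scrub secrets from a saved device config into truncated-MD5 placeholders
so that a diff still shows when a secret changes (constructed example, not
RANCID's own filter code)."""
import hashlib
import re

# Constructed patterns (assumption): group 1 = keyword, 2 = secret, 3 = rest.
SECRET_PATTERNS = [
    re.compile(r"^(snmp-server community )(\S+)(.*)$"),
    re.compile(r"^(tacacs-server key )(\S+)(.*)$"),
]


def mask_secret(secret: str, keep_bytes: int = 3) -> str:
    """Placeholder holding only the first keep_bytes of md5(secret).

    The second field is a coarse strength class, my own stand-in for the
    unexplained ',4' field in the thread (assumption: >= 12 chars is strong).
    """
    digest = hashlib.md5(secret.encode()).hexdigest()[: 2 * keep_bytes]
    strength = "strong" if len(secret) >= 12 else "weak"
    return f"<HASH:{digest},{strength}>"


def scrub_config(text: str, keep_bytes: int = 3) -> str:
    """Replace every matched secret; all other lines pass through untouched."""
    out = []
    for line in text.splitlines():
        for pat in SECRET_PATTERNS:
            m = pat.match(line)
            if m:
                line = m.group(1) + mask_secret(m.group(2), keep_bytes) + m.group(3)
                break
        out.append(line)
    return "\n".join(out)


def changed_secrets(old_scrubbed: str, new_scrubbed: str) -> list:
    """Placeholder lines that differ between two scrubbed configs (line-aligned)."""
    pairs = zip(old_scrubbed.splitlines(), new_scrubbed.splitlines())
    return [new for old, new in pairs if old != new and "<HASH:" in new]


# Constructed sample configs: the community is rotated, the TACACS key is not.
OLD_CONFIG = "hostname rtr1\nsnmp-server community public RW\ntacacs-server key hunter2\n"
NEW_CONFIG = "hostname rtr1\nsnmp-server community Xq7mP2vL9rT4wZ RW\ntacacs-server key hunter2\n"

if __name__ == "__main__":
    print(scrub_config(NEW_CONFIG))
    print(changed_secrets(scrub_config(OLD_CONFIG), scrub_config(NEW_CONFIG)))
```

A short unkeyed digest still lets anyone holding the scrubbed file confirm a guess such as `public` against the six hex characters, so it hides the value but not whether a well-known default is in use. If that matters, hashing with a per-installation key (an HMAC) keeps the change-detection property while removing that confirmation.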
