[rancid] h3crancid doesn't filter passwords

Jethro R Binks jethro.binks at strath.ac.uk
Tue Feb 5 08:40:29 UTC 2013


On Tue, 5 Feb 2013, ignasr at vault13.lt wrote:

> > I have a bunch of updates to make to h3crancid at some point.  If you can
> > give me samples of the lines where you want the passwords removing and the
> > context, I can take a look at incorporating them.
> > 
> > Jethro.
> 
> Thank you. It seems this was easier than I thought. Password ciphers can be
> filtered with
> 
> ###
> --- h3crancid.o 2013-02-04 16:06:16.583056212 +0200
> +++ h3crancid   2013-02-04 21:38:27.514053756 +0200
> @@ -367,6 +367,12 @@
>          next;
>      }
> 
> +    # Filter password ciphers
> +    if (/^( password cipher )\S+$/ && $filter_pwds >= 2) {
> +        ProcessHistory("","","","$1<removed>$'");
> +        next;
> +    }
> +
>      ProcessHistory("","","","$_");
> 
>      # end of config
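Review bot: the pattern on the added `if` line matches only ` password cipher <token>` with the token ending the line, and it rewrites the line only when `$filter_pwds >= 2`. A `password simple` line, a `super password` or `set authentication password` line, or any run with `$filter_pwds` at 1 therefore still reaches the unfiltered `ProcessHistory("","","","$_")` call. Suggest widening the alternation to `(cipher|simple)`, covering the other password statements, and dropping the `$` anchor so that trailing text cannot defeat the match. With the anchor in place, `$'` can hold at most the trailing newline.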
> ###
> 
> And this is enough for me for the time being.

I just looked, and the current version I am running has this:

        # Filter out some sensitive data:
        if (/^( ?snmp-agent community (read|write)) (\S+)/) {
            if ($filter_commstr) {
                ProcessHistory("", "", "", "!$1 <removed>$'");
                next;
            } else {
                ProcessHistory("", "", "", "$_");
                next;
            }
        }

        if (
          /^( ?super password( level \d)? (cipher|simple)) (\S+)/ ||
          /^( set authentication password (cipher|simple)) (\S+)/ ||
          /^( password (cipher|simple)) (\S+)/ ) {
            if ($filter_pwds >= 1) {
                ProcessHistory("", "", "", "! $1 <removed>$'");
                next;
            } else {
                ProcessHistory("", "", "", "$_");
                next;    # skip the generic call below so the line is not emitted twice
            }
        }

        ProcessHistory("", "", "", "$_");


Jethro.


.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263.
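
A check that could be run over stored configs to confirm the filter left nothing behind, reusing the patterns from the message above. This is an added example, not part of the original message or of RANCID; the `find_leaks` name and the sample lines are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: audit filtered H3C config text for secrets that survived.
use strict;
use warnings;

# Patterns adapted from the filter quoted in the message above. Each one
# captures the keyword prefix in $1 and the secret token in $2. A leading
# "!" is allowed because filtered lines are written back as comments.
my @secret_patterns = (
    qr/^\s*!?\s*(snmp-agent community (?:read|write)) (\S+)/,
    qr/^\s*!?\s*(super password(?: level \d)? (?:cipher|simple)) (\S+)/,
    qr/^\s*!?\s*(set authentication password (?:cipher|simple)) (\S+)/,
    qr/^\s*!?\s*(password (?:cipher|simple)) (\S+)/,
);

# Return [line_number, prefix] for every line whose secret token is
# anything other than the literal <removed> marker. The token itself is
# never returned, so the audit output does not repeat the secret.
sub find_leaks {
    my @lines = @_;
    my @leaks;
    my $n = 0;
    for my $line (@lines) {
        $n++;
        for my $re (@secret_patterns) {
            next unless $line =~ $re;
            push @leaks, [$n, $1] unless $2 eq '<removed>';
            last;
        }
    }
    return @leaks;
}

# Constructed sample of a stored config (not real device output).
my @sample = (
    ' snmp-agent community read EXAMPLEcommunity',
    '! super password level 3 cipher <removed>',
    ' set authentication password simple EXAMPLEsecret',
    '! password cipher <removed>',
    ' password cipher EXAMPLEcipher',
    ' sysname lab-switch',
);

for my $leak (find_leaks(@sample)) {
    printf "line %d: unfiltered value after '%s'\n", @$leak;
}
```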

