[rancid] h3crancid doesn't filter passwords

ignasr at vault13.lt ignasr at vault13.lt
Tue Feb 5 10:20:07 UTC 2013


On 2013.02.05 10:40, Jethro R Binks wrote:
> On Tue, 5 Feb 2013, ignasr at vault13.lt wrote:
>
>>> I have a bunch of updates to make to h3crancid at some point.  If you can
>>> give me samples of the lines where you want the passwords removing and the
>>> context, I can take a look at incorporating them.
>>>
>>> Jethro.
>>
>> Thank you. It seems this was easier than I thought. Password ciphers can be
>> filtered with
>>
>> ###
>> --- h3crancid.o 2013-02-04 16:06:16.583056212 +0200
>> +++ h3crancid   2013-02-04 21:38:27.514053756 +0200
>> @@ -367,6 +367,12 @@
>>           next;
>>       }
>>
>> +    # Filter password ciphers
>> +    if (/^( password cipher )\S+$/ && $filter_pwds >= 2) {
>> +        ProcessHistory("","","","$1<removed>$'");
>> +        next;
>> +    }
>> +
>>       ProcessHistory("","","","$_");
>>
>>       # end of config
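
Review bot: The pattern on the added "if" line only matches " password cipher " followed by a single token running to end of line, so a "password simple" line, or a cipher line with anything after the cipher string, falls through to the unfiltered ProcessHistory("","","","$_") call below. Widening the keyword to (cipher|simple) and dropping the "$" anchor would close that gap. The "$filter_pwds >= 2" threshold also deserves a short comment saying why level 1 leaves these lines in place.
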
>> ###
>>
>> And this is enough for me for the time being.
>
> I just looked, and the current version I am running has this:
>
>          # Filter out some sensitive data:
>          if (/^( ?snmp-agent community (read|write)) (\S+)/) {
>              if ($filter_commstr) {
>                  ProcessHistory("", "", "", "!$1 <removed>$'");
>                  next;
>              } else {
>                  ProcessHistory("", "", "", "$_");
>                  next;
>              }
>          }
>
>          if (
>            /^( ?super password( level \d)? (cipher|simple)) (\S+)/ ||
>            /^( set authentication password (cipher|simple)) (\S+)/ ||
>            /^( password (cipher|simple)) (\S+)/ ) {
>              if ($filter_pwds >= 1) {
>                  ProcessHistory("", "", "", "! $1 <removed>$'");
>                  next;
>              } else {
>                  ProcessHistory("", "", "", "$_");
>                  next;    # avoid emitting the line a second time below
>              }
>          }
>
>          ProcessHistory("", "", "", "$_");
>
>
> Jethro.

Thank you for the snippet. I was using h3crancid from 
https://sites.google.com/site/jrbinks/code/rancid/h3c which doesn't have 
this code.

IgnasR


