[rancid] Rancid / Fortigate

heasley heas at shrubbery.net
Thu Jun 6 15:20:34 UTC 2013


Thu, Jun 06, 2013 at 08:04:19AM +0000, Richard Savage:
> Many thanks for the patch, that works a treat on the Certificates.  We are still seeing the password changing every time though.
> 
> 
> -         set password ENC SWXEIX34s+aUBMlwZvFECK4DvTETIr70Kt61g9OaLoDwqjIHop/isuc8ICAmMyeRI9YwXn7FLBpe7UnVfzQa90R447az26V4TpJQKtg6JshN9aM1
> +         set password ENC 60VIeppXE7a/GFxdxOriZ2tWsUKhXD19qT6XAth3vnLP/6tuZk9p9+gSZ2YAHJNCAbKCWcziCI9LFfyRuL2UgumBU+0MHBTFXyC4PZW0S4GkZNI8
> 
> Is there something to prevent this?

The code only filters this if FILTER_PWDS is set.  Is this a new problem with
the fortigate?  i.e., did the mfg change the code and cause this issue?  If so,
I'd ask that you complain to the mfg and leave the code until it's known if
they'll fix it.

> Thanks
> 
> Rich
> 
> 
> On 05/06/13 15:48, heasley wrote:
> > Wed, Jun 05, 2013 at 12:45:03PM +0000, Richard Savage:
> >> Hi
> >>
> >> I am currently running rancid 2.3.8-3 on a debian server.
> > ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.8.p4.gz
> >
> >> I am backing up 3 fortinet firewalls and every time rancid runs it produces a diff against various things changing.  This
> >> happens on every run even if no config changes have been made to the firewall:
> >>
> >> @@ -2538,7 +2538,7 @@
> >>     end
> >>     config system autoupdate tunneling
> >>         set address ''
> >> -     set password ENC 7rz3NZFEnq39bkDpQoOq1xFb9S+pQwBXZedGObWBC7hC/QYQBMnsGbxKvbtSLtmBELRLqU631S6JPt8jsr0qKo2r10Vv5UzYddzby6Q3tWIls1IC
> >> +     set password ENC 51lWQzr6MmALlpq9n4uTbPbGcL9XHTvXmQ4kMLcz3u2Ua8yt9tkanbZp0J5uaKsiLqgLqEIKnQQFQYKoh+qNcGSeDMsFhHk/H18pPn4nuBQ0IxMq
> >>         set port 0
> >>         set status disable
> >>         set username ''
> >>
> >>
> >> @@ -7474,23 +7474,23 @@
> >>     end
> >>     config vpn certificate local
> >>         edit "Fortinet_Factory"
> >> -         set password ENC NNWSYkoMA+edjwo5LVP2a1M6K20cxS0iN/wkGwA6F39glvzYWmk3z9KoN7L//UR86M3u+8+d7Kk0k79NYf63wkLtpZnxRYWrLPTLeunMQLD5Rz2f
> >> +         set password ENC 0QNWT3omKlWgl1dROK2zvJDEdmhmrOQcre178jDza1qcDDJ4ROArDrJ2mWi5qIFFS6cZs8rIa9rUv34zvfmC/8U/xorbn6g/c1/jKfoCNo5KTP1E
> >>             set private-key "-----BEGIN RSA PRIVATE KEY-----
> >>     Proc-Type: 4,ENCRYPTED
> >> - DEK-Info: DES-EDE3-CBC,A8B9D863C86CD1F9
> >> - 8+cZant/s9PvQE2cK0010WPxMAXo7cp8BnmhCBpjvo7wEKXux+5yasNhe1ZxDcZm
> >> - j7PmNrqqO+J6qG5Whd90Hp9BCJ8eNYQJojW0IfB2RPYocD058bk+kjZ7MPov/JBz
> >> - QgDhnzoP9qFjPzA2GGMQ+1JFMJZI63VlRGUhKnN8xc0X1B9oHnb7U3/d3wipSekM
> >> - eSKd4Sy6kcZJc726OV273pr6ftJyob1tDmIGXZzMRgAzUehFO1w+2u39hPsTOcq/
> >> - IyF/RKTcfXoLilPFwZQvpDzIlurzCCv1ySsxhpFCKLScPaCwaTY6g8qz03VTMC6h
> >> + DEK-Info: DES-EDE3-CBC,39706AFBAD7CE8DF
> >> + 9KJ7kMJlzqKVFwS8dChmvlalrMbIKd0AxSo9VU/Wa1MSPo6HN8IjCAUtcM9zvbSX
> >> + E7aCk75D8vglifkuRqa+wtCcT8xVrEdwnHXpkvc9RH2JPs4JRhOyrYUAsnCMkQp3
> >> + rLS0OditRHWbxG8M5xo5V2dIs7L6wkN7wJ9Rdrj+AKf49bsLayIdTkF4ruG0tBXR
> >> + ugQDLe6G6lCq2CW3y0m6SA5fQE2bXQy0YztDrHSZzzm5wXHhfpEUzmAU9gR1kl/s
> >> + V1+fzVRhIXw2sf8CoH83DLvON0wiNOE/J9BhUgvxq9SzbRPhXrUS/58S1cdr7Wz
> >>
> >>     -----END RSA PRIVATE KEY-----"
> >>
> >>
> >> I have looked back through the archives and found something similar back in 2010 but would assume that the patch has
> >> been integrated into the latest version.
> >>
> >> Could anyone suggest a fix for this, as it's getting slightly annoying getting a diff every time there is a backup.
> >>
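The effect of password filtering discussed in the reply above, as an added example that is not part of the original thread and is not rancid's own fnrancid code: a stand-alone Python normalizer that replaces `set ... ENC` blobs and re-encrypted private-key bodies before two captures are compared. The function name `normalize`, the placeholder strings and the sample captures are assumptions constructed for illustration.

```python
import re

# "set <keyword> ENC <blob>": the blob differs on every capture in the thread.
ENC_RE = re.compile(r"^(\s*set\s+\S+\s+ENC)\s+\S+(.*)$")
KEY_BEGIN = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
KEY_END = re.compile(r"-----END [A-Z ]*PRIVATE KEY-----")

def normalize(config: str) -> str:
    """Return the config with ENC blobs and private-key bodies replaced."""
    out, in_key = [], False
    for line in config.splitlines():
        if in_key:
            # Drop Proc-Type, DEK-Info and the base64 body; keep the END marker.
            if KEY_END.search(line):
                in_key = False
                out.append(line)
            continue
        m = ENC_RE.match(line)
        if m:
            out.append(f"{m.group(1)} <removed>{m.group(2)}")
            continue
        out.append(line)
        if KEY_BEGIN.search(line) and not KEY_END.search(line):
            out.append("<key body removed>")
            in_key = True
    return "\n".join(out) + "\n"

# Constructed sample captures (not real device output): RUN1 and RUN2 have the
# same settings but a different ENC blob and key encryption; RUN3 changes a port.
TEMPLATE = """config system autoupdate tunneling
    set address ''
    set password ENC {enc}
    set port {port}
end
config vpn certificate local
    edit "Fortinet_Factory"
        set private-key "-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,{iv}
{body}
-----END RSA PRIVATE KEY-----"
    next
end
"""
RUN1 = TEMPLATE.format(enc="CONSTRUCTEDblobAAAA", port=0, iv="01", body="Q09OU1Qx")
RUN2 = TEMPLATE.format(enc="CONSTRUCTEDblobBBBB", port=0, iv="02", body="Q09OU1Qy")
RUN3 = TEMPLATE.format(enc="CONSTRUCTEDblobCCCC", port=8443, iv="03", body="Q09OU1Qz")
```

Comparing `normalize(RUN1)` with `normalize(RUN2)` yields no difference, while the port change in `RUN3` still shows up, and none of the encrypted material is kept in the stored copy.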

