[rancid] Securing RANCID installation
Joseph Jackson
jjackson at aninetworks.net
Wed Jan 7 22:08:17 UTC 2015
Just for future reference, here is my tacacs+ config that only allows the rancid user to do the show commands it needs to run.

user = rancid2 {
    member = rancid
    login =
}

group = rancid {
    # deny any service not listed below
    default service = deny
    # exec (shell) sessions start at privilege level 6
    service = exec {
        priv-lvl = 6
    }
    cmd = show {
        permit .*
    }
    # only "write term" is permitted
    cmd = write {
        permit term
    }
    cmd = dir {
        permit .*
    }
    cmd = admin {
        permit .*
    }
    cmd = more {
        permit .*
    }
}
-----Original Message-----
From: Rancid-discuss [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Aaron Block
Sent: Wednesday, January 07, 2015 4:06 PM
To: Daniel Schmidt
Cc: rancid-discuss at shrubbery.net
Subject: Re: [rancid] Securing RANCID installation
> On Dec 17, 2014, at 5:22 PM, Daniel Schmidt <daniel.schmidt at wyo.gov> wrote:
>
> I wrote an article on tacacs.org on securing rancid. However, tacacs.org appears to be gone. Pretty easy to lock down with do_auth. As for local passwords, if tacacs is properly configured, they are useless.
>
tacacs.org appears to be back.
Aaron Block
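
An added example, not part of the original messages or of tac_plus itself: a small Python check that runs sample commands against the cmd rules posted above, to confirm the rancid group permits the read-only commands and denies everything else. It assumes tac_plus tries a cmd block's regexes in order with unanchored matching and denies a command that has no cmd block or no matching regex; parse_cmd_rules and authorize are hypothetical helper names, and the sample command lines are constructed.

```python
import re

# Constructed copy of the rancid group from the message above.
GROUP_CONFIG = """
group = rancid {
    default service = deny
    service = exec {
        priv-lvl = 6
    }
    cmd = show {
        permit .*
    }
    cmd = write {
        permit term
    }
    cmd = dir {
        permit .*
    }
    cmd = admin {
        permit .*
    }
    cmd = more {
        permit .*
    }
}
"""

def parse_cmd_rules(text):
    """Return {command: [(action, compiled_regex), ...]} from cmd = X { ... } blocks."""
    rules = {}
    for name, body in re.findall(r"cmd\s*=\s*(\S+)\s*\{([^}]*)\}", text):
        entries = re.findall(r"^\s*(permit|deny)\s+(.+?)\s*$", body, re.M)
        rules[name] = [(action, re.compile(rx)) for action, rx in entries]
    return rules

def authorize(rules, command_line):
    """Assumed tac_plus semantics: first matching regex wins, otherwise deny."""
    cmd, _, args = command_line.strip().partition(" ")
    for action, rx in rules.get(cmd, []):   # no cmd block -> denied
        if rx.search(args):                 # unanchored match (assumption)
            return action == "permit"
    return False

RULES = parse_cmd_rules(GROUP_CONFIG)

if __name__ == "__main__":
    for line in ("show running-config", "write terminal", "write memory",
                 "configure terminal", "reload", "admin show running-config"):
        print(f"{'PERMIT' if authorize(RULES, line) else 'DENY  '}  {line}")
```

Running the same check against a staging copy of the real tac_plus.conf before deploying it catches a policy that is broader or narrower than RANCID needs.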