[rancid] Alternatives to cleartext password in .cloginrc ?

Matt Almgren matta at surveymonkey.com
Tue May 5 18:38:13 UTC 2015

BTW, I have read some interesting replies in the mailing list archives:

If your poller is not secure it doesn't matter what authentication method you use. So while you could for some platforms set up .shosts or RSA authorized keys, it doesn't really accomplish anything.


If something automated is going to log into a router, it needs an authentication credential.  That's going to have to be stored somewhere. If you store it encrypted, then you're going to need to store the decryption key somewhere.  All that does is rearrange the exposure, not solve it.


If you use a TACACS server for authentication, then you could do some interesting things to make the passwords RANCID uses less useful to outsiders - for example, the TACACS server could only allow the RANCID username to be used from the RANCID host, or during certain times of day, or only allow it to execute a limited subset of commands.

I’m just wondering if there’s any new information or ideas.

Thanks, Matt

From: Matt Almgren <matta at surveymonkey.com>
Date: Tuesday, May 5, 2015 at 11:11 AM
To: "rancid-discuss at shrubbery.net" <rancid-discuss at shrubbery.net>
Subject: Re: [rancid] Alternatives to cleartext password in .cloginrc ?

What are the available options, if any, to using non-cleartext passwords for Rancid in the .cloginrc file?   We also use TAC+ as the backend AAA.

This wasn’t a huge concern for me until I realized that it goes against some of the PCI compliance regulations about storing passwords in the clear.

Thanks, Matt
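
The archived replies quoted above argue that the stored credential is only as safe as the poller that holds it. As an added example (not part of the original post and not RANCID's own code), this Python sketch audits a .cloginrc for who can read it and which device globs have stored secrets, without ever printing the secrets. The sample file contents, host names and the choice of directives checked are assumptions made for illustration.

```python
import os
import re
import stat
import tempfile

# Subset of cloginrc(5) "add" directives whose arguments are secrets (assumed set).
SECRET_DIRECTIVES = {"password", "userpassword"}
ADD_RE = re.compile(r"^add\s+(\w+)\s+(\S+)")

def audit_cloginrc(path):
    """Return findings about file exposure and stored secrets.

    Secret values are never returned, only the directive name, the
    device glob it applies to, and the line number.
    """
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:  # any group or other permission bit set
        findings.append(("mode", "group/other access: %04o" % mode))
    if st.st_uid != os.getuid():
        findings.append(("owner", "not owned by the polling user"))
    with open(path, encoding="utf-8") as fh:
        for lineno, raw in enumerate(fh, 1):
            m = ADD_RE.match(raw.strip())  # comment lines never match
            if m and m.group(1) in SECRET_DIRECTIVES:
                findings.append(("secret", "line %d: %s for %s"
                                 % (lineno, m.group(1), m.group(2))))
    return findings

# Constructed sample file; device globs and passwords are made up.
SAMPLE = """\
# constructed example
add method * ssh
add user *.example.net rancid
add password *.example.net {vty-secret} {enable-secret}
add userpassword core1.example.net {another-secret}
"""

def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".cloginrc")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)  # deliberately too open for the demo
        return audit_cloginrc(path)

if __name__ == "__main__":
    for kind, detail in demo():
        print(kind, detail)
```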
