[rancid] Alternatives to cleartext password in .cloginrc ?
Lee Rian (CENSUS/TCO FED)
lee.e.rian at census.gov
Tue May 5 21:02:21 UTC 2015
I know one person that installed Rancid on an encrypted USB drive. It doesn't eliminate the risk of cleartext passwords in .cloginrc but it does reduce the exposure.
Regards,
Lee
________________________________
From: Rancid-discuss <rancid-discuss-bounces at shrubbery.net> on behalf of Matt Almgren <matta at surveymonkey.com>
Sent: Tuesday, May 5, 2015 2:38 PM
To: rancid-discuss at shrubbery.net
Subject: Re: [rancid] Alternatives to cleartext password in .cloginrc ?
BTW, I have read some interesting replies in the mailing list archives:
If your poller is not secure it doesn't matter what authentication method you use. So while you could for some platforms set up .shosts or RSA authorized keys, it doesn't really accomplish anything.
And
If something automated is going to log into a router, it needs an authentication credential. That's going to have to be stored somewhere. If you store it encrypted, then you're going to need to store the decryption key somewhere. All that does is rearrange the exposure, not solve it.
And
If you use a TACACS server for authentication, then you could do some interesting things to make the passwords RANCID uses less useful to outsiders - for example, the TACACS server could only allow the RANCID username to be used from the RANCID host, or during certain times of day, or only allow it to execute a limited subset of commands.
I'm just wondering if there's any new information or ideas.
Thanks, Matt
From: Matt Almgren <matta at surveymonkey.com>
Date: Tuesday, May 5, 2015 at 11:11 AM
To: "rancid-discuss at shrubbery.net" <rancid-discuss at shrubbery.net>
Subject: Re: [rancid] Alternatives to cleartext password in .cloginrc ?
What are the available options, if any, to using non-cleartext passwords for Rancid in the .cloginrc file? We also use TAC+ as the backend AAA.
This wasn't a huge concern for me until I realized that it goes against some of the PCI compliance regulations about storing passwords in the clear.
Thanks, Matt
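Since the thread settles on "reduce the exposure" rather than "eliminate it", a practical follow-up is to audit what the exposure actually is: which router patterns have cleartext credentials in .cloginrc, how many, and whether the file's mode restricts them to the RANCID user. The script below is an added example written for this archive page; it is not code from the thread or from the RANCID project. It parses the real .cloginrc directive syntax (`add password <router glob> <login pw> [<enable pw>]`, with Tcl-style braces around values) over a constructed sample file whose passwords are placeholders, and it reports counts and patterns only, so the audit output is not another copy of the secrets.

```python
"""Audit a RANCID .cloginrc for cleartext credential exposure.

Added example, not from the rancid-discuss thread or the RANCID project.
Reports which router globs carry cleartext passwords and whether the file
mode limits access to the owner; never prints the password values.
"""
import os
import re
import stat
import tempfile

# Constructed sample .cloginrc; every password here is a placeholder.
SAMPLE_CLOGINRC = """\
# constructed sample, not a real configuration
add user *.lab.example {rancid}
add method *.lab.example {ssh}
add password core-*.lab.example {LoginPassPlaceholder} {EnablePassPlaceholder}
add password edge-*.lab.example {LoginPassPlaceholder}
add autoenable *.lab.example 1
"""

DIRECTIVE_RE = re.compile(r'^\s*add\s+(\w+)\s+(.*?)\s*$')
TOKEN_RE = re.compile(r'\{[^}]*\}|\S+')


def _tokens(rest):
    """Split the remainder of an 'add' line into tokens, unwrapping {...} groups."""
    out = []
    for tok in TOKEN_RE.findall(rest):
        if tok.startswith('{') and tok.endswith('}'):
            tok = tok[1:-1]
        out.append(tok)
    return out


def parse_password_entries(text):
    """Return one record per 'add password' directive: line, router glob, secret count."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m or m.group(1) != 'password':
            continue
        toks = _tokens(m.group(2))
        if not toks:
            continue
        entries.append({'line': lineno, 'glob': toks[0], 'secrets': len(toks) - 1})
    return entries


def audit_text(text, mode):
    """Pure audit of file content plus its permission bits; returns a report dict."""
    entries = parse_password_entries(text)
    findings = []
    # Any group/other bit widens the exposure beyond the RANCID account itself.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append('mode %04o allows group/other access; expected 0600' % mode)
    for e in entries:
        findings.append('line %d: %d cleartext credential(s) for routers matching %s'
                        % (e['line'], e['secrets'], e['glob']))
    return {
        'mode': mode,
        'entries': entries,
        'cleartext_secrets': sum(e['secrets'] for e in entries),
        'findings': findings,
    }


def audit(path):
    """Audit a .cloginrc on disk (for example os.path.expanduser('~/.cloginrc'))."""
    with open(path) as fh:
        text = fh.read()
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return audit_text(text, mode)


def audit_sample(mode=0o644):
    """Write the constructed sample to a temp file with the given mode, audit it, clean up."""
    fd, path = tempfile.mkstemp(prefix='cloginrc-')
    with os.fdopen(fd, 'w') as fh:
        fh.write(SAMPLE_CLOGINRC)
    os.chmod(path, mode)
    try:
        return audit(path)
    finally:
        os.unlink(path)


if __name__ == '__main__':
    for finding in audit_sample(0o644)['findings']:
        print(finding)
```

Pointing `audit()` at the real file gives a list that maps directly onto the compliance question in the thread: each finding is a cleartext credential that exists on the poller, and the mode check confirms whether it is at least confined to the RANCID account.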