[rancid] Alternatives to cleartext password in .cloginrc ?

rdrake rdrake at direcpath.com
Tue May 5 18:57:37 UTC 2015



On 05/05/2015 02:38 PM, Matt Almgren wrote:
>
> BTW, I have read some interesting replies in the mailing list archives:
>
> *If your poller is not secure it doesn't matter what authentication 
> method you use.* So while you could for some platforms set up 
> .shosts or RSA authorized keys, it doesn't really accomplish anything.
>
> And
>
> If something automated is going to log into a router, it needs an 
> authentication credential.  That's going to have to be stored 
> somewhere. If you store it encrypted, then you're going to need to 
> store the decryption key somewhere. *All that does is rearrange the 
> exposure, not solve it.*
>
> And
>
> If you *use a TACACS server for authentication, then you could do some interesting things to make the passwords RANCID uses less useful to outsiders* - for example, the TACACS server could only allow the RANCID username to be used from the RANCID host, or during certain times of day, or only allow it to execute a limited subset of commands.
>
>
> I’m just wondering if there’s any new information or ideas.
>
> Thanks, Matt
>

If you're okay with not using Expect, you could use my perl tel script:

https://github.com/rfdrake/tel

It supports storing the password in KeePass and keyrings (Gnome, KDE and 
MacOS).  I honestly recommend you stick with clogin on a very secure 
machine for rancid, but for interactive logins in a NOC environment I 
would recommend doing something with a keyring or password vault.

Yes, you do need to store the decryption key somewhere, but that should 
be only in a protected memory space that only that user and superuser 
could access.  Obviously you'll need to tailor your security to your own 
environment and needs.

Alternatives to this:

If you need one time keys and all your routers support them then tacacs 
will also do this (I think.  I'm not sure how you would go about setting 
up rancid to use it but I imagine it would be cumbersome.  I would just 
bypass it for rancid use).

If all your routers support ssh user keys then you should use them and 
use passphrases to protect security.  Revocation can happen through 
whatever means the router supports (something custom I suspect, but 
maybe puppet on some boxes?).  At one point in time I thought about 
modifying tacacs to support ssh user key distribution (so on a login 
request it would ask the tacacs server for the users public key).  I 
ended up getting distracted.
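Whichever of the options above you land on, the first thing to know is which devices in your .cloginrc still depend on an `add password` line and whether the file itself is locked down. The script below is an added example written for this thread; it is not part of rancid, clogin or rdrake's tel. It assumes the .cloginrc directives `add user`, `add password`, `add identity` and `add method` with their brace-quoted arguments, and that clogin takes the first matching entry in file order (which is how cloginrc(5) describes it); the hostnames, key path and passwords in the embedded sample file are constructed for the example.

```python
"""Audit a RANCID .cloginrc: which devices still depend on a cleartext
'add password' line, which have an ssh identity, and is the file mode tight.
Example code written for this thread, not part of rancid or rdrake's tel."""
import fnmatch
import os
import re
import stat

# Constructed sample .cloginrc for this example; hosts, key path and
# passwords are invented.
SAMPLE_CLOGINRC = """\
# core routers: cleartext login + enable password (what the thread is about)
add user      *.core.example.net  rancid
add password  *.core.example.net  {s3cret!}  {en4ble}
add method    *.core.example.net  ssh

# edge routers: ssh identity key, no password line for this group
add user      *.edge.example.net  rancid
add identity  *.edge.example.net  /home/rancid/.ssh/id_rancid
add method    *.edge.example.net  ssh

# catch-all: telnet fallback and a cleartext password for everything else
add user      *  rancid
add password  *  {fallback-pw}
add method    *  {ssh telnet}
"""

_TOKEN = re.compile(r"\{([^}]*)\}|(\S+)")


def tokenize(line):
    """Split one .cloginrc line into tokens; a {brace group} is one token."""
    return [braced if braced else bare for braced, bare in _TOKEN.findall(line)]


def parse_cloginrc(text):
    """Return (key, host_glob, values) for every 'add' directive, in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = tokenize(line)
        if len(tokens) >= 3 and tokens[0] == "add":
            entries.append((tokens[1], tokens[2], tokens[3:]))
    return entries


def first_match(entries, key, host):
    """clogin uses the first entry, in file order, whose glob matches the host."""
    for k, glob, values in entries:
        if k == key and fnmatch.fnmatchcase(host, glob):
            return values
    return None


def posture_for(host, entries):
    """Summarise how clogin would authenticate to 'host' under this file."""
    user = first_match(entries, "user", host)
    password = first_match(entries, "password", host)
    identity = first_match(entries, "identity", host)
    method = first_match(entries, "method", host)
    # 'add method' takes a brace-quoted list; clogin's default is telnet.
    methods = method[0].split() if method else ["telnet"]
    return {
        "user": user[0] if user else None,
        "cleartext_password": password is not None,
        "identity": identity[0] if identity else None,
        "methods": methods,
        "telnet_possible": "telnet" in methods,
    }


def mode_problems(mode_bits):
    """clogin refuses a .cloginrc that is group- or world-accessible; say why."""
    problems = []
    if mode_bits & stat.S_IRWXG:
        problems.append("group-accessible")
    if mode_bits & stat.S_IRWXO:
        problems.append("world-accessible")
    return problems


def check_mode(path):
    return mode_problems(stat.S_IMODE(os.stat(path).st_mode))


def audit(text, hosts):
    """Per-host posture plus the hosts whose only credential is a cleartext password."""
    entries = parse_cloginrc(text)
    report = {host: posture_for(host, entries) for host in hosts}
    password_only = [h for h, p in report.items()
                     if p["cleartext_password"] and p["identity"] is None]
    return report, password_only


if __name__ == "__main__":
    hosts = ["r1.core.example.net", "e1.edge.example.net", "sw1.lab.example.net"]
    report, password_only = audit(SAMPLE_CLOGINRC, hosts)
    for host, p in report.items():
        print(host, p)
    print("devices whose only credential is a cleartext password:", password_only)
    rc = os.path.expanduser("~/.cloginrc")
    if os.path.exists(rc):
        print(rc, "mode problems:", check_mode(rc) or "none")
```

Run against the sample, the report shows the trap an `add identity` line does not remove: the trailing `add password *` still hands a cleartext password to the edge routers, so they are not key-only until that catch-all is narrowed or removed. If you go the ssh-key route with a passphrase, keep the passphrase out of .cloginrc altogether and run rancid under an ssh-agent; the ssh that clogin spawns honours SSH_AUTH_SOCK like any other ssh client.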
