[rancid] Update configs by an external means

Doug Hughes doug.hughes at keystonenap.com
Thu Oct 5 15:05:52 UTC 2017


It would be interesting to know if:

you can restore the shared-secret from any of the various outputted ones
you can only restore from the latest one
you can restore without having it at all.

Do you have any test devices to confirm?

It strikes me as slightly problematic from a security perspective that
it would be possible to restore from any of these, because it means that
you can just keep dumping the config over and over and over again and
get a large sampling of these encrypted strings. If they are all
equivalent, it implies that the key space may not be sufficient, since
the more you print it, the more information leaks.


On 10/5/2017 5:08 AM, Alex DEKKER wrote:
> On 04/10/17 21:50, Dan Anderson wrote:
>> Rather than using a file that's been transferred onto the system, you
>> may be able to have RANCID log in via SSH and run "config\rshow
>> current-config" to dump the config. I'm guessing that there's some
>> other commands that may be useful, but "show current-config" from
>> config mode is how I typically get config copies from Sonicwall
>> firewalls when I'm doing firewall migrations for my customers.
>
> I have started a snwlrancid based on the Mikrotik config fetcher. I
> guess I should just throw it up somewhere for others to have a look
> at. One thing I've noticed is that the obscured encryption keys in VPN
> tunnels change *every time* the config is polled:
>
>
> <         shared-secret 4,c99c5ca7b2d0907883e8c6eacb251bfc189265ff041f4941cfaca1a3f3371511611bef8ee56affb2e091204a7c93f8c0d976d2cb3d251b4b940b0fafdb0d8f6812b8c067e1d1d3683db2f6d1247cf5c670171ba6f72e6bc1b62de89b79d23512ee6abf58b5f6ed6dcfb492a4a9d1800f9234e12899b2bc7f7eb4ccf865b478244f0b1a80ffd91035
> ---
> >         shared-secret 4,aa138a1f3e053d8fe0efbc3089e2be854a1a9d31fc6e3c26165674b26823f2e32c2e2ecf57fd16e74af093c9e6d35923be216133728061756144089c6ef3cfefc4f1f7bd270e41010e765b1afaed41f2d3e07950c3a3bf9a96264bbf7d9e17ad4280062cbdf2fa1f8b1071423186d5bb232e4424f50493c3ef64b34c7645305a56669a379d5abbba
>
> So long as it works when it's pasted back into the firewall then
> great, but obviously this is going to be absurdly noisy unless it's
> replaced with a placeholder with some post-processing. If it's
> replaced with a placeholder then the resulting config cannot be put
> back into the firewall without some tweaking. Personally, working in
> a team of people who manage Sonicwalls, partial-RANCID is better than
> no RANCID at all.
>
> The main roadblock I hit was that the word "exit" just seems to move
> around at random, and it's not the same "exit" that does this, there
> are loads of exits in the config and any one of them can apparently do
> it:
>
> Index: configs/barkminisonic.rancid
> ===================================================================
> retrieving revision 1.21
> diff -u -4 -r1.21 minisonic.rancid
> @@ -5,8 +5,9 @@
>   rom-version 5.0.5.6
>   model "NSA 220"
>   serial-number C0EA-E42D-XXXX
>   last-modified-by "admin 192.168.253.16:X0 UI 2017/09/10 16:07:22"
> + exit
>   administration
>       firewall-name MiniSonic
>       no auto-append-suffix
>       admin-name admin
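Review bot: the added `exit` sits at the same indentation as `rom-version`, `model`, `serial-number` and the `administration` block keyword below it, and none of the context lines above it open a sub-block for it to close, so it is not structural and would shift the depth at which `administration` is parsed if fed back to the device; the filter should not let a stray top-level `exit` reach a committed revision (flag the capture as incomplete rather than diffing it).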
> @@ -20,9 +21,9 @@
>       password constraints-apply-to limited-admins
>       password constraints-apply-to local-users
>       idle-logout-time 25
>       no user-lockout
> -     admin-preempt-action goto-non-configexit
> +     admin-preempt-action goto-non-config
>       admin-preempt-inactivity-timeout 10
>       no inter-admin-messaging
>       no web-management allow-http
>       web-management https-port 443
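Review bot: the removed line has `exit` glued onto `goto-non-config` with no separating newline, and the hunk above shows the same token surfacing as a line of its own after `last-modified-by`, so the word is landing in the captured stream at a byte position unrelated to line boundaries rather than recording a config change; suggest the collector detects the glued form (a line matching `\S+exit$` whose keyword is otherwise complete) and treats the poll as a failed collection instead of committing, since splitting or dropping the token would still leave a legitimate-looking `exit` in a different place on every run.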
>
>
> I don't have time to work on this at the moment but I will try and
> make some time to put what I've done so far on Github or similar.
>
> alexd
>
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/rancid-discuss

-- 
Doug Hughes
Keystone NAP
Fairless Hills, PA
1.844.KEYBLOCK (539.2562) 	
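The placeholder post-processing Alex describes (strip the per-poll `shared-secret` value so the RANCID diff stays quiet, yet keep a way to push the config back to the firewall) as an added example. It is written in Python rather than RANCID's own Perl and is not code from this thread or from the rancid project; the `shared-secret 4,<hex>` form is taken from the quoted output, the sample dumps are constructed, and the hex values are truncated.

```python
"""Post-processing filter for SonicOS config dumps polled by a RANCID-style
collector (added example, not rancid code). It masks the obscured
"shared-secret 4,<hex>" value, which the posted diffs show changing on
every poll, and keeps the stripped values in a sidecar so the dump the
sidecar came from can be re-assembled for a restore."""
import re
from typing import List, Tuple

# Only the "shared-secret 4,<hex>" form visible in the quoted diffs is handled;
# whether SonicOS obscures other fields the same way is not known here.
OBSCURED_RE = re.compile(
    r"^(?P<indent>\s*)(?P<key>shared-secret)\s+(?P<val>4,[0-9a-f]+)\s*$"
)
PLACEHOLDER = "<removed>"


def mask_volatile(dump: str) -> Tuple[str, List[str]]:
    """Replace every obscured shared-secret value with PLACEHOLDER.

    Returns the masked text plus the stripped values in document order, so
    restore() can put them back without depending on line numbers."""
    masked, stripped = [], []
    for line in dump.splitlines():
        m = OBSCURED_RE.match(line)
        if m:
            stripped.append(m.group("val"))
            line = f"{m.group('indent')}{m.group('key')} {PLACEHOLDER}"
        masked.append(line)
    return "\n".join(masked) + "\n", stripped


def restore(masked: str, stripped: List[str]) -> str:
    """Inverse of mask_volatile, valid for the dump the sidecar came from."""
    values = iter(stripped)
    out = []
    for line in masked.splitlines():
        if line.rstrip().endswith(PLACEHOLDER):
            val = next(values, None)
            if val is None:
                raise ValueError("sidecar has fewer secrets than placeholders")
            line = line.replace(PLACEHOLDER, val, 1)
        out.append(line)
    if next(values, None) is not None:
        raise ValueError("sidecar has more secrets than placeholders")
    return "\n".join(out) + "\n"


def changed_lines(a: str, b: str) -> List[int]:
    """0-based indices of lines that differ between two same-length dumps.

    Running this over two consecutive polls is how to find which fields are
    volatile before deciding what the filter must mask."""
    la, lb = a.splitlines(), b.splitlines()
    if len(la) != len(lb):
        raise ValueError("dumps differ in length; use a real diff")
    return [i for i, (x, y) in enumerate(zip(la, lb)) if x != y]


# Two consecutive polls of the same device (constructed; hex truncated).
DUMP_A = """\
administration
    firewall-name MiniSonic
    exit
vpn
    policy "to-branch"
        shared-secret 4,c99c5ca7b2d0907883e8c6eacb251bfc
        exit
    exit
"""
DUMP_B = DUMP_A.replace("4,c99c5ca7b2d0907883e8c6eacb251bfc",
                        "4,aa138a1f3e053d8fe0efbc3089e2be85")

if __name__ == "__main__":
    print("raw polls differ at lines:", changed_lines(DUMP_A, DUMP_B))
    masked_a, secrets_a = mask_volatile(DUMP_A)
    masked_b, _ = mask_volatile(DUMP_B)
    print("masked polls differ at lines:", changed_lines(masked_a, masked_b))
    print("round trip ok:", restore(masked_a, secrets_a) == DUMP_A)
```

The masked text is what goes into the RANCID repository; the sidecar holds the same obscured strings the device prints, so it needs the same access controls as a raw dump and is only meaningful together with the revision it was stripped from.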
